Joomla! Component J-MultipleHotelReservation Standard v6.0.2 - SQL Injection

vendor:

Joomla! Component J-MultipleHotelReservation Standard

by:

Ihsan Sencan

8,8

CVSS

HIGH

SQL Injection

CWE

Product Name: Joomla! Component J-MultipleHotelReservation Standard

Affected Version From: 6.0.2

Affected Version To: 6.0.2

Patch Exists: NO

Related CWE: N/A

CPE: a:cmsjunkie:joomla_multi_hotel_reservation_standard

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Win7 x64, Kali Linux x64

2017

Joomla! Component J-MultipleHotelReservation Standard v6.0.2 – SQL Injection

An attacker can exploit a SQL injection vulnerability in Joomla! Component J-MultipleHotelReservation Standard v6.0.2 by sending malicious SQL queries to the application. This can allow the attacker to gain access to sensitive information stored in the database, such as user credentials, or to modify the data stored in the database.

Mitigation:

Developers should always use parameterized queries, also known as prepared statements, when interacting with the database. This will ensure that user-supplied input is treated as a string value rather than as executable code.

Source

Exploit-DB raw data:

# # # # # 
# Exploit Title: Joomla! Component J-MultipleHotelReservation Standard v6.0.2 - SQL Injection
# Google Dork: inurl:index.php?option=com_jcruisereservation
# Date: 21.02.2017
# Vendor Homepage:  http://www.cmsjunkie.com/
# Software Buy: http://www.cmsjunkie.com/joomla_multi_hotel_reservation_standard
# Demo: http://hoteldemo.cmsjunkie.com/j3/multiple_standard/
# Version: 6.0.2
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_jhotelreservation&tmpl=component&task=hotelratings.printRating&view=hotelratings&review_id=[SQL]
# Etc...
# # # # #