Joomla! Component Vik Rent Items v1.3 - SQL Injection

vendor:

Vik Rent Items e4j

by:

Ihsan Sencan

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: Vik Rent Items e4j

Affected Version From: 1.3

Affected Version To: 1.3

Patch Exists: NO

Related CWE: N/A

CPE: a:extensionsforjoomla:vik_rent_items_e4j

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Win7 x64, Kali Linux x64

2017

Joomla! Component Vik Rent Items v1.3 – SQL Injection

A SQL injection vulnerability exists in Joomla! Component Vik Rent Items v1.3. An attacker can exploit this vulnerability by sending malicious SQL queries to the vulnerable application. This can allow the attacker to access or modify the application's data, or even execute system level commands.

Mitigation:

Developers should always use parameterized queries, also known as prepared statements, when interacting with the database. This will ensure that the user input is treated as a string value instead of part of the SQL query.

Source

Exploit-DB raw data:

# # # # #
# Exploit Title: Joomla! Component Vik Rent Items v1.3 - SQL Injection
# Google Dork: inurl:index.php?option=com_vikrentitems
# Date: 15.03.2017
# Vendor Homepage: https://extensionsforjoomla.com/
# Software : https://extensionsforjoomla.com/components-modules/vik-rent-items-e4j
# Demo: https://extensionsforjoomla.com/livedemo/vikrentitems/
# Version: 1.3
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php/en/?option=com_vikrentitems&task=showprc&itemopt=[SQL]&days=2&pickup=1490790600&release=1490947200&place=[SQL]&Itemid=132
# ext4joo_vikrentitemsj3demo
# Etc..
# # # # #