Joomla! Component Blog Calendar – SQL Injection

  • Author: X-Cisadane
    Date: 2016-12-26
  • Category: Web Application
    Platform:
  • Source: https://www.exploit-db.com/exploits/40966/
  • ========================================================================================== 
    Joomla com_blog_calendar SQL Injection Vulnerability 
    ========================================================================================== 
    
    :-------------------------------------------------------------------------------------------------------------------------: 
    : # Exploit Title : Joomla com_blog_calendar SQL Injection Vulnerability
    : # Date : 26th December 2016
    : # Author : X-Cisadane 
    : # CMS Name : Joomla 
    : # CMS Developer : http://joomlacode.org/gf/project/blog_calendar/ 
    : # Category : Web Application 
    : # Vulnerability : SQL Injection 
    : # Tested On : SQLMap 1.0.12.9#dev
    : # Greetz to : X-Code YogyaFree, ExploreCrew, CodeNesia, Bogor Hackers Community, Borneo Crew, Depok Cyber, Mantan 
    :-------------------------------------------------------------------------------------------------------------------------: 
    
    A SQL injection vulnerability has been discovered in the Joomla component com_blog_calendar. 
    The vulnerability is in the modid parameter of index.php?option=com_blog_calendar&modid=xxx. 
    An attacker can execute their own SQL commands by sending a GET request with a manipulated modid value, 
    and can use this to read information from the database. 
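    The following is an added Python example illustrating the pattern the advisory describes; it is not code from 
    the advisory or from the blog_calendar component (which is PHP against MySQL). A hypothetical lookup concatenates 
    the raw modid value into the query, next to the hardened form that coerces the value to an integer and binds it. 
    SQLite stands in for MySQL, and the table, column names and sample rows are assumptions constructed for the demo. 

```python
import sqlite3

# Constructed sample rows standing in for the component's module table.
# Table and column names are assumptions; this is not Joomla's schema.
SAMPLE_ROWS = [
    (1, "Calendar (front page)", "published"),
    (2, "Calendar (archive)", "published"),
    (3, "Calendar (draft)", "unpublished"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE modules (id INTEGER, title TEXT, state TEXT)")
    conn.executemany("INSERT INTO modules VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, modid):
    """Vulnerable pattern (hypothetical): the raw GET value is pasted into the SQL text.

    Anything the client puts after the number becomes part of the query, so
    "1 OR 1=1" returns every row and a UNION can pull arbitrary data.
    """
    sql = "SELECT id, title FROM modules WHERE id = " + modid
    return conn.execute(sql).fetchall()


def lookup_safe(conn, modid):
    """Hardened pattern: modid is an integer id, so coerce it first, then bind it.

    Non-integer input is rejected outright; the bound parameter can never
    change the structure of the statement.
    """
    try:
        module_id = int(modid)
    except ValueError:
        return []
    sql = "SELECT id, title FROM modules WHERE id = ?"
    return conn.execute(sql, (module_id,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print("benign:   ", lookup_vulnerable(conn, "1"))
    print("tautology:", lookup_vulnerable(conn, "1 OR 1=1"))
    print("union:    ", lookup_vulnerable(conn, "-1 UNION SELECT 1, sqlite_version()"))
    print("hardened: ", lookup_safe(conn, "1 OR 1=1"))
```

    The UNION probe shows why the advisory says database information can be read: with the WHERE clause neutralised 
    by -1, the attacker-controlled SELECT supplies the rows. In Joomla itself the equivalent fix is to read the value 
    with an integer filter (for example the getInt() method of JRequest or JInput) and to quote or bind it rather 
    than concatenating the raw request value. 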
    
    DORKS (How to find the target) : 
    ================================
    inurl:/index.php?option=com_blog_calendar 
    Or use your own Google Dorks :) 
    
    Proof of Concept
    ================
    
    SQL Injection 
    PoC :
    http://[Site]/[Path]/index.php?option=com_blog_calendar&modid=['SQLi]
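    
    Because modid is expected to be a plain integer, attempts against this parameter are easy to spot in web server 
    logs. The following is an added Python example (not part of the advisory) that flags com_blog_calendar requests 
    whose modid value is not purely numeric. The log lines are constructed samples in combined log format, not real 
    traffic, and the addresses and timestamps are made up. 

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [26/Dec/2016:10:01:02 +0000] "GET /index.php?option=com_blog_calendar&modid=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [26/Dec/2016:10:01:09 +0000] "GET /index.php?option=com_blog_calendar&modid=3' HTTP/1.1" 500 312 "-" "sqlmap/1.0.12.9#dev"
203.0.113.9 - - [26/Dec/2016:10:01:10 +0000] "GET /index.php?option=com_blog_calendar&modid=3%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "sqlmap/1.0.12.9#dev"
198.51.100.7 - - [26/Dec/2016:10:02:00 +0000] "GET /index.php?option=com_content&id=7 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Client address, timestamp, request line and status code from a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def suspicious_modid_requests(log_text):
    """Return (ip, decoded modid value, status) for com_blog_calendar requests
    whose modid is anything other than a plain integer."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qs percent-decodes the values, so "3%20AND%201%3D1" becomes "3 AND 1=1".
        params = parse_qs(urlsplit(m.group("path")).query)
        if params.get("option", [""])[0] != "com_blog_calendar":
            continue
        for value in params.get("modid", []):
            if not re.fullmatch(r"\d+", value):
                hits.append((m.group("ip"), value, int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for ip, value, status in suspicious_modid_requests(SAMPLE_LOG):
        print(f"{ip} modid={value!r} status={status}")
```

    The benign request with modid=3 and the unrelated com_content request are ignored; the quoted and 
    boolean-style values are reported with their source address and status code, which is enough to pivot into 
    the rest of that client's activity. 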