==========================================================================================
Joomla com_blog_calendar SQL Injection Vulnerability
==========================================================================================
:-------------------------------------------------------------------------------------------------------------------------:
:# Exploit Title : Joomla com_blog_calendar SQL Injection Vulnerability
:# Date : 26th December 2016
:# Author : X-Cisadane
:# CMS Name : Joomla
:# CMS Developer : http://joomlacode.org/gf/project/blog_calendar/
:# Category : Web Application
:# Vulnerability : SQL Injection
:# Tested On : SQLMap 1.0.12.9#dev
:# Greetz to : X-Code YogyaFree, ExploreCrew, CodeNesia, Bogor Hackers Community, Borneo Crew, Depok Cyber, Mantan
:-------------------------------------------------------------------------------------------------------------------------:
A SQL injection vulnerability has been discovered in the Joomla module com_blog_calendar.
The vulnerability is located in the modid parameter of index.php?option=com_blog_calendar&modid=xxx.
An attacker can execute their own SQL commands by sending a GET request with a manipulated modid value.
By executing their own SQL commands, an attacker can read database information.
DORKS (How to find the target):
================================
inurl:/index.php?option=com_blog_calendar
Or use your own Google Dorks :)
Proof of Concept
================
SQL Injection
PoC :
http://[Site]/[Path]/index.php?option=com_blog_calendar&modid=['SQLi]
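
Detection example (added here, not part of the original advisory and not code from the blog_calendar project): a log check that flags GET requests to com_blog_calendar whose modid is not a plain number. The log lines are constructed samples, and the rule that a legitimate modid is all decimal digits is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format) for illustration only.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Dec/2016:10:00:01 +0000] "GET /index.php?option=com_blog_calendar&modid=17 HTTP/1.1" 200 5120
203.0.113.9 - - [26/Dec/2016:10:00:07 +0000] "GET /index.php?option=com_blog_calendar&modid=17%27 HTTP/1.1" 500 312
203.0.113.9 - - [26/Dec/2016:10:00:09 +0000] "GET /joomla/index.php?modid=%2717&option=com_blog_calendar HTTP/1.1" 200 5120
198.51.100.2 - - [26/Dec/2016:10:01:00 +0000] "GET /index.php?option=com_content&id=3%27 HTTP/1.1" 200 900
198.51.100.7 - - [26/Dec/2016:10:02:00 +0000] "GET /index.php?option=com_blog_calendar&modid=17&modid=x HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Assumption: a legitimate modid is a plain decimal module id.
VALID_MODID = re.compile(r"[0-9]+")


def suspicious_modid_requests(log_text):
    """Return (line_no, client_ip, status, bad_values) for each request to
    com_blog_calendar whose modid contains anything but decimal digits."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        # parse_qs percent-decodes values, so %27 is seen as a quote.
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        if "com_blog_calendar" not in query.get("option", []):
            continue  # other components are out of scope here
        # Check every occurrence: a repeated modid can hide a bad value.
        bad = [v for v in query.get("modid", []) if not VALID_MODID.fullmatch(v)]
        if bad:
            findings.append((line_no, m["ip"], int(m["status"]), bad))
    return findings


if __name__ == "__main__":
    for line_no, ip, status, bad in suspicious_modid_requests(SAMPLE_LOG):
        print(f"line {line_no}: {ip} status={status} modid={bad!r}")
```

The same digits-only rule can be enforced in front of the site (WAF or rewrite rule) until the component casts modid to an integer before using it in a query.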