SQL Injection Vulnerability in HikeShop Joomla Plugin #2
Comments
|
But in order to do that, you need to have access in administrator, if an attacker have access there it is already too late, right? |
|
@oxido21 It's still a problem because with just a backend access to the order area, you can get access to all the data in the database, even things you're not suppose to get access to. But sure, it's less of a problem than if you could do that from the frontend. That would be the worst of the worst. Thanks for the report @k4k4r07 We're looking into it. |
|
Yeah you require some initial access to exploit the vulnerability, and this has been incorporated in the CVSS already i.e why the severity is High not Critical @oxido21 |
|
We just released a new version of HikaShop, the 4.7.3, which includes several patches for this vulnerability. For anyone stumbling on this page, we recommend updating your HikaShop if you have an older version of HikaShop. |
|
Wow @hikashop-nicolas This was fast than most of the prolific bug bounty program. Good job @hikashop-nicolas |
|
Hi @oxido21 @hikashop-nicolas Hope you are doing well, Can you get a CVE assigned to this vulnerability? |
|
Sure. I've submitted a CVE request. I'm waiting for an answer now. |
|
Thanks @hikashop-nicolas Have a nice day ahead :) |
Description
SQL Injection is an attack technique used to exploit applications that construct SQL statements from user-supplied input. When successful, the attacker is able to change the logic of SQL statements executed against the database.
Structured Query Language (SQL) is a specialized programming language for sending queries to databases. The SQL programming language is both an ANSI and an ISO standard, though many database products supporting SQL do so with proprietary extensions to the standard language. Applications often use user-supplied data to create SQL statements. If an application fails to properly construct SQL statements it is possible for an attacker to alter the statement structure and execute unplanned and potentially hostile commands. When such commands are executed, they do so under the context of the user specified by the application executing the statement. This capability allows attackers to gain control of all database resources accessible by that user, up to and including the ability to execute commands on the hosting system.
The extension for Joomla at https://extensions.joomla.org/extension/hikashop/ contain SQLInjection vulnerability
CVSS Score: 8.8 (High)
Steps To Reproduce
Components->HikaShop->OrdersNewEditbutton forAdditional InformationsectionConfigure any proxy tool such as Burp Suite with your browser
Turn on Burp Intercept
Save & Notifydata[order][payment]toatos_2') AND (SELECT 3277 FROM (SELECT(SLEEP(10)))WwdE)-- Fgmydata[order][payment]toatos_2') AND GTID_SUBSET(CONCAT(0x7170717171,(SELECT (ELT(7074=7074,1))),database()),7074)-- xcZMatos_2') AND GTID_SUBSET(CONCAT(0x7170717171,(SELECT (ELT(7074=7074,1))),version()),7074)-- xcZMSimilarly attacker can dump the entire database using this vulnerability.
Video POC
sqli.1.mp4
The vulnerability was discovered in colloboration with @SivaPothuluru-Sajja
The text was updated successfully, but these errors were encountered: