SQLi Blind Time-based on Joomla + VirtueMart + aweb-cartwatching-system <=2.6.0

#Exploit Title: SQLi Blind Time-based on Joomla + VirtueMart + aweb-cartwatching-system/<= 2.6.0
#Date: 28-12-2016
#Software Link:
#Exploit Author: Javi Espejo(qemm)
#Contact:
#Website:
#CVE: REQUESTED
#Category: webapps

  1. Description

Any remote user can access the victim server through a blind SQL injection in a component of aweb_cartwatching_system and aweb_cart_autosave. This is the code with the unsanitized parameters (IMAGE 1).

  2. Proof of Concept

I can access the database through queries using the time-based vector. I tested in a client environment and found that the POST parameter view responds to a vector as follows. The first request was

POST parameters: option view task

Then I saw strange behavior on the website and saw that the parameter view responds to an easy time-based query.

Later I found the following payload:

option=com_virtuemart&view=categorysearch' RLIKE (SELECT * FROM (SELECT(SLEEP(5)))sgjA) AND 'jHwz'='jHwz&task=smartSearch

It works, and I can access every database on the client system by launching other queries.

  3. Solution:

Update to version 2.6.1 from the Joomla update center. The Joomla VEL published the vulnerability on

Answer from Joomla VEL: "We have added it to the VEL here:"
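For sites that cannot confirm when they were updated, logged POST bodies can be reviewed for this pattern. The following is an added example, not part of the original advisory or the extension's code: it checks the three routing parameters named above against an identifier allowlist and flags SQL delay functions. The function names, the allowlist character set and the sample bodies are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs

# Assumption: Joomla routing values are plain identifiers (letters, digits, _ . -).
IDENT = re.compile(r"[A-Za-z0-9_.-]*")
# Delay primitives typical of time-based probes (MySQL SLEEP as in the advisory).
DELAY = re.compile(r"\b(?:sleep|benchmark)\s*\(", re.IGNORECASE)
ROUTING_PARAMS = ("option", "view", "task")  # the POST parameters the advisory names

def inspect_body(body):
    """Return (param, reason) findings for one urlencoded POST body."""
    findings = []
    fields = parse_qs(body, keep_blank_values=True)  # also percent-decodes values
    for name in ROUTING_PARAMS:
        for value in fields.get(name, []):
            if DELAY.search(value):
                findings.append((name, "time-delay function"))
            elif not IDENT.fullmatch(value):
                findings.append((name, "not a plain identifier"))
    return findings

def scan(bodies):
    """Return {index: findings} for every body that has at least one finding."""
    hits = {}
    for i, body in enumerate(bodies):
        found = inspect_body(body)
        if found:
            hits[i] = found
    return hits

# Constructed sample bodies; the second is the request quoted in the advisory.
SAMPLES = [
    "option=com_virtuemart&view=category&task=smartSearch",
    "option=com_virtuemart&view=categorysearch' RLIKE (SELECT * FROM "
    "(SELECT(SLEEP(5)))sgjA) AND 'jHwz'='jHwz&task=smartSearch",
    "option=com_virtuemart&view=category%27&task=smartSearch",
]

if __name__ == "__main__":
    for index, found in scan(SAMPLES).items():
        print(index, found)
```

The allowlist check alone rejects both flagged samples; the delay check only gives a more specific reason for triage.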


