Joomla Spider Form Maker 3.4 and below SQL Injection


######################
# Exploit Title : Joomla Spider Form Maker <= 3.4 SQL Injection

# Exploit Author : Claudio Viviani

# Vendor Homepage : http://web-dorado.com/

# Software Link : http://web-dorado.com/products/joomla-form.html

# Dork Google: inurl:com_formmaker
                   

# Date : 2014-09-07

# Tested on : Windows 7 / Mozilla Firefox
#             Linux / Mozilla Firefox
######################

# PoC Exploit:

http://localhost/index.php?option=com_formmaker&view=formmaker&id=[SQLi]


The "id" request parameter is not sanitized before it is used in the SQL query.
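
Added example (not part of the original advisory): a defender-side check that scans web server access logs for com_formmaker requests whose "id" parameter is not a plain integer. It assumes Apache/nginx combined-format logs and non-SEF URLs shaped like the PoC above; the function name and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
PLAIN_INT_RE = re.compile(r"[0-9]+")

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Sep/2014:10:00:01 +0000] "GET /index.php?option=com_formmaker'
    '&view=formmaker&id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Sep/2014:10:00:07 +0000] "GET /index.php?option=com_formmaker'
    '&view=formmaker&id=3%27 HTTP/1.1" 500 310 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Sep/2014:10:01:12 +0000] "GET /index.php?option=com_formmaker'
    '&view=formmaker&id=3%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Sep/2014:10:02:00 +0000] "GET /index.php?option=com_content'
    '&id=7%27 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]


def suspicious_formmaker_ids(log_lines):
    """Return (client_ip, decoded_id) for com_formmaker requests with a non-integer id."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parseable request line
        # parse_qs URL-decodes values, so %27 is compared as a literal quote.
        query = parse_qs(urlsplit(match.group("target")).query, keep_blank_values=True)
        if "com_formmaker" not in query.get("option", []):
            continue  # a different component; out of scope for this check
        client_ip = line.split(" ", 1)[0]
        for raw_id in query.get("id", []):
            # A legitimate form id is a bare decimal number; anything else is flagged.
            if not PLAIN_INT_RE.fullmatch(raw_id):
                hits.append((client_ip, raw_id))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_formmaker_ids(SAMPLE_LOG):
        print(f"{ip} sent non-integer id: {value!r}")
```

This only sees parameters carried in the query string; values sent in POST bodies or through SEF-rewritten URLs do not appear in the request line and need a different data source.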

######################

# Vulnerability Disclosure Timeline:

2014-09-07:  Discovered vulnerability
2014-09-09:  Vendor Notification
2014-09-10:  Vendor Response/Feedback
2014-09-10:  Vendor Fix/Patch
2014-09-10:  Public Disclosure

#####################

Discovered By : Claudio Viviani
                http://www.homelab.it
        
                info@homelab.it
                homelabit@protonmail.ch

                https://www.facebook.com/homelabit
                https://twitter.com/homelabit
                https://plus.google.com/+HomelabIt1/
                https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

#####################