Document Title: =============== iJoomla com_adagency 6.0.9 - SQL Injection Vulnerabilities Date: ===== 2018-01-04 References: =========== CVE-ID: ===== CVE-2018-5696 VL-ID: ===== 1927 Common Vulnerability Scoring System: ==================================== 7.1 Vulnerability Class: ==================== SQL Injection Introduction: ============= Ad Agency is the #1 advertising extension for Joomla! Start generating income from your traffic today by creating an advertising program. d Agency's front-end is completely responsive. It looks great on any device, no matter the size. Your advertising campaigns are now more flexible than ever! You’re free to choose the number of ads to display horizontally and vertically, so you can have several ads in one row, in more than one row, or create multiple columns of ads.It's completely up to you! (Copy of the Vendor Homepage: Abstract: ========= The vulnerability laboratory core research team discovered multiple remote sql-injection vulnerabilities in the iJoomla (Joomla) com_adagency 6.0.9 component. Report-Timeline: ================ 2018-01-04: Public Disclosure (Vulnerability Laboratory) Status: ======== Published Affected Products: ================== iJoomla Product: com_adagency - Component (Joomla) v6.0.9 Exploitation-Technique: ======================= Remote Severity: ========= High Details: ======== Multiple remote sql-injection vulnerabilities has been discovered in the official iJoomla com_adagency v6.0.9 content management system component. The sql-injection vulnerability allows remote attackers to inject own sql commands to compromise the database management system or web-application. The sql-injection vulnerabilities are located in the `advertiser_status` and `status_select` parameters of the `com_adagency` component module. Remote attackers are able to perform malicious GET method request to execute sql command via vulnerable parameters. Remote attackers can trigger the issue depending on the access privileges with a restricted or unauthenticated user account. The vulnerability is a classic remote select sql injection vulnerability in the `com_adagency` component module. The security risk of the sql-injection vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.1. Exploitation of the remote sql injection web vulnerability requires no user interaction or privileged web-application user account. Successful exploitation of the remote sql injection results in database management system, web-server and web-application compromise. Request Method(s): [+] GET Vulnerable Module(s): [+] com_adagency Vulnerable File(s): [+] index.php Vulnerable Parameter(s): [+] advertiser_status [+] status_select Proof of Concept: ================= The remote sql-injection web vulnerabilities can be exploited by remote attackers with privileged web-application user account and without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. PoC: Payload Exploitatation (status_select & advertiser_status) http://joomla.localhost:8080/index.php?option=com_adagency&controller=adagencyAdvertisers&advertiser_status=-1%27Y[SQL-INJECTION VULNERABILITY!]-- http://joomla.localhost:8080/index.php?option=com_adagency&controller=adagencyAds&status_select=Y-1%27[SQL-INJECTION VULNERABILITY!]**&camp_id=3 PoC: Exploit SQL-Injection PoC (status_select & advertiser_status)