JSTicket : "Joomla Most Comprehensive & Easiest help desk Plugin"  "JS Support Ticket deeply integrated with Joomla and providing more efficient and professional 1-on-1 dedicated ticket support system to its customers."  

Essentially, a help desk plugin with a SQL Injection vulnerability. 

Without logging into the application, we can access the dashboard:





I didn't see a way of identifying the version at first glance.

Exploit-DB:




In the POC, we grab the URL and we add a tick to the end:





Nothing blind about that.  We grab the post from Burp:





We take that over to SQLmap:





After some time:





We find an injection and it retrieves the database names:





Since Joomla randomizes table names, we need to dig a little deeper with SQLMap:





After some time, we retrieve the users table name:





Now we're headed for the hashes:





After some time:





We discover there's only one user and we take the hash over to Hashcat:





Hashcat does not disappoint and now we're headed for the login page:





Using our newly acquired credentials:





#gameover

Version 1.1.6 was released a few days ago and after updating, I attempted to inject on that same location:





Not surprising, it didn't work.