JSTicket 1.1.5 SQL Injection

    JSTicket: "Joomla Most Comprehensive & Easiest help desk Plugin" "JS Support Ticket deeply integrated with Joomla and providing more efficient and professional 1-on-1 dedicated ticket support system to its customers."

    Essentially, a help desk plugin with a SQL Injection vulnerability. 

    Without logging into the application, we can access the dashboard:





    I didn't see a way of identifying the version at first glance.

    Exploit-DB:




    In the POC, we grab the URL and add a tick (a single quote) to the end:





    Nothing blind about that.  We grab the post from Burp:





    We take that over to sqlmap:





    After some time:





    We find an injection and it retrieves the database names:





    Since Joomla randomizes table names, we need to dig a little deeper with sqlmap:





    After some time, we retrieve the users table name:





    Now we're headed for the hashes:





    After some time:





    We discover there's only one user and we take the hash over to Hashcat:





    Hashcat does not disappoint and now we're headed for the login page:





    Using our newly acquired credentials:





    #gameover

    Version 1.1.6 was released a few days ago and after updating, I attempted to inject on that same location:





    Not surprisingly, it didn't work.
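For anyone still running 1.1.5 while the update is scheduled, the two loudest steps above (the tick appended to a parameter and the sqlmap run) leave traces in the web server access log. The following is an added example, not part of the original walkthrough; the log lines are constructed, and the component name `com_example` and the parameter names are placeholders rather than the plugin's real ones.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (combined log format). Addresses, paths and
# parameter names are placeholders, not taken from the plugin.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2020:10:01:02 +0000] "GET /index.php?option=com_example&id=5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2020:10:01:09 +0000] "GET /index.php?option=com_example&id=5%27 HTTP/1.1" 500 812 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2020:10:03:44 +0000] "POST /index.php?option=com_example HTTP/1.1" 200 4400 "-" "sqlmap/1.4.3#stable (http://sqlmap.org)"
192.0.2.15 - - [12/Mar/2020:10:05:00 +0000] "GET /index.php?q=o%27brien HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def findings(log_text):
    """Return (client_ip, [reasons]) for each log line that looks like an injection probe."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not combined log format; skip rather than guess
        reasons = []
        # sqlmap announces itself in the User-Agent unless told otherwise.
        if "sqlmap" in m["ua"].lower():
            reasons.append("sqlmap-user-agent")
        # parse_qsl percent-decodes, so %27 and a literal ' are treated alike.
        query = urlsplit(m["target"]).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            # A value that *ends* in a quote is the classic tick test; a quote
            # in the middle (o'brien) is ordinary input and is not flagged.
            if value.endswith("'"):
                reasons.append(f"trailing-quote:{name}")
                if m["status"].startswith("5"):
                    reasons.append("server-error-on-quote")
        if reasons:
            results.append((m["ip"], reasons))
    return results

if __name__ == "__main__":
    for ip, reasons in findings(SAMPLE_LOG):
        print(ip, ", ".join(reasons))
```

Access logs do not record POST bodies and the User-Agent is trivially changed, so treat these as cheap first-pass signals to correlate with WAF and database error logs.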


    © 2020 sevenlayers.com