JSTicket : "Joomla Most Comprehensive & Easiest help desk Plugin"  "JS Support Ticket deeply integrated with Joomla and providing more efficient and professional 1-on-1 dedicated ticket support system to its customers."  

Essentially, a help desk plugin with a SQL Injection vulnerability. 

Without logging into the application, we can access the dashboard:

I didn't see a way of identifying the version at first glance.


In the POC, we grab the URL and we add a tick to the end:

Nothing blind about that.  We grab the post from Burp:

We take that over to SQLmap:

After some time:

We find an injection and it retrieves the database names:

Since Joomla randomizes table names, we need to dig a little deeper with SQLMap:

After some time, we retrieve the users table name:

Now we're headed for the hashes:

After some time:

We discover there's only one user and we take the hash over to Hashcat:

Hashcat does not disappoint and now we're headed for the login page:

Using our newly acquired credentials:


Version 1.1.6 was released a few days ago and after updating, I attempted to inject on that same location:

Not surprising, it didn't work.