JSTicket 1.1.5 SQL Injection

    JSTicket : "Joomla Most Comprehensive & Easiest help desk Plugin"  "JS Support Ticket deeply integrated with Joomla and providing more efficient and professional 1-on-1 dedicated ticket support system to its customers."  

    Essentially, a help desk plugin with a SQL Injection vulnerability. 

    Without logging into the application, we can access the dashboard:

    I didn't see a way of identifying the version at first glance.


    In the POC, we grab the URL and we add a tick to the end:

    Nothing blind about that.  We grab the post from Burp:

    We take that over to SQLmap:

    After some time:

    We find an injection and it retrieves the database names:

    Since Joomla randomizes table names, we need to dig a little deeper with SQLMap:

    After some time, we retrieve the users table name:

    Now we're headed for the hashes:

    After some time:

    We discover there's only one user and we take the hash over to Hashcat:

    Hashcat does not disappoint and now we're headed for the login page:

    Using our newly acquired credentials:


    Version 1.1.6 was released a few days ago and after updating, I attempted to inject on that same location:

    Not surprising, it didn't work.  

    © 2020 sevenlayers.com