Monday, 22 August 2016

Testing SQL injections in com_virtuemart 3.0.14

Yesterday, after I finally finished the Jomlash module, I decided to check the latest com_virtuemart component. The version I tried was 3.0.14. As far as I know, “the latest” one …

… (as of the day of writing this text: 20.08.2016).


Before we start, we need to check (or change) one setting in our php.ini. It is display_errors, which must be set to On.

For testing purposes we will use LAMP on VirtualBox, Burp Suite, and some "blackbox methodology".


Below you will find a few results - SQL injection bugs:

  • parameter virtuemart_paymentmethod_id:

Below is the “response” when you try this request as sqlmap’s input file (-r request.txt):

Looking for the code in the component’s source:

root@ihaiha:/var/www/joomla2# grep -rn -e virtuemart_paymentmethod_id ./ --color | grep SELECT --color
         $q = 'SELECT `virtuemart_paymentmethod_id` FROM #__virtuemart_paymentmethods WHERE `payment_jplugin_id` = "'.$jpluginId.'" AND `virtuemart_vendor_id` = "'.$vendorId.'" ';

                $q = 'SELECT `virtuemart_shoppergroup_id` FROM #__virtuemart_paymentmethod_shoppergroups WHERE `virtuemart_paymentmethod_id` = "'.$this->_id.'"';

                    $q = 'SELECT `virtuemart_shoppergroup_id` FROM #__virtuemart_paymentmethod_shoppergroups WHERE `virtuemart_paymentmethod_id` = "'.$data->virtuemart_paymentmethod_id.'"';


And some more source code…

So I was wondering if this is exploitable. Below you will find some results:

The code of this module is available on my GitHub.

  • parameter virtuemart_shipmentmethod_id:

Request where I found it:

Sample verification:

More examples

I found a few other interesting places to check and analyze. You can find them by searching for the SELECT string and the parameter used in the SQL query, for example:

During the source code review I found that parameters are sometimes “validated” by the escape() function (you can find it starting from line 132 in the /components/com_virtuemart/helpers/vmview.php file):

Ok, sure. Against XSS maybe, but it will not protect you against SQL injection attacks.
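
The difference between output escaping and query parameterization, as an added example (not VirtueMart's code and not the proof of concept mentioned in this post). It assumes escape() behaves like PHP's htmlspecialchars(); the in-memory SQLite table, the unquoted id context, the function names and the request value are constructed for illustration.

```php
<?php
// Added illustration, not VirtueMart code. Assumption: escape() acts like
// htmlspecialchars(). Table, rows and the request value are constructed.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE paymentmethods (virtuemart_paymentmethod_id INTEGER, payment_name TEXT)');
$db->exec("INSERT INTO paymentmethods VALUES (1, 'cash'), (2, 'card')");

// HTML output encoding, standing in for escape() (assumption).
function htmlEscape(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES, 'UTF-8');
}

// Pattern from the grep output: the value is concatenated into the SQL text.
// Simplified here to an unquoted numeric context.
function lookupConcatenated(PDO $db, string $raw): array
{
    $sql = 'SELECT payment_name FROM paymentmethods WHERE virtuemart_paymentmethod_id = ' . htmlEscape($raw);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened form: accept only a positive integer, then bind it as a parameter
// so the value can never become part of the SQL grammar.
function lookupBound(PDO $db, string $raw): array
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return []; // reject instead of querying
    }
    $stmt = $db->prepare('SELECT payment_name FROM paymentmethods WHERE virtuemart_paymentmethod_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$value = '1 OR 1=1'; // constructed: contains nothing HTML escaping would encode
printf("escape() changed the value: %s\n", var_export(htmlEscape($value) !== $value, true));
printf("concatenated query rows: %s\n", json_encode(lookupConcatenated($db, $value)));
printf("bound query rows:        %s\n", json_encode(lookupBound($db, $value)));
printf("bound query, id 2:       %s\n", json_encode(lookupBound($db, '2')));
```

In Joomla code the equivalent fix is an (int) cast for id parameters or $db->quote() on the value, instead of concatenating the request value into the query string.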

You will find the proof of concept code here. Of course, if you already have admin credentials, you can do much more.
