Joomla Payage 2.05 SQL Injection via aid Parameter
Description
Joomla Payage 2.05 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the aid parameter. Attackers can send GET requests to index.php with malicious aid values in the make_payment task to extract sensitive database information using boolean-based blind or time-based blind techniques.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products: 1
Patches
Vulnerability mechanics
Root cause
"Missing input sanitization on the `aid` GET parameter allows SQL injection."
Attack vector
An unauthenticated attacker sends a GET request to `index.php` with `option=com_payage`, `task=make_payment`, and a malicious `aid` parameter. The `aid` value is not sanitized before being used in a SQL query, allowing the attacker to inject boolean-based blind or time-based blind SQL payloads [ref_id=1]. By observing differences in response content or response delays (e.g., `SLEEP(5)`), the attacker can extract sensitive database information character by character.
What the fix does
The advisory does not include a patch or vendor fix. To remediate the vulnerability, the `aid` parameter must be validated (e.g., cast to an integer) or passed through a parameterized query to prevent SQL injection. Without such sanitization, the application remains vulnerable to the blind injection techniques demonstrated in the exploit [ref_id=1].
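The integer-only rule described above, applied as a log check. This is an added example, not code from the advisory or from Payage. The function names, the combined access-log format and the sample lines are assumptions constructed for illustration; the request parameters and payload strings are the ones quoted on this page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate aid is a plain decimal integer, which is what the
# "cast to an integer" remediation implies.
AID_RE = re.compile(r"[0-9]{1,18}")
# Request field of an Apache/nginx combined-format access log line.
REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')

def aid_is_valid(value):
    """True only if the whole value is digits (fullmatch rejects trailing text)."""
    return AID_RE.fullmatch(value) is not None

def suspicious_payage_request(url):
    """Return the decoded aid if url hits com_payage/make_payment with a
    non-integer aid; otherwise None."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if qs.get("option", [""])[0] != "com_payage":
        return None
    if qs.get("task", [""])[0] != "make_payment":
        return None
    for aid in qs.get("aid", []):  # check every copy if aid is repeated
        if not aid_is_valid(aid):
            return aid
    return None

def scan(lines):
    """Return (line_number, decoded_aid) for each flagged log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQ_RE.search(line)
        if match:
            aid = suspicious_payage_request(match.group(1))
            if aid is not None:
                hits.append((number, aid))
    return hits

# Constructed sample log lines (documentation IPs, made-up timestamps and sizes).
BASE = "/index.php?option=com_payage&task=make_payment&aid="
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET ' + BASE + '1001&tid=abc&tokenid= HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET ' + BASE + "1001'+AND+6552=6552+AND+'dCgx'='dCgx&tid=abc&tokenid= HTTP/1.1\" 200 5120",
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET ' + BASE + "1001'+AND+(SELECT+*+FROM+(SELECT(SLEEP(5)))JBKV)+AND+'XFWL'='XFWL&tid=abc&tokenid= HTTP/1.1\" 200 5120",
    '192.0.2.10 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, aid in scan(SAMPLE_LOG):
        print(f"line {number}: non-integer aid {aid!r}")
```

The same `aid_is_valid` test, enforced server-side before the query is built, is the input validation the remediation calls for; a parameterized query remains the stronger control.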
Preconditions
- config: The Joomla Payage 2.05 component must be installed and accessible via a web server.
- auth: No authentication is required; the attack is performed over HTTP GET.
- network: The attacker must be able to send HTTP requests to the vulnerable endpoint.
- input: The attacker supplies a crafted `aid` parameter containing SQL injection payloads.
Reproduction
Send a GET request to `http://server/index.php?option=com_payage&task=make_payment&aid=1001'+AND+6552=6552+AND+'dCgx'='dCgx&tid=c4333ccdc8b2dced3f6e72511cd8a76f&tokenid=`. If the response is identical to a legitimate request, the boolean-based blind injection is confirmed. For time-based confirmation, use `aid=1001'+AND+(SELECT+*+FROM+(SELECT(SLEEP(5)))JBKV)+AND+'XFWL'='XFWL` and observe a 5-second delay [ref_id=1].
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/42113 (mitre, exploit)
- www.vulncheck.com/advisories/joomla-payage-sql-injection-via-aid-parameter (mitre, third-party-advisory)