Start by setting a breakpoint in this file: joomla_3.7.0/components/com_fields/controller.php
It calls the parent class's constructor.
Step into it: /applications/mamp/htdocs/joomla_3.7.0/libraries/legacy/controller/legacy.php
-------Split Line-------
Follow the next function, located in /joomla_3.7.0/libraries/legacy/model/legacy.php
The first get() call happens here: $this->state = $this->get('state');
The getter then reaches the getState($property = null, $default = null) function, which calls
$this->populateState();
When you reach this call, step into it.
It is located in /joomla_3.7.0/administrator/components/com_fields/models/fields.php, lines 73-89:
protected function populateState($ordering = null, $direction = null)
You can see that it calls the parent class's populateState method; we follow it into the parent class:
parent::populateState('a.ordering', 'ASC');
Continue stepping in.
It is located in /joomla_3.7.0/libraries/legacy/model/list.php
Follow the getUserStateFromRequest() function into
/applications/mamp/htdocs/joomla_3.7.0/libraries/cms/application/cms.php
Here $request = list and $key = com_fields.fields; continue following $cur_state = $this->getUserState($key, $default);
The $key at this point is equal to com_fields.fields.list.
After a series of foreach loops,
the value of $cur_state becomes the injected payload,
and the value of $list is returned.
In /applications/mamp/htdocs/joomla_3.7.0/libraries/legacy/model/list.php, lines 495-570.
Line 566:
Follow the setState function.
The value of list.fullordering is set at this point.
Then look at the second call: $this->items = $this->get('items');
Stepping through get() executes getItems().
Follow getItems() in /joomla_3.7.0/libraries/legacy/model/list.php, lines 172-186.
You can see that the _getListQuery() function, in the same file, is executed.
It then executes the getListQuery() function, located in /joomla_3.7.0/administrator/components/com_fields/models/fields.php, lines 124-328.
Execute up to line 305.
Here it reads the value of list.fullordering. The earlier $this->state = $this->get('state') operation has already set the state, so the value that ends up in the SQL statement was established back then.
It is assigned to $listOrdering and then goes into the ORDER BY clause of the query.
And so the injection happens.
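The root cause traced above is that the ordering string taken from user state reaches the ORDER BY clause unchecked. As an added example (not Joomla's own code; the allowed column list is an assumption), this is the kind of whitelist check a list model should apply to list.fullordering before it is used:

```php
<?php
// Added example, not Joomla's own code: whitelist validation for a
// list.fullordering value before it reaches the ORDER BY clause.
// The allowed column list further down is constructed for this illustration.

/**
 * Validate a "column direction" ordering string against a whitelist.
 * Returns [column, direction], or the defaults when the input is not allowed.
 */
function sanitizeFullOrdering(string $fullOrdering, array $allowedFields,
                              string $defaultCol, string $defaultDir): array
{
    // Exactly two whitespace-separated tokens are expected: column and direction.
    $parts = preg_split('/\s+/', trim($fullOrdering), -1, PREG_SPLIT_NO_EMPTY);
    if (count($parts) !== 2) {
        return [$defaultCol, $defaultDir];
    }
    [$col, $dir] = $parts;
    $dir = strtoupper($dir);

    // Both tokens must match the whitelist exactly; anything else falls back.
    if (!in_array($col, $allowedFields, true) || !in_array($dir, ['ASC', 'DESC'], true)) {
        return [$defaultCol, $defaultDir];
    }
    return [$col, $dir];
}

// Constructed allowed-field list, in the spirit of the filter_fields array a
// Joomla list model declares (the exact entries here are an assumption).
$allowed = ['a.id', 'a.title', 'a.ordering', 'a.state'];

$cases = [
    'a.title DESC',                                 // legitimate ordering
    'a.ordering',                                   // missing direction -> defaults
    'updatexml(0x3a,concat(1,(select md5(1))),1)',  // shape of the PoC above -> rejected
];
foreach ($cases as $input) {
    [$col, $dir] = sanitizeFullOrdering($input, $allowed, 'a.ordering', 'ASC');
    printf("%-48s => ORDER BY %s %s\n", $input, $col, $dir);
}
```

Only the first case survives as given; the other two fall back to a.ordering ASC, so no user-controlled text ever reaches the query string.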
Postscript: I spent most of a day vaguely following the functions from reference articles, which only describe things in writing; for a program as big as Joomla, with so many functions, it is still easy to get confused. Finally, after some pointers, I used PhpStorm's call stack to see the flow, then slowly worked backwards, which produced this article.
Reference: http://bobao.360.cn/learning/detail/3870.html
PoC: index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml (0x3a, Concat (1, (SELECT%20MD5 (1))), 1)
Joomla! 3.7.0 Core SQL Injection Vulnerability Dynamic Debugging (draft)