joomla!3.7.0 Core SQL Injection Vulnerability Dynamic Debug draft

Source: Internet
Author: User

From this page, start the breakpoint: joomla_3.7.0/components/com_fields/controller.php

Calling the parent class's constructor method

Continue with:/applications/mamp/htdocs/joomla_3.7.0/libraries/legacy/controller/legacy.php

-------Split Line-------

Follow-up function, located in/joomla_3.7.0/libraries/legacy/model/legacy.php

The first get () function is called here $this->state = $this->get (' state ');

Follow-up later constructs a module that is getState ($property = null, $default = null) function

$this->populatestate ();

Meet this to follow up

Located in/joomla_3.7.0/administrator/components/com_fields/models/fields.php p73-89

protected function populatestate ($ordering = null, $direction = NULL)

You can see that there is a call to the parent class Populatestate method, we follow up to the parent class
Parent::p opulatestate (' a.ordering ', ' ASC ');
Continue to follow up

Located in/joomla_3.7.0/libraries/legacy/model/list.php

Follow up the getuserstatefromrequest () function

/applications/mamp/htdocs/joomla_3.7.0/libraries/cms/application/cms.php

Here $request =list $key =com_fields.fields continue to follow $cur_state = $this->getuserstate ($key, $default);

The $key here is equal to com_fields.fields.list.

After a series of for loops

The value of the $cur _state becomes the injected payload.

Returns the value of the $list

On/applications/mamp/htdocs/joomla_3.7.0/libraries/legacy/model/list.php 第495-570 Line

Line No. 566:

Follow SetState function

The value of list.fullordering is set at this time.

Then look at the second $this->items = $this->get (' items ');

Walk the Get function, execute the GetItems ()

Follow up GetItems () in/joomla_3.7.0/libraries/legacy/model/list.php 第172-186 line

You can see that the _getlistquery () function is executed in the same directory.

Then execute the getlistquery () function, located on the/joomla_3.7.0/administrator/components/com_fields/models/fields.php 第124-328 line

Execute To Line 305

Take the value of list.fullordering, we are in front $this->state = $this->get (' state '); Operation, $this->state = $this->get (' state ') has been set, and the value of the SQL statement has been established.

Assign a value to $listordering, and then enter the order query.

And so it was injected.

Postscript. Vaguely follow the function to see the majority of days of reference articles, only written, for Joolma this big program, function so much still easy to make confused, finally through pointing, with phpstorm see call stack there is process, and then slowly back, only this article.

Reference: http://bobao.360.cn/learning/detail/3870.html

Poc:index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml (0x3a, Concat (1, (SELECT%20MD5 (1))), 1)

joomla!3.7.0 Core SQL Injection Vulnerability Dynamic Debug draft

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.