joomla!3.7.0 Core SQL Injection Vulnerability Dynamic Debug draft

From this page, start the breakpoint: joomla_3.7.0/components/com_fields/controller.php

Calling the parent class's constructor method

Continue with:/applications/mamp/htdocs/joomla_3.7.0/libraries/legacy/controller/legacy.php

-------Split Line-------

Follow-up function, located in/joomla_3.7.0/libraries/legacy/model/legacy.php

The first get () function is called here $this->state = $this->get (' state ');

Follow-up later constructs a module that is getState ($property = null, $default = null) function

$this->populatestate ();

Meet this to follow up

Located in/joomla_3.7.0/administrator/components/com_fields/models/fields.php p73-89

protected function populatestate ($ordering = null, $direction = NULL)

You can see that there is a call to the parent class Populatestate method, we follow up to the parent class

Parent::p opulatestate (' a.ordering ', ' ASC ');
Continue to follow up

Located in/joomla_3.7.0/libraries/legacy/model/list.php

Follow up the getuserstatefromrequest () function

/applications/mamp/htdocs/joomla_3.7.0/libraries/cms/application/cms.php

Here $request =list $key =com_fields.fields continue to follow $cur_state = $this->getuserstate ($key, $default);

The $key here is equal to com_fields.fields.list.

After a series of for loops

The value of the $cur _state becomes the injected payload.

Returns the value of the $list

On/applications/mamp/htdocs/joomla_3.7.0/libraries/legacy/model/list.php 第495-570 Line

Line No. 566:

Follow SetState function

The value of list.fullordering is set at this time.

Then look at the second $this->items = $this->get (' items ');

Walk the Get function, execute the GetItems ()

Follow up GetItems () in/joomla_3.7.0/libraries/legacy/model/list.php 第172-186 line

You can see that the _getlistquery () function is executed in the same directory.

Then execute the getlistquery () function, located on the/joomla_3.7.0/administrator/components/com_fields/models/fields.php 第124-328 line

Execute To Line 305

Take the value of list.fullordering, we are in front $this->state = $this->get (' state '); Operation, $this->state = $this->get (' state ') has been set, and the value of the SQL statement has been established.

Assign a value to $listordering, and then enter the order query.

And so it was injected.

Postscript. Vaguely follow the function to see the majority of days of reference articles, only written, for Joolma this big program, function so much still easy to make confused, finally through pointing, with phpstorm see call stack there is process, and then slowly back, only this article.

Reference: http://bobao.360.cn/learning/detail/3870.html

Poc:index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml (0x3a, Concat (1, (SELECT%20MD5 (1))), 1)

joomla!3.7.0 Core SQL Injection Vulnerability Dynamic Debug draft