Joomla 3.x SQL Injection Vulnerability Analysis
Joomla is a widely used, award-winning Content Management System (CMS) built on PHP and MySQL. It runs on Linux, Windows, Mac OS X, Solaris, and other platforms. Beyond the basic features (news/article management, document/image management, site layout settings, template/theme management), thousands of plug-ins are available to extend it, and it ships with multilingual support. Its rich feature set and broad language support explain its popularity worldwide.
I. Vulnerability Analysis
The code that triggers the vulnerability is the getListQuery() function in /administrator/components/com_contenthistory/models/history.php:
From the SQL and the error message we can see that the injection payload lands at the position highlighted in the screenshot. Following the getState() function, located in libraries/legacy/model/legacy.php, the code is as follows:
From the function parameters and the official comments, getState() returns the value of a model property. When the requested property has not been set on the model yet, $this->populateState() is executed first to assign values to the model's properties.
Following populateState() to see what it does, the code is located in /administrator/components/com_contenthistory/models/history.php:
This function reads item_id, type_id and type_alias from user input and assigns them to properties of the current model. All of the user-controllable variables are cast to integers, so they cannot be used for injection. The last line, parent::populateState('h.save_date', 'desc'), calls the parent class's populateState(); its definition is in libraries/legacy/model/list.php, near line 1:
The getUserStateFromRequest() function returns the list[] variable from GET/POST into $list; its third parameter declares the expected type as array(). Following it further:
The code iterates over the obtained list[] array, filtering and splitting each entry as appropriate. list[select] has no dedicated handling, so it falls through to the default case, and the subsequent $this->setState('list.' . $name, $value) assigns the list[select] value from the request to the model property directly, without further processing. Looking back at the injection position at the start of the article, $this->getState('list.select') is now under our control, which is what allows SQL injection to be constructed.
Having confirmed the controllable input location, the next step is to construct an effective payload, which requires solving several small problems. Constructed POC: index.php?option=com_contenthistory&view=history&item_id=1&type_id=1&list[select]=(exp(~(select * from (select md5(1) x)))
This produces the error message: Unknown column 'array':
list[ordering]= must be added to clear the ORDER BY field value in the original SQL statement.
Finally, the POC can be executed:
/index.php?option=com_contenthistory&view=history&item_id=1&list[ordering]=&type_id=1&list[select]=(exp(~(select * from (select md5(1) x)))
The execution will return:
The precondition for successful execution of the POC is that the supplied item_id exists in the joomla_ucm_history table; otherwise the response is "500 - Layout default not found." According to the original description, item_id can be guessed by brute force, or a time-based payload can be used instead.
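As a defender-side complement to the analysis above, the following is an added example (not from the original article and not Joomla's own code) that scans constructed access-log lines and flags com_contenthistory requests whose list[...] parameters carry SQL syntax, which is exactly the request shape the populateState() fall-through allows. The log lines, IP addresses and the SQL_TOKEN_RE token list are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format); not captured traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Oct/2015:10:00:01 +0000] "GET /index.php?option=com_contenthistory&view=history&item_id=1&type_id=1 HTTP/1.1" 200 1234
203.0.113.9 - - [21/Oct/2015:10:00:02 +0000] "GET /index.php?option=com_contenthistory&view=history&item_id=1&type_id=1&list%5Bordering%5D=&list%5Bselect%5D=(exp(~(select%20*%20from(select%20md5(1))x))) HTTP/1.1" 500 2048
203.0.113.9 - - [21/Oct/2015:10:00:03 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5000
203.0.113.12 - - [21/Oct/2015:10:00:04 +0000] "GET /index.php?option=com_contenthistory&view=history&item_id=1&type_id=1&list%5Bselect%5D=h.save_date HTTP/1.1" 200 1000
"""

# Minimal parser for the request line and status of a combined-format log entry.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Tokens that have no business in a list[] ordering/select value: parentheses,
# SQL keywords, bitwise NOT (used by the exp(~(...)) error-based trick), comments, quotes.
SQL_TOKEN_RE = re.compile(r"\(|\)|\bselect\b|\bunion\b|\bfrom\b|~|--|/\*|'", re.IGNORECASE)


def analyze_request(target):
    """Return 'key=value' for the first suspicious list[] parameter of a
    com_contenthistory request, or None if the request looks benign."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if params.get("option") != ["com_contenthistory"]:
        return None
    for key, values in params.items():
        if not key.startswith("list["):  # parse_qs already decodes %5B/%5D
            continue
        for value in values:
            if SQL_TOKEN_RE.search(value):
                return f"{key}={value}"
    return None


def scan_log(text):
    """Return (ip, status, reason) for every log line that trips analyze_request."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        reason = analyze_request(match.group("target"))
        if reason:
            hits.append((match.group("ip"), int(match.group("status")), reason))
    return hits


if __name__ == "__main__":
    for ip, status, reason in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} {reason}")
```

The plain h.save_date value in the last sample line is not flagged, so the check stays quiet on legitimate sorting requests while catching the list[select] pattern used in the POC.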
II. Vulnerability impact
Joomla 3.2 - 3.4.4
III. Final Plan
Joomla has officially released version 3.4.5; you can log in to the administrator backend and update from there.
Alternatively, download the official upgrade package from:
https://github.com/joomla/joomla-cms/releases