CVE-2015-7857
Published 2015-10-29
Priority: P2 · 72 · Severity: high · CVSS 2.0: 7.5
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: available (see the Exploit-DB and Metasploit entries below)
EPSS: 93.90% (99.8th percentile)
SQL injection vulnerability in the getListQuery function in administrator/components/com_contenthistory/models/history.php in Joomla! 3.2 before 3.4.5 allows remote attackers to execute arbitrary SQL commands via the list[select] parameter to index.php.
Affected (15 ranges listed; the individual version bounds were not rendered on the page, so the range below is taken from the description)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| joomla | joomla_! | 3.2 through 3.4.4 | 3.4.5 |
Detection & IOCs (extracted from sources)

URL: index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]=<SQL>
Command: list[select]= (select 1 FROM(select count(*),concat((select (select concat(session_id)) FROM #{tableprefix}session WHERE data LIKE '%Super User%' AND data NOT LIKE '%IS NOT NULL%' AND userid!='0' AND username IS NOT NULL LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)

- Detect GET requests to index.php containing all three URI parameters: option=com_contenthistory, view=history, and list[select]=. The presence of list[select]= is the key injection vector.
- After session hijacking via SQLi, the attacker authenticates to /administrator/index.php and creates a new PHP file under a Joomla template directory for RCE. Monitor for POST requests to administrator/index.php with task=template.createFile and task=template.apply.
- The SQLi payload uses a GROUP BY error-based technique with floor(rand(0)*2) and information_schema.tables; detect this pattern in URI query strings.
- The SQLi only retrieves Super User sessions where a valid username and userid exist (i.e., an admin must be actively logged in at the time of exploitation); the exploit will fail if no admin session is present.
- Affected versions are Joomla 3.2 through 3.4.4 only; version 3.4.5 contains the fix.
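The detection points above, turned into a small log scanner (an added example written for this page, not code from any of the cited sources). It reads web-server access-log lines in combined log format, decodes the request target, and flags three things: the com_contenthistory/history/list[select] parameter combination (medium), that combination together with the error-based markers named above, namely GROUP BY, floor(rand(0)*2) and information_schema (high), and POST requests to administrator/index.php carrying task=template.createFile or task=template.apply (high). The log lines are constructed samples. It assumes the task parameter is visible in the query string; Joomla often sends it in the POST body, which access logs do not record, so for that second check a WAF or full-request log is the more reliable source.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); they are not taken from the page.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Oct/2015:10:00:01 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5120
203.0.113.5 - - [22/Oct/2015:10:00:02 +0000] "GET /index.php?option=com_contenthistory&view=history&item_id=1&type_id=1&list%5Bselect%5D=a.id HTTP/1.1" 200 1820
203.0.113.5 - - [22/Oct/2015:10:00:03 +0000] "GET /index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]=(select%201%20from%20information_schema.tables%20group%20by%20floor(rand(0)*2)) HTTP/1.1" 500 940
203.0.113.5 - - [22/Oct/2015:10:01:10 +0000] "POST /administrator/index.php?option=com_templates&task=template.createFile HTTP/1.1" 303 0
"""

# Extracts method and request target from the quoted request part of a combined-log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Markers of the error-based technique described on the page.
ERROR_BASED_MARKERS = [
    ("floor(rand(0)*2)", re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I)),
    ("information_schema", re.compile(r"information_schema", re.I)),
    ("group by", re.compile(r"\bgroup\s+by\b", re.I)),
]

# Post-compromise template tasks named on the page (assumed to appear in the query string here).
POST_EXPLOIT_TASKS = {"template.createFile", "template.apply"}


def parse_request(line):
    """Return (method, path, params) for one log line, or None if no request is present."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # keep_blank_values keeps entries such as list[ordering]= ; parse_qs percent-decodes keys and values,
    # so list%5Bselect%5D and list[select] both end up under the key "list[select]".
    params = parse_qs(parts.query, keep_blank_values=True)
    return m.group("method"), unquote(parts.path), params


def classify(line):
    """Classify one log line; returns (level, reason) or None when nothing matches."""
    req = parse_request(line)
    if req is None:
        return None
    method, path, params = req

    if method == "GET" and path.endswith("index.php"):
        option = params.get("option", [""])[0].lower()
        view = params.get("view", [""])[0].lower()
        if option == "com_contenthistory" and view == "history" and "list[select]" in params:
            value = params["list[select]"][0]
            hits = [name for name, rx in ERROR_BASED_MARKERS if rx.search(value)]
            if hits:
                return ("high", "com_contenthistory list[select] with error-based SQLi markers: " + ", ".join(hits))
            return ("medium", "com_contenthistory history view requested with a list[select] parameter")

    if method == "POST" and path.endswith("administrator/index.php"):
        task = params.get("task", [""])[0]
        if task in POST_EXPLOIT_TASKS:
            return ("high", f"template file write/apply via task={task} (possible post-compromise activity)")

    return None


def scan(log_text):
    """Run classify over every line; returns a list of (line_number, level, reason)."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        result = classify(line)
        if result:
            findings.append((n, result[0], result[1]))
    return findings


if __name__ == "__main__":
    for n, level, reason in scan(SAMPLE_LOG):
        print(f"line {n}: [{level}] {reason}")
```

The medium finding is kept separate from the high one on purpose: list[select] reaching the history view is the vector even when the value looks harmless, so it is worth a low-volume alert on its own, while the error-based markers are what distinguish an actual injection attempt from a malformed request. Note that the scanner matches the decoded query, so percent-encoded brackets or spaces do not evade it, but it does not see POST bodies.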
Suricata

ET WEB_SPECIFIC_APPS Possible Joomla SQLi Attempt (CVE-2015-7297 CVE-2015-7857 CVE-2015-7858) [HIGH]
suricata · 2015-10-22 · CVSS 7.5

Rule (truncated in the source): alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Joomla SQLi Attempt (CVE-2015-7297 CVE-2015-7857 CVE-2015-7858)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"option="; nocase; content:"view="; nocase; content:"list[select]="; nocase; fast_pattern; pcre:"/&list\[select\]=[^\r\n&]*(?:(?:S(?:HOW (?:C(?:UR(?:DAT|TIM)E|HARACTER SET)|(?:VARI|T)ABLES)|ELECT (?:FROM|USER))|U(?:NION SELEC|PDATE SE)T|DELETE FROM|INSERT INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/)?/i"; http.header_names; to_lowercase; content:!"|0d 0a|refere
Exploit-DB

Joomla! 3.4.4 Component Content History - SQL Injection / Remote Code Execution (Metasploit)
exploitdb · 2015-11-23 · tagged CVE-2015-7858
---

Module header as excerpted (the `< Msf::Exploit::Remote` and `initialize` lines were eaten by extraction and are restored here; the excerpt ends where the source does):

```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => "Joomla Content History SQLi Remote Code Execution",
      'Description' => %q{
        This module exploits a SQL injection vulnerability found in Joomla versions
        3.2 up to 3.4.4. The vulnerability exists in the Content History administrator
        component in the core of Joomla. Triggering the SQL injection makes it possible
        to retrieve active Super User sessions. The cookie can be used to login to the
        Joomla administrator backend. By creating a new template file containing our
        payload, remote code execution is made possible.
      },
      'License
      # excerpt truncated here in the source
```
Metasploit

Joomla Content History SQLi Remote Code Execution
metasploit

This module exploits a SQL injection vulnerability found in Joomla versions 3.2 up to 3.4.4. The vulnerability exists in the Content History administrator component in the core of Joomla. Triggering the SQL injection makes it possible to retrieve active Super User sessions. The cookie can be used to login to the Joomla administrator backend. By creating a new template file containing our payload, remote code execution is made possible.
Qualys

Protect Against the Joomla SQL Injection Vulnerability | Qualys [HIGH]
blogs_qualys · 2015-10-28 · CVSS 7.5

A few days ago, SpiderLabs researcher Asaf Orpani disclosed an important vulnerability targeting Joomla, one of the most popular Content Management Systems (CMS). By exploiting this vulnerability, researchers were able to remotely gain full administrative access to the CMS.

Joomla versions 3.2 to 3.4.4 are affected by this major security issue. Since the vulnerability targets the core of the CMS, all websites based on Joomla are vulnerable, whatever the modules used.

Vulnerabilities discovered by Orpani are:

- CVE-2015-7297
- CVE-2015-7857
- CVE-2015-7858

Like WordPress did when its market-leading CMS was exposed to multiple vulnerabilities, Joomla has reacted by publishing a quick Security Fix version 3.4.5, which we encourage you to apply immediately.

What that story doesn’t tell is
References

- http://developer.joomla.org/security-centre/628-20151001-core-sql-injection.html
- http://packetstormsecurity.com/files/134097/Joomla-3.44-SQL-Injection.html
- http://packetstormsecurity.com/files/134494/Joomla-Content-History-SQL-Injection-Remote-Code-Execution.html
- http://www.rapid7.com/db/modules/exploit/unix/webapp/joomla_contenthistory_sqli_rce
- http://www.securityfocus.com/bid/77295
- http://www.securitytracker.com/id/1033950
- https://www.exploit-db.com/exploits/38797/
- https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/