CVE-2015-7857
published 2015-10-29


Priority: P2 (72) · Severity: high · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit available · EPSS: 93.90% (99.8th percentile)
SQL injection vulnerability in the getListQuery function in administrator/components/com_contenthistory/models/history.php in Joomla! 3.2 before 3.4.5 allows remote attackers to execute arbitrary SQL commands via the list[select] parameter to index.php.

Affected

15 ranges
Vendor | Product | Version range | Fixed in
joomla | joomla_! | (per-range version columns not present; the description above covers Joomla! 3.2 before 3.4.5) | 3.4.5

Detection & IOCs (extracted from sources)

url: index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]=<SQL>
path: administrator/components/com_contenthistory/models/history.php
command: list[select]= (select 1 FROM(select count(*),concat((select (select concat(session_id)) FROM #{tableprefix}session WHERE data LIKE '%Super User%' AND data NOT LIKE '%IS NOT NULL%' AND userid!='0' AND username IS NOT NULL LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)
  • Detect GET requests to index.php that carry all three URI parameters option=com_contenthistory, view=history and list[select]=; list[select] is the injected parameter, so its presence is the key indicator (clients commonly URL-encode the brackets, so also match list%5Bselect%5D).
  • After hijacking a Super User session via the SQLi, the attacker authenticates to /administrator/index.php and creates a new PHP file under a Joomla template directory to get code execution; monitor for POST requests to administrator/index.php with task=template.createFile and task=template.apply.
  • The SQLi payload uses the error-based GROUP BY technique, combining floor(rand(0)*2) with a subquery over information_schema.tables; match this pattern in URI query strings after URL-decoding them.
  • The SQLi only retrieves Super User sessions where a valid username and userid exist, i.e. an administrator must be logged in at the time of exploitation; the exploit fails if no such session is present.
  • Affected versions are Joomla 3.2 through 3.4.4 only; version 3.4.5 contains the fix.
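The three detection rules above, applied to access-log lines, as an added example (this is not code from the page's sources or from Joomla). It assumes combined-format web server logs, so only the query string is visible; the `body` argument exists for collectors (a WAF or reverse proxy) that also record POST bodies. The sample lines are constructed, and `jos_` stands in for the site's table prefix.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Apache/nginx "combined"-style access log line (the sample lines below are constructed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# Error-based technique used by the public PoC: a duplicate-key error forced with
# floor(rand(0)*2) inside a GROUP BY over information_schema.tables.
ERROR_BASED_RE = re.compile(r'floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)', re.I)

# Admin tasks the post-exploitation step uses to drop a PHP file into a template.
TEMPLATE_WRITE_TASKS = {"template.createfile", "template.apply"}


def request_params(uri, body=""):
    """Merge URL-decoded query-string parameters with body parameters (when the
    collector logged a body); keys and values are lower-cased for matching."""
    merged = {}
    for src in (urlsplit(uri).query, body):
        for key, values in parse_qs(src, keep_blank_values=True).items():
            merged.setdefault(key.lower(), []).extend(v.lower() for v in values)
    return merged


def classify_request(method, uri, body=""):
    """Return the detection tags that fire for one request (empty list = nothing matched)."""
    path = urlsplit(uri).path.lower()
    params = request_params(uri, body)
    decoded = unquote_plus(urlsplit(uri).query + "&" + body).lower()
    tags = []

    # 1. The injection request itself: all three parameters on index.php.
    if (path.endswith("index.php")
            and "com_contenthistory" in params.get("option", [])
            and "history" in params.get("view", [])
            and "list[select]" in params):
        tags.append("contenthistory_sqli")

    # 2. The generic error-based SQLi pattern, whatever component it targets.
    if ERROR_BASED_RE.search(decoded) and "information_schema" in decoded:
        tags.append("error_based_sqli")

    # 3. Post-exploitation: writing a file into a template from the admin backend.
    if (method == "POST" and path.endswith("/administrator/index.php")
            and TEMPLATE_WRITE_TASKS & set(params.get("task", []))):
        tags.append("template_file_write")

    return tags


def scan_log(lines):
    """Parse access-log lines and return (client_ip, uri, tags) for every line that matched."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify_request(m["method"], m["uri"])
        if tags:
            hits.append((m["ip"], m["uri"], tags))
    return hits


SAMPLE_LOG = [
    # Constructed: the PoC request, URL-encoded as a client would send it.
    '203.0.113.10 - - [29/Oct/2015:10:00:01 +0000] "GET /index.php?option=com_contenthistory'
    '&view=history&list%5Bordering%5D=&item_id=1&type_id=1&list%5Bselect%5D=(select%201%20FROM'
    '(select%20count(*),concat((select%20session_id%20FROM%20jos_session%20LIMIT%200,1),'
    'floor(rand(0)*2))x%20FROM%20information_schema.tables%20GROUP%20BY%20x)a) HTTP/1.1" 500 1203',
    # Constructed: ordinary frontend traffic.
    '198.51.100.7 - - [29/Oct/2015:10:00:02 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5120',
    # Constructed: the hijacked session writing a file into a template.
    '203.0.113.10 - - [29/Oct/2015:10:00:09 +0000] "POST /administrator/index.php?option=com_templates&task=template.createFile HTTP/1.1" 303 0',
    # Constructed: a legitimate admin action that must not fire.
    '192.0.2.5 - - [29/Oct/2015:10:00:15 +0000] "POST /administrator/index.php?option=com_content&task=article.save HTTP/1.1" 303 0',
]

if __name__ == "__main__":
    for ip, uri, tags in scan_log(SAMPLE_LOG):
        print(ip, tags, uri[:80])
```

Rule 3 only fires on what the log actually contains: if the task parameter travels in the POST body and the collector does not record bodies, pass the body through the `body` argument from a source that has it, or correlate on the POST to administrator/index.php alone.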