CVE-2015-7858
Published 2015-10-29
Priority P2 · 79 · high · CVSS 2.0: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 84.76% (99.7th percentile)
SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2015-7297.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| joomla | joomla_! | — | — |
Detection & IOCs
- url: `index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]=<SQLi>`
- command: `GET /index.php?option=com_contenthistory&view=history&list[select]= (select 1 FROM(select count(*),concat((select (select concat(session_id)) FROM <prefix>session WHERE data LIKE '%Super User%' AND data NOT LIKE '%IS NOT NULL%' AND userid!='0' AND username IS NOT NULL LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)`
- The SQLi is triggered via a GET request to index.php with parameters option=com_contenthistory, view=history, and a malicious list[select] parameter. Monitor HTTP GET requests containing 'list[select]=' in the URI targeting Joomla endpoints.
- The exploit retrieves active Super User session cookies by injecting into the list[select] parameter; look for error responses (HTTP 500) containing 'Duplicate entry' followed by a session ID string, indicating successful SQLi data extraction.
- The exploit checks for a vulnerable table prefix by triggering a 500 error response whose body matches the pattern `<prefix>_ucm_history`. Monitor for HTTP 500 responses from Joomla containing '_ucm_history' in the body.
- Post-SQLi, the attacker authenticates to /administrator/index.php using the hijacked session cookie and then creates a new PHP template file via com_templates for RCE. Monitor for authenticated POST requests to com_templates with task=template.createFile or task=template.apply from unexpected sources.
- The SQL injection payload uses a GROUP BY error-based technique with floor(rand(0)*2) and information_schema.tables. Detect this pattern in WAF/IDS logs on the list[select] parameter.
- The vulnerability affects Joomla versions 3.2 through 3.4.4 only; version 3.4.5 contains the fix. The SQLi is in the Content History administrator component (com_contenthistory).
- The SQLi only retrieves Super User sessions where a valid username and userid are present (i.e., the admin must be actively logged in at the time of exploitation). Exploitation requires a live admin session.
- The ET Snort rule (sid:2021992) uses a PCRE that covers common SQL keywords but may not catch all obfuscated variants; complement with WAF rules for broader coverage.
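An added example (not taken from any of the cited sources): a Python triage over web access logs that applies the request-side indicators listed above and correlates them per client. The log lines are constructed, and the tag names and the `classify`/`triage` helpers are this example's own; the response-body checks ('Duplicate entry', '_ucm_history') need proxy or WAF response logging and are not covered here.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined format); IPs are documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [29/Oct/2015:10:01:02 +0000] "GET /index.php?option=com_contenthistory&view=history&list%5Bselect%5D=(select+1+from(select+count(*),concat(1,floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) HTTP/1.1" 500 1873
198.51.100.7 - - [29/Oct/2015:10:01:09 +0000] "POST /administrator/index.php?option=com_templates&task=template.createFile&id=503 HTTP/1.1" 303 0
203.0.113.20 - - [29/Oct/2015:10:02:00 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5120
203.0.113.20 - - [29/Oct/2015:10:03:00 +0000] "GET /index.php?option=com_contenthistory&view=history&list[select]= HTTP/1.1" 200 310
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
ERROR_BASED = re.compile(r"floor\(rand\(0\)\*2\)|information_schema\.tables", re.I)
TEMPLATE_TASKS = {"template.createfile", "template.apply"}

def classify(line):
    """Return (client_ip, set_of_tags) for one log line, or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    url = urlsplit(target)
    # parse_qs percent-decodes names and values, so list%5Bselect%5D matches too.
    q = {k.lower(): v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    tags = set()
    option = q.get("option", "").lower()
    select = q.get("list[select]", "")
    if method == "GET" and option == "com_contenthistory" and select.strip():
        tags.add("sqli-param")          # non-empty list[select] on Content History
        if ERROR_BASED.search(select):
            tags.add("error-based")     # GROUP BY / rand() error-based markers
        if status == "500":
            tags.add("http-500")        # database error surfaced to the client
    if (method == "POST" and url.path.endswith("/administrator/index.php")
            and option == "com_templates" and q.get("task", "").lower() in TEMPLATE_TASKS):
        tags.add("template-write")      # follow-on template file creation or edit
    return ip, tags

def triage(log_text):
    """Merge tags per client; a probe plus a template write from one client is critical."""
    per_ip = {}
    for line in log_text.splitlines():
        hit = classify(line)
        if hit and hit[1]:
            per_ip.setdefault(hit[0], set()).update(hit[1])
    return {ip: ("critical" if {"sqli-param", "template-write"} <= t else "review", sorted(t))
            for ip, t in per_ip.items()}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
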
CVSS provenance
- nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
- vulncheck · 7.5 HIGH
GHSA
GHSA-66q2-64c3-859x: SQL injection vulnerability in Joomla! 3
ghsa_unreviewed·2022-05-17·CVSS 7.5
CVE-2015-7858 [HIGH] CWE-89 GHSA-66q2-64c3-859x: SQL injection vulnerability in Joomla! 3
SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2015-7297.
GHSA
GHSA-5j7c-6v58-rh4x: SQL injection vulnerability in Joomla! 3
ghsa_unreviewed·2022-05-17·CVSS 7.5
CVE-2015-7297 [HIGH] CWE-89 GHSA-5j7c-6v58-rh4x: SQL injection vulnerability in Joomla! 3
SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2015-7858.
VulnCheck
Joomla! Joomla! Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
vulncheck·2015·CVSS 7.5
CVE-2015-7858 [HIGH] Joomla! Joomla! Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2015-7297.
Affected: Joomla! Joomla!
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.sucuri.net/2015/10/joomla-sql-injection-attacks-in-the-wild.html
Exploit PoC: https://vulncheck.com/xdb/9eabb1cd63ab
Suricata
ET WEB_SPECIFIC_APPS Possible Joomla SQLi Attempt (CVE-2015-7297 CVE-2015-7857 CVE-2015-7858)
suricata·2015-10-22·CVSS 7.5
CVE-2015-7297 [HIGH] ET WEB_SPECIFIC_APPS Possible Joomla SQLi Attempt (CVE-2015-7297 CVE-2015-7857 CVE-2015-7858)
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Joomla SQLi Attempt (CVE-2015-7297 CVE-2015-7857 CVE-2015-7858)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"option="; nocase; content:"view="; nocase; content:"list[select]="; nocase; fast_pattern; pcre:"/&list\[select\]=[^\r\n&]*(?:(?:S(?:HOW (?:C(?:UR(?:DAT|TIM)E|HARACTER SET)|(?:VARI|T)ABLES)|ELECT (?:FROM|USER))|U(?:NION SELEC|PDATE SE)T|DELETE FROM|INSERT INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/)?/i"; http.header_names; to_lowercase; content:!"|0d 0a|refere
Exploit-DB
Joomla! 3.4.4 Component Content History - SQL Injection / Remote Code Execution (Metasploit)
exploitdb·2015-11-23
CVE-2015-7858 Joomla! 3.4.4 Component Content History - SQL Injection / Remote Code Execution (Metasploit)
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 "Joomla Content History SQLi Remote Code Execution",
'Description' => %q{
This module exploits a SQL injection vulnerability found in Joomla versions
3.2 up to 3.4.4. The vulnerability exists in the Content History administrator
component in the core of Joomla. Triggering the SQL injection makes it possible
to retrieve active Super User sessions. The cookie can be used to login to the
Joomla administrator backend. By creating a new template file containing our
payload, remote code execution is made possible.
},
'License
Metasploit
Joomla Content History SQLi Remote Code Execution
metasploit
This module exploits a SQL injection vulnerability found in Joomla versions 3.2 up to 3.4.4. The vulnerability exists in the Content History administrator component in the core of Joomla. Triggering the SQL injection makes it possible to retrieve active Super User sessions. The cookie can be used to login to the Joomla administrator backend. By creating a new template file containing our payload, remote code execution is made possible.
Qualys
Protect Against the Joomla SQL Injection Vulnerability | Qualys
blogs_qualys·2015-10-28·CVSS 7.5
[HIGH] Protect Against the Joomla SQL Injection Vulnerability | Qualys
A few days ago, SpiderLabs researcher Osaf Orpani disclosed an important vulnerability targeting Joomla, one of the most popular Content Management Systems (CMS). By exploiting this vulnerability, researchers were able to remotely gain full administrative access to the CMS.
Joomla versions 3.2 to 3.4.4 are affected by this major security issue. Since the vulnerability targets the core of the CMS, all websites based on Joomla are vulnerable, whatever the modules used.
Vulnerabilities discovered by Orpani are:
- CVE-2015-7297
- CVE-2015-7857
- CVE-2015-7858
Like WordPress did when its market-leading CMS was exposed to multiple vulnerabilities, Joomla has reacted by publishing a quick Security Fix version 3.4.5, which we encourage you to apply immediately.
What that story doesn’t tell is
References
- http://developer.joomla.org/security-centre/628-20151001-core-sql-injection.html
- http://packetstormsecurity.com/files/134097/Joomla-3.44-SQL-Injection.html
- http://packetstormsecurity.com/files/134494/Joomla-Content-History-SQL-Injection-Remote-Code-Execution.html
- http://www.rapid7.com/db/modules/exploit/unix/webapp/joomla_contenthistory_sqli_rce
- http://www.securityfocus.com/bid/77295
- http://www.securitytracker.com/id/1033950
- https://www.exploit-db.com/exploits/38797/
- https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/