CVE-2015-7858
published 2015-10-29


Priority: P2 · 79 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 84.76% (99.7th percentile)
SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2015-7297.

Affected

15 ranges
Vendor | Product | Version range | Fixed in
joomla | joomla_! | |

Detection & IOCs (extracted from sources)

url: index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]=<SQLi>
command: GET /index.php?option=com_contenthistory&view=history&list[select]= (select 1 FROM(select count(*),concat((select (select concat(session_id)) FROM <prefix>session WHERE data LIKE '%Super User%' AND data NOT LIKE '%IS NOT NULL%' AND userid!='0' AND username IS NOT NULL LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)
path: /administrator/index.php?option=com_templates&view=templates
path: /administrator/index.php?option=com_templates&task=template.createFile
  • The SQLi is triggered via a GET request to index.php with parameters option=com_contenthistory, view=history, and a malicious list[select] parameter. Monitor HTTP GET requests containing 'list[select]=' in the URI targeting Joomla endpoints.
  • The exploit retrieves active Super User session cookies by injecting into the list[select] parameter; look for error responses (HTTP 500) containing 'Duplicate entry' followed by a session ID string, indicating successful SQLi data extraction.
  • The exploit checks for a vulnerable table prefix by triggering a 500 error response whose body matches the pattern `<prefix>_ucm_history`. Monitor for HTTP 500 responses from Joomla containing '_ucm_history' in the body.
  • Post-SQLi, the attacker authenticates to /administrator/index.php using the hijacked session cookie and then creates a new PHP template file via com_templates for RCE. Monitor for authenticated POST requests to com_templates with task=template.createFile or task=template.apply from unexpected sources.
  • The SQL injection payload uses a GROUP BY error-based technique with floor(rand(0)*2) and information_schema.tables. Detect this pattern in WAF/IDS logs on the list[select] parameter.
  • The vulnerability affects Joomla versions 3.2 through 3.4.4 only; version 3.4.5 contains the fix. The SQLi is in the Content History administrator component (com_contenthistory).
  • The SQLi only retrieves Super User sessions where a valid username and userid are present (i.e., the admin must be actively logged in at the time of exploitation). Exploitation requires a live admin session.
  • The ET Snort rule (sid:2021992) uses a PCRE that covers common SQL keywords but may not catch all obfuscated variants; complement with WAF rules for broader coverage.
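
The request-side checks from the notes above, written as an access-log scanner. This is an added example, not taken from the page's sources: the rule names and sample log lines are constructed, and the combined log format is an assumption. Access logs carry no response bodies, so the 'Duplicate entry' and '_ucm_history' body checks are outside its scope.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (documentation-range IPs).
SAMPLE_LOG = """\
198.51.100.7 - - [29/Oct/2015:10:00:01 +0000] "GET /index.php?option=com_contenthistory&view=history&list%5Bselect%5D=(select+1+FROM(select+count(*),floor(rand(0)*2)x+FROM+information_schema.tables+GROUP+BY+x)a) HTTP/1.1" 500 1843
198.51.100.7 - - [29/Oct/2015:10:00:09 +0000] "POST /administrator/index.php?option=com_templates&task=template.createFile HTTP/1.1" 303 0
203.0.113.20 - - [29/Oct/2015:10:01:00 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5120
203.0.113.20 - - [29/Oct/2015:10:02:00 +0000] "POST /administrator/index.php?option=com_templates&task=template.apply HTTP/1.1" 303 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Error-based GROUP BY markers named in the notes above.
ERROR_BASED_RE = re.compile(
    r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)|information_schema", re.I)
TEMPLATE_TASKS = {"template.createFile", "template.apply"}

def scan(log_text):
    """Return (client_ip, rule) findings; parse_qs decodes %5B/%5D and '+'."""
    findings, sqli_sources = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, uri, status = m.groups()
        parts = urlsplit(uri)
        params = parse_qs(parts.query, keep_blank_values=True)
        option = params.get("option", [""])[0]
        task = params.get("task", [""])[0]
        if method == "GET" and option == "com_contenthistory" and "list[select]" in params:
            rule = "list-select"
            if ERROR_BASED_RE.search(params["list[select]"][0]):
                rule += "+error-based"
            if status == "500":
                rule += "+http-500"
            sqli_sources.add(ip)
            findings.append((ip, rule))
        elif (method == "POST" and parts.path.endswith("/administrator/index.php")
              and option == "com_templates" and task in TEMPLATE_TASKS):
            # A template write matters most when the same client probed list[select] first.
            rule = "template-write-after-sqli" if ip in sqli_sources else "template-write"
            findings.append((ip, rule))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A plain `template-write` finding also matches legitimate administrator activity, so it is useful mainly when the source address is unexpected or when it correlates with an earlier `list-select` hit.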

CVSS provenance

nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck | 7.5 | HIGH