CVE-2017-8917
published 2017-05-17

CVE-2017-8917: SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows attackers to execute arbitrary SQL commands via unspecified vectors.

Priority: P183 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit code available (see Detection & IOCs below)
EPSS: 99.83% (100.0th percentile)

Affected (1 range)

Vendor: joomla
Product: joomla! (CPE product slug "joomla\!")
Version range: 3.7.x before 3.7.1 (in practice only 3.7.0, the release that introduced com_fields)
Fixed in: 3.7.1

Detection & IOCs (extracted from sources)

URL (error-based probe): http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27
Command (sqlmap): sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
URL (Nuclei template request): {{BaseURL}}/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(0x23,concat(1,md5({{num}})),1)
Path: /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=
IDS rule (ET Open sid 2024342; note the `alert http` / `http.uri` sticky-buffer form is Suricata syntax, not Snort 2 `http_uri` syntax, so load it on Suricata 5 or later):
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla 3.7.0 - Sql Injection (CVE-2017-8917)"; flow:established,to_server; http.uri; content:".php?"; content:"option="; content:"view="; content:"layout="; content:"&list[fullordering]="; fast_pattern; pcre:"/&list\[fullordering\]=(?:[a-zA-Z0-9])*[\x22\x27\x28]/i"; reference:url,blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html; reference:cve,2017-8917; classtype:web-application-attack; sid:2024342; rev:6; metadata:affected_product Joomla, attack_target Web_Server, created_at 2017_06_01, cve CVE_2017_8917, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2024_03_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • The vulnerable parameter is `list[fullordering]` in a GET request to `/index.php` with `option=com_fields`, `view=fields`, and `layout=modal`. Detection should focus on anomalous values in this parameter (quotes, parentheses, SQL keywords); a legitimate ordering value is a bare column name, optionally followed by ASC or DESC.
  • The Metasploit module exploits the SQLi to extract an active administrator session cookie from the `_session` table (rows with `userid` != 0), then replays it to authenticate as that administrator and writes a PHP webshell through the template editor. Monitor for unexpected PHP file creation in Joomla template directories following 500 responses on the com_fields endpoint.
  • Error-based SQLi payloads using UPDATEXML and CONCAT are characteristic of this exploit. An HTTP 500 response containing a MySQL XPATH error message with embedded data is a strong indicator of successful exploitation.
  • Time-based blind SQLi using SLEEP() in the `list[fullordering]` parameter can be detected by monitoring for abnormally delayed HTTP responses (e.g., 5+ seconds) on the com_fields endpoint.
  • Nuclei template detection: match the MD5 hash of a known numeric value reflected in the HTTP response body after injecting `updatexml(0x23,concat(1,md5(<num>)),1)` into `list[fullordering]`.
  • Shodan/FOFA queries can identify exposed Joomla instances for proactive asset discovery: `http.component:"Joomla"` or `body="joomla! - open source content management"`.
  • The vulnerability was introduced in Joomla 3.7.0 with the new `com_fields` component and was fixed in 3.7.1. Only Joomla instances running exactly 3.7.0 are vulnerable; earlier versions do not have the com_fields component.
  • The Metasploit RCE chain requires an active logged-in Administrator or Super User session to exist in the database at the time of exploitation; if no admin is logged in, session hijacking will fail and RCE will not be achievable. The SQLi itself still works and can read arbitrary data.
  • The SQLi is unauthenticated and exploitable without any prior login, making it accessible to any remote attacker with network access to the Joomla instance.
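The detection notes above, turned into a runnable log scanner. This is an added example, not code from the page's sources, the ET ruleset, Metasploit or Nuclei: it applies the ET rule's `list[fullordering]` pattern to web-server access logs, adds a broader SQL-keyword heuristic (an extension of the rule, assumed here), flags the 500-status and slow-response indicators, and includes the Nuclei-style check that md5(num) is reflected in the response body. The log lines and the error body are constructed for the example; the log format is assumed to be combined format with the request service time in seconds appended as a final field.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic, not real logs: combined log format with the request
# time (seconds) appended, as nginx's $request_time would produce (assumed format).
SAMPLE_LOG = """\
203.0.113.5 - - [17/May/2017:10:01:02 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=a.id HTTP/1.1" 200 5120 0.112
203.0.113.9 - - [17/May/2017:10:01:03 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27 HTTP/1.1" 500 2048 0.120
203.0.113.9 - - [17/May/2017:10:01:04 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(0x23,concat(1,md5(123456)),1) HTTP/1.1" 500 2300 0.118
203.0.113.9 - - [17/May/2017:10:01:05 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT%20SLEEP(5)) HTTP/1.1" 500 2048 5.341
198.51.100.2 - - [17/May/2017:10:02:00 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 9000 0.050
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ (?P<rtime>[\d.]+)$'
)

# Same shape as the ET rule's pcre: an alphanumeric run followed by a double quote,
# single quote or opening parenthesis at the start of the list[fullordering] value.
ET_VALUE_RE = re.compile(r'^[a-zA-Z0-9]*["\'(]')

# Broader heuristic than the rule (added here): SQL primitives used by the public
# error-based and time-based payloads; a legitimate ordering value never contains them.
SQL_KEYWORD_RE = re.compile(r"\b(updatexml|extractvalue|sleep|benchmark|concat|select|union)\b", re.I)

SLOW_THRESHOLD = 5.0  # seconds; the page's "5+ seconds" time-based indicator


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["rtime"] = float(entry["rtime"])
    return entry


def com_fields_ordering(target):
    """Return the decoded list[fullordering] value if the request hits the vulnerable
    com_fields modal layout, else None."""
    parts = urlsplit(target)
    if parts.path != "/index.php":
        return None
    q = parse_qs(parts.query)  # percent-decodes values; the literal key list[fullordering] is kept
    if q.get("option") != ["com_fields"] or q.get("view") != ["fields"] or q.get("layout") != ["modal"]:
        return None
    return q.get("list[fullordering]", [None])[0]


def classify(entry):
    """Return the indicator names that fire for one parsed entry (empty list = benign)."""
    ordering = com_fields_ordering(entry["target"])
    if ordering is None:
        return []
    indicators = []
    if ET_VALUE_RE.match(ordering):
        indicators.append("et_rule_pattern")
    if SQL_KEYWORD_RE.search(ordering):
        indicators.append("sql_keyword")
    if entry["status"] == 500 and indicators:
        indicators.append("error_based_500")  # payload plus server error: likely successful error-based SQLi
    if entry["rtime"] >= SLOW_THRESHOLD:
        indicators.append("time_based_delay")
    return indicators


def scan_log(text):
    """Return (ip, status, indicators) for every suspicious line in the log text."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        indicators = classify(entry)
        if indicators:
            findings.append((entry["ip"], entry["status"], indicators))
    return findings


def md5_reflected(body, num):
    """Nuclei-style matcher: is md5(num) reflected in the server's error output?"""
    return hashlib.md5(str(num).encode()).hexdigest() in body


if __name__ == "__main__":
    for ip, status, indicators in scan_log(SAMPLE_LOG):
        print(ip, status, ", ".join(indicators))
    # Constructed response body of the kind the Nuclei request above provokes.
    body = "XPATH syntax error: '" + hashlib.md5(b"123456").hexdigest() + "'"
    print("md5 reflected:", md5_reflected(body, 123456))
```

The first sample line is a legitimate ordering value (`a.id`) and fires nothing; the three lines from 203.0.113.9 fire the rule pattern and keyword checks, the 500 status adds the error-based indicator, and the 5.3 s line adds the time-based one. Running the same classifier over real logs needs only the log regex adjusted to the local format.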

CVSS provenance

NVD, CVSS v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)