CVE-2018-17254
published 2018-09-20

CVE-2018-17254: The JCK Editor component 6.4.4 for Joomla! allows SQL Injection via the jtreelink/dialogs/links.php parent parameter.

Priority: P188 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 82.98% (99.6th percentile)

Affected

1 range

Vendor          Product      Version range   Fixed in
arkextensions   jck_editor   -               -

Detection & IOCs (extracted from sources)

Path: /plugins/editors/jckeditor/plugins/jtreelink/dialogs/links.php
URL: /plugins/editors/jckeditor/plugins/jtreelink/dialogs/links.php?extension=menu&view=menu&parent="%20UNION%20SELECT%20NULL,NULL,@@version,NULL,NULL,NULL,NULL,NULL--%20aa
Command: GET /plugins/editors/jckeditor/plugins/jtreelink/dialogs/links.php?extension=menu&view=menu&parent="%20UNION%20SELECT%20NULL,NULL,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION(),md5({{num}})),NULL,NULL,NULL,NULL,NULL--%20aa HTTP/1.1
Snort rule:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT JCK Editor 6.4.4 SQLi Attempt (CVE-2018-17254)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/plugins/editors/jckeditor/plugins/jtreelink/dialogs/links.php"; nocase; content:"extension=menu"; distance:0; content:"view=menu"; nocase; content:"parent="; nocase; pcre:"/parent=[^&]*(?:S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/|EXEC)/Ui"; reference:url,www.exploit-db.com/exploits/49627; reference:cve,2018-17254; classtype:attempted-admin; sid:2033604; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_28, cve CVE_2018_17254, deployment Perimeter, confidence High, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
  • A Google dork can be used to identify exposed vulnerable endpoints on the internet
  • The exploit checks for successful injection by injecting the hex-encoded string 0x6861636b6564 ('hacked') and verifying that the base64-encoded response equals 'aGFja2Vk'
  • RCE shell-upload attempts write a randomly named .php file to common web roots via SQL INTO OUTFILE; detect unexpected .php file creation under web root paths
  • Nuclei template detection: match the md5 hash of a known numeric value in the HTTP response body to confirm a successful blind UNION-based SQLi
  • ET EXPLOIT Snort SID 2033604 fires on GET requests to the vulnerable path with SQL keywords in the parent parameter; deploy at the perimeter
  • The RCE via INTO OUTFILE will likely fail unless the MySQL user has the FILE privilege and the web root is writable; the exploit itself notes this
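The Snort rule above only sees live traffic; the following added example (not from the advisory or the JCK Editor project) applies the same SQL-keyword pattern from SID 2033604 to the URL-decoded parent parameter in web server access logs, so the check can be run retrospectively. The combined-log format, the sample lines and the function names are assumptions; the sample lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Vulnerable endpoint named in the advisory.
VULN_PATH = "/plugins/editors/jckeditor/plugins/jtreelink/dialogs/links.php"

# SQL-keyword alternation lifted from the ET rule's pcre (sid 2033604),
# applied here to the decoded parent value rather than the raw URI.
SQLI_RE = re.compile(
    r"(?:S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))"
    r"|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|/\*.+\*/|EXEC)",
    re.I | re.S,
)
# Flags the file-write variant the advisory mentions (INTO OUTFILE).
OUTFILE_RE = re.compile(r"INTO\s+OUTFILE", re.I)

# Minimal Apache/nginx combined-log parser: client, method, target, status (assumed format).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify(line):
    """Return None for a benign line, otherwise a dict describing the hit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, target, status = m.groups()
    parts = urlsplit(target)
    if parts.path.lower() != VULN_PATH:
        return None
    # parse_qs decodes once (what PHP's $_GET sees); decoding a second time
    # also catches double-encoded payloads.
    for raw in parse_qs(parts.query, keep_blank_values=True).get("parent", []):
        for candidate in (raw, unquote_plus(raw)):
            if SQLI_RE.search(candidate):
                return {"client": client, "method": method, "status": int(status),
                        "outfile": bool(OUTFILE_RE.search(candidate)), "parent": candidate}
    return None

def scan(lines):
    """Return every hit found in an iterable of access-log lines."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines: one UNION probe against the vulnerable path,
# one benign request to it, and one SQL-looking request to an unrelated path.
LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /plugins/editors/jckeditor/plugins/jtreelink/dialogs/links.php?extension=menu&view=menu&parent=%22%20UNION%20SELECT%20NULL,NULL,@@version,NULL,NULL,NULL,NULL,NULL--%20aa HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /plugins/editors/jckeditor/plugins/jtreelink/dialogs/links.php?extension=menu&view=menu&parent=12 HTTP/1.1" 200 340',
    '203.0.113.5 - - [10/Oct/2023:13:57:12 +0000] "GET /index.php?option=com_content&parent=%22%20UNION%20SELECT%201-- HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(hit)
```

A 200 status on a flagged request is worth correlating with the unexpected .php file-creation check listed above.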

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck   -         9.8     CRITICAL   -