Tuesday, August 2, 2016

Joomla SQL Injection Walk-Through

I saw this pastebin post with a Joomla SQL injection exploit Perl script that I thought was interesting enough to write a bit about.

Upon reviewing the code I see that the exploit constructs a URL such as

http://victim.com/index.php?option=com_jumi&fileid=93&Itemid=117+UNION+SELECT+1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from/**/jos_users+--+

This appears to exploit a Joomla com_jumi parameter called 'Itemid' that must not properly sanitize user input and thus allows SQL commands to be injected and executed against the database.

It's likely that behind the scenes the Joomla developers are performing a query on the database such as

   select |24 fields| from |itemtable| where Itemid = HttpRequest["ItemId"]

But since they aren't sanitizing the ItemId parameter, an attacker can enter a value such as the one below (notice the + signs above are simply a way to encode spaces in a URL, so I've removed them). Also notice that /**/ is just an empty comment and does nothing except obfuscate, so it can safely be removed for analysis. Also notice that 0x3a is the hex equivalent of the single colon character (:), so I've replaced it also for simplicity.

   ItemId=117 UNION SELECT 1,concat(username,':',password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 from jos_users --

So you see above that we first pass in an actual item id (117) so that the query returns at least a single record. Next there is a "union select", which means we're going to union or concatenate or join the results of the SQL query defined by the developer with a SQL query we are going to define. Now in order to union or combine 2 SQL queries the number of columns must match, thus the reason you see 24 columns (23 of them are integer values that the system would automatically cast/convert into string if needed). The attacker must know that column #2 is the one that the website displays on the screen in the HTML response, thus they choose to display their exfiltrated data in column #2. What they display is the username and password concatenated together from the jos_users table. It is likely the case that the 1st record in this table is the Joomla administrator, thus if this attack is successful, the administrative username and password will be displayed out to the browser.

To prevent this as a Sys Admin of a Joomla site, upgrade and patch as soon as patches are available. If you see active exploits, implement an IPS (intrusion prevention system) that allows you to block malicious-looking requests like this.

To prevent this as a web developer, use strongly typed parameterized SQL queries so that an Integer (like ItemId) cannot be converted into a string. Also utilize a standard security library that sanitizes or encodes malicious-looking characters like the +, /, *, or -.
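The developer-side fix, shown next to the concatenated query it replaces. This is an added example, not code from Joomla, com_jumi or the pastebin script: it uses Python with an in-memory SQLite database, a hypothetical 3-column `items` table in place of the 24-column one, constructed sample rows, and SQLite's `||` operator in place of MySQL's `concat()`.

```python
import sqlite3

# Simplified form of the injected value discussed above (3 columns, not 24).
PAYLOAD = "117 UNION SELECT 1,username||':'||password,3 FROM jos_users --"


def make_db():
    """Build an in-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE items (Itemid INTEGER, title TEXT, body TEXT);
        CREATE TABLE jos_users (username TEXT, password TEXT);
        INSERT INTO items VALUES (117, 'Welcome', 'Hello world');
        INSERT INTO jos_users VALUES ('admin', 'constructed-hash');
    """)
    return db


def lookup_vulnerable(db, item_id):
    # The request value is pasted into the SQL text, so anything after the
    # number is parsed as SQL (the pattern assumed in the pseudo-query above).
    sql = "SELECT Itemid, title, body FROM items WHERE Itemid = " + item_id
    return db.execute(sql).fetchall()


def lookup_hardened(db, item_id):
    # Strong typing: anything that is not a plain integer is rejected outright.
    try:
        value = int(item_id)
    except ValueError:
        return []
    # Parameter binding: the value travels as data and is never parsed as SQL.
    sql = "SELECT Itemid, title, body FROM items WHERE Itemid = ?"
    return db.execute(sql, (value,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))
    print("hardened:  ", lookup_hardened(db, PAYLOAD))
    print("legit id:  ", lookup_hardened(db, "117"))
```

With the concatenated query the second result column carries the row from `jos_users`; with the typed, bound parameter the same input returns nothing and a legitimate id still works.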

Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.