Joomla CMS 3.2-3.4.4 SQL injection vulnerability analysis-vulnerability warning-the black bar safety net

2015-10-27T00:00:00
ID MYHACK58:62201568354
Type myhack58
Reporter Anonymous (佚名)
Modified 2015-10-27T00:00:00

Description

Yesterday the Joomla CMS project released version 3.4.5. This version fixes a high-risk SQL injection vulnerability; versions 3.2 through 3.4.4 are affected. By exploiting it, an attacker can read sensitive information directly from the database and can even obtain a logged-in administrator's session and enter the site's back end directly.

0x01 Principle analysis

The Joomla CMS has a component for viewing the edit history of content (com_contenthistory). This function should be accessible only to administrators, but because of developer oversight, accessing it requires no corresponding permission. Requesting /index.php?option=com_contenthistory makes the server load the history-handling component, and program flow goes to the /components/com_contenthistory/contenthistory.php file:

```php
<?php
defined('_JEXEC') or die;

$lang = JFactory::getLanguage();
$lang->load('com_contenthistory', JPATH_ADMINISTRATOR, null, false, true)
    || $lang->load('com_contenthistory', JPATH_SITE, null, false, true);

require_once JPATH_COMPONENT_ADMINISTRATOR . '/contenthistory.php';
```

You can see that the component is loaded without any permission check. In Joomla, back-end components (those under /administrator/components/) generally check the permission corresponding to the component; for example, the back-end com_contact component does this:

```php
if (!JFactory::getUser()->authorise('core.manage', 'com_contact'))
{
    return JError::raiseWarning(404, JText::_('JERROR_ALERTNOAUTHOR'));
}
```

However, when handling the contenthistory component, the program performs no permission check at all; it simply initializes and sets the component-related configuration. The included file /administrator/components/com_contenthistory/contenthistory.php has the following content:

```php
<?php
defined('_JEXEC') or die;

$controller = JControllerLegacy::getInstance('Contenthistory', array('base_path' => JPATH_COMPONENT_ADMINISTRATOR));
$controller->execute(JFactory::getApplication()->input->get('task'));
$controller->redirect();
```

The program initializes the contenthistory component's controller class from JControllerLegacy and then directly calls the controller's execute() method. execute() in turn calls the controller's display() method, whose code is in /libraries/legacy/controller/legacy.php:

```php
public function display($cachable = false, $urlparams = array())
{
    $document   = JFactory::getDocument();
    $viewType   = $document->getType();
    $viewName   = $this->input->get('view', $this->default_view);
    $viewLayout = $this->input->get('layout', 'default', 'string');

    $view = $this->getView($viewName, $viewType, '', array('base_path' => $this->basePath, 'layout' => $viewLayout));

    // Get/Create the model
    if ($model = $this->getModel($viewName))
    {
        // Push the model into the view (as default)
        $view->setModel($model, true);
    }

    // (...Omitted...)

    if ($cachable && $viewType != 'feed' && $conf->get('caching') >= 1)
    {
        // (...Omitted...)
    }
    else
    {
        $view->display();
    }

    return $this;
}
```

The handler takes the view and layout parameter values from the request to initialize the view, calls $model = $this->getModel($viewName) to load the corresponding data model, and finally calls $view->display() to render the view.

The SQL injection vulnerability fixed in Joomla 3.4.5 involves the history view; that is, the injection occurs when the program processes view=history. During data retrieval the program enters the getListQuery() function in the /administrator/components/com_contenthistory/models/history.php file:

```php
protected function getListQuery()
{
    // Create a new query object.
    $db    = $this->getDbo();
    $query = $db->getQuery(true);

    // Select the required fields from the table.
    $query->select(
        $this->getState(
            'list.select',
            'h.version_id, h.ucm_item_id, h.ucm_type_id, h.version_note, h.save_date, h.editor_user_id,' .
            'h.character_count, h.sha1_hash, h.version_data, h.keep_forever'
        )
    )
        ->from($db->quoteName('#__ucm_history') . ' AS h')
        ->where($db->quoteName('h.ucm_item_id') . ' = ' . $this->getState('item_id'))
        ->where($db->quoteName('h.ucm_type_id') . ' = ' . $this->getState('type_id'))

        // Join over the users for the editor
        ->select('uc.name AS editor')
        ->join('LEFT', '#__users AS uc ON uc.id = h.editor_user_id');

    // Add the list ordering clause.
    $orderCol  = $this->state->get('list.ordering');
    $orderDirn = $this->state->get('list.direction');
    $query->order($db->quoteName($orderCol) . $orderDirn);

    return $query;
}
```

Note the following part of the SQL statement construction:

```php
$query->select(
    $this->getState(
        'list.select',
        'h.version_id, h.ucm_item_id, h.ucm_type_id, h.version_note, h.save_date, h.editor_user_id,' .
        'h.character_count, h.sha1_hash, h.version_data, h.keep_forever'
    )
)
    ->from($db->quoteName('#__ucm_history') . ' AS h')
    ->where($db->quoteName('h.ucm_item_id') . ' = ' . $this->getState('item_id'))
    ->where($db->quoteName('h.ucm_type_id') . ' = ' . $this->getState('type_id'))
```
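As an added example that is not part of the original article and is not Joomla's own code: a self-contained PHP sketch of how the query construction above can be hardened. The class name HistoryQueryBuilder, its build() method and the plain-string SQL rendering (in place of JDatabaseQuery) are assumptions made so the snippet runs on the PHP CLI without a Joomla install. The point it shows is that nothing taken from request-controlled model state is concatenated into the SQL text verbatim: item_id and type_id are validated as integers and bound as placeholders, the column list is fixed server-side rather than read from list.select, and the ordering column and direction are matched against a fixed allow-list instead of being passed through quoteName() and appended.

```php
<?php
// Added example (not Joomla code): a hardened counterpart to the getListQuery()
// pattern discussed above. HistoryQueryBuilder and its build() API are assumptions.

final class HistoryQueryBuilder
{
    /** Columns of #__ucm_history that may be selected or ordered by (allow-list). */
    private const COLUMNS = [
        'version_id', 'ucm_item_id', 'ucm_type_id', 'version_note', 'save_date',
        'editor_user_id', 'character_count', 'sha1_hash', 'version_data', 'keep_forever',
    ];

    /**
     * Build the history query from untrusted model state.
     *
     * @param array $state keys: item_id, type_id, ordering, direction (all request-controlled)
     * @return array{sql:string, params:array} SQL with named placeholders plus the bindings
     * @throws InvalidArgumentException when a value falls outside what the query allows
     */
    public static function build(array $state): array
    {
        // Integer identifiers: accept only non-negative integer strings, then bind them.
        $intOpts = ['options' => ['min_range' => 0]];
        $itemId  = filter_var($state['item_id'] ?? '', FILTER_VALIDATE_INT, $intOpts);
        $typeId  = filter_var($state['type_id'] ?? '', FILTER_VALIDATE_INT, $intOpts);
        if ($itemId === false || $typeId === false) {
            throw new InvalidArgumentException('item_id and type_id must be non-negative integers');
        }

        // Ordering column must be exactly one known column name (strict, case-sensitive match).
        $orderCol = $state['ordering'] ?? 'save_date';
        if (!in_array($orderCol, self::COLUMNS, true)) {
            throw new InvalidArgumentException('ordering is not a permitted column');
        }

        // Direction is a two-valued enum, never free text.
        $orderDirn = strtoupper((string) ($state['direction'] ?? 'DESC'));
        if (!in_array($orderDirn, ['ASC', 'DESC'], true)) {
            throw new InvalidArgumentException('direction must be ASC or DESC');
        }

        // The column list is fixed here; a request-supplied list.select is deliberately ignored.
        $select = implode(', ', array_map(static function (string $c): string {
            return 'h.' . $c;
        }, self::COLUMNS));

        $sql = sprintf(
            'SELECT %s, uc.name AS editor FROM `#__ucm_history` AS h '
            . 'LEFT JOIN `#__users` AS uc ON uc.id = h.editor_user_id '
            . 'WHERE h.ucm_item_id = :item_id AND h.ucm_type_id = :type_id '
            . 'ORDER BY h.%s %s',
            $select,
            $orderCol,
            $orderDirn
        );

        return ['sql' => $sql, 'params' => [':item_id' => $itemId, ':type_id' => $typeId]];
    }
}

// Constructed sample states, shaped the way request parameters would populate them.
$good = ['item_id' => '42', 'type_id' => '1', 'ordering' => 'save_date', 'direction' => 'asc'];
$bad  = ['item_id' => '42', 'type_id' => '1', 'ordering' => 'sha1_hash, h.version_data', 'direction' => 'asc'];

$q = HistoryQueryBuilder::build($good);
echo $q['sql'], PHP_EOL;   // ends in "ORDER BY h.save_date ASC"; ids travel as :item_id / :type_id
print_r($q['params']);

try {
    HistoryQueryBuilder::build($bad);   // a comma-separated column expression is not a column name
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The allow-list check uses strict in_array() on the whole string, which is what makes the second sample fail: quoting an identifier with quoteName() does not reject a value that is not a single identifier, whereas exact membership in a fixed column list does. The returned params array is meant to be passed to a prepared statement (for example PDO), so the integer values never become part of the SQL string at all.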
