Joomla SQL Injection Vulnerability Exploit Results in Full Administrative Access
Trustwave SpiderLabs researcher Asaf Orpani has discovered an SQL injection vulnerability in versions 3.2 through 3.4.4 of Joomla, a popular open-source Content Management System (CMS). Joomla had a 6.6 percent share of the market for website CMSs as of October 20, 2015 according to W3Techs—second only to WordPress. Internet services company BuiltWith estimates that as many as 2.8 million websites worldwide use Joomla.
CVE-2015-7297, CVE-2015-7857, and CVE-2015-7858 cover the SQL injection vulnerability and various mutations related to it.
CVE-2015-7857 enables an unauthorized remote user to gain administrator privileges by hijacking the administrator session.
Following exploitation of the vulnerability, the attacker may gain full control of the web site and execute additional attacks :
- The vulnerability can be exploited in Joomla versions 3.2 (released in November 2013) through version 3.4.4.
- Because the vulnerability is found in a core module that doesn’t require any extensions, all websites that use Joomla versions 3.2 and above are vulnerable.
- Asaf also uncovered the related vulnerabilities CVE-2015-7858 and CVE-2015-7297 as part of his research.
Trustwave SpiderLabs recommends that ALL Joomla users update their Joomla installations to version 3.4.5. Version 3.4.5 is dedicated to fixing this security issue and expected to be released Thursday, October 22 at approximately 14:00 UTC.
Notes For Trustwave Customers and ModSecurity Users :
- Trustwave WAF’s “Blind SQL Injection” rule detects this attack provided the rule is enabled. A dedicated, fine-tuned rule will be issued in an upcoming signature update (CorSigs 4.39).
- If it’s enabled, ModSecurity Commercial Rule Set rule 95007 blocks attempts to exploit this vulnerability. For Commercial Rule Set customers, a virtual patch will also be issued soon.
Technical Overview :
We discovered that the following code in /administrator /components /com_contenthistory/ models/history.php is vulnerable to SQL injection :
Several other code elements of Joomla contribute to the exploitation of this vulnerability. They are described in our detailed analysis. The following request is the final blow, as it returns the first active session key from the session table, found in the website database (considering the database Joomla tables name prefix are ‘jml_’) :
Executing this request on the Joomla site returns the following page :
Bingo! We’ve extracted the session ID from the database (we explain how below in our detailed analysis). By pasting the session ID we’ve extracted—that of an administrator in this case—to the cookie section in the request to access the /administrator/ folder, we’re granted administrator privileges and access to the administrator Control Panel :
The Road to the Joomla Admin Panel
Joomla is written in PHP and uses object-oriented programming (OOP) techniques and software design patterns. It stores data in a MySQL, MS SQL, or PostgreSQL database. Joomla’s features include page caching, RSS feeds, printable versions of pages, news flashes, blogs, search and support for language internationalization. Joomla is also used for e-commerce via a popular shopping cart template. Virtuemart.com is an e-commerce solution built on Joomla. Because the vulnerability is located in Joomla’s core module, e-commerce sites using VirtueMart are also vulnerable to exploit.
The code vulnerable to SQL injection is found in /administrator/components/com_
ContenthistoryModelHistory rep
The class ContenthistoryModelHistory inherits from JModelList, which is the parent class for all types of models that handle lists of items. Components will usually use different models to serve the specific functioning of the component within the application. This specific one states what it does in its declaration below :
To start, I found this piece of code “requiring” a PHP file that contains the content history module controller. The code was located in the administrator folder and, surprisingly, accessible by guests of the website. To execute this code, an attacker only needs to send a request with a parameter stating ‘contenthistory’ as the component he wants to access.
In other words, as a guest I can access this even though it requires a file from JPATH_COMPONENT_ADMINISTRATOR, obviously an item in the admin folder. Any access to the ‘admin zone’ will always draw a hacker’s attention.
In the contenthistory.php file found in the admin components folders, we can see that once contenthistory loads, a controller for the content history module is created allowing us to generate the view we want to see :
In the first line the code gets an instance of the content history module controller, and then on the second line it calls a function of the controller called execute and a parameter. The execute function leads us closer to our vulnerable model.
Below you see the execute function’s code :
Remember the parameter task that was passed as an argument to the execute function? Well, if you don’t pass any value, the default value is display. That code shows us that the function display is being called in the controller.
And here’s that function :
In the display function I find a getModel function. Digging further into this function makes me realize that a model is created there according to user-supplied parameters. As you can see at the beginning of the display function, the view Name parameter, which is passed to the getModel function, is coming from user input.
So after supplying the component(‘option’) and view parameters in the URL as described in the POC, we’ve got our hands on the vulnerable model. Since there was arequire_once call to the admins folder where the model is found, it’s easy to guide Joomla in creating the desired model, and that model has now been setModel-ed into the configuration.
Now that I can control the model the following question arises, can I also force the execution of the vulnerable code with which we started?
From personal experience and after researching Joomla, I understood something regarding models in Joomla.
Here’s the vulnerable code again :
The getListQuery function is an auxiliary function of the model that helps build an SQL query whenever the ‘items’ of that model need to be retrieved from the database. One objective of the display function is to create the requested page content. The initial assumption of the displaying process is that model ‘items’ are being retrieved from the database because they are an essential part of the requested page content. That’s why the getListQuery function is called as part of this long process.
Now that we understand why that function is executed, there is still something that needs explaining. The query is being ‘made’, and the highlighted area (where we inject SQL) is at the ‘SELECT’ part of the SQL query. Common sense tells us that this SQL query will be executed later—and so it does when testing the exploit on a test site of Joomla on a local computer.
But, what is the expression $this->getState(‘list.select’,…)? And how do we control it? After all, this is a potential place in which to inject the SQL query.
First of all, note that the second long parameter in the getState() function is just a ‘default value’ parameter. This means that if no value is given in ‘list.select’ then this will be the value.
Here you see the getState() function implementation :
The return value of the getState() function in our case is the return value of a get()function, returning a value indexed to the configuration entry provided in $propertyparameter, which in our case is ‘list.select’.
An interesting function populateState() draws my attention because of its name and the fact that it’s only called the first time getState() is executed.
And here’s that populateState() function :
In examining this flow I see that the setState() function calls, setting different values of entries in the model configuration. Although no control of the state ‘list.select’ entry is found! This is a bad situation, we need to control it because this is what’s injected into the SQL query after all.
There’s still hope! A call for the parent function of populateState is seen here :
You’ll see the function getUserStateFromReque
It does some filtering and handling for the keys fullordering, ordering and limit. Those three keys do not relate to our case at all. However, looking at the default case, we can see how simple our attack is going to be! We find that $value is kept as it was as if it’s none of the above switch{} cases (fullordering, ordering or limit), and then it sets the state (setState()) of ‘list.select’ to the value we passed, which means our input is left untouched! And all we’ve got to do is simply pass the list array in the request with a key name of ‘select’ and the SQL expression we want to inject!
Bravo! We executed a successful SQL injection attack in one of the most-popular web CMS applications out there—Joomla! Now onto doing something interesting with that…
SQL INJECTION Proof of Concept :
The road from our SQL injection to “game over” is very short.
Since our SQL injection exploits a SELECT type of query we will only be able to extract data from the database and not insert any data, which is limiting. After all, not all of the data in the database is interesting. In the users table the password is hashed, and since MD5 can’t really be reverted we’re kind of stuck.
Then, an interesting table in Joomla caught my eye :
I chose the prefix ‘jml_’ for the tables in the database when I installe Joomla. To my surprise, there is a table called jml_session that handles all live sessions on the website. This means that if an administrator is currently part of a live session, it would be listed.
There is also this table :
An easy way to determine if an admin is logged in is to take the client_id that we extract from jml_session, look for the same user_id in the table jml_user_usergroup_map a
The number eight, for example, represents a Super User, as shown in this table in the Joomla Administration Panel :
Sending a normal request, like we did with the POC, including a parameter “1” in list[select] presents this page in Joomla :
(GET index.php?option=com_
This is weird as all we did is enter 1, so logically it should do SELECT 1 which will always work no matter what the rest of the query is. But, we still get an error of “Unknown colum ‘Array'”. Hmm, OK…
We can’t really work like that! We need to know what full query is being executed. In order to know how to work with it, we’ll debug our vulnerable code and see what query is generated.
This resulted in the following :
Ok, so the part we inject will be colored in yellow and we notice something else that is quite annoying about the query and will make us have to work harder. But no worries, we like challenges!
The query is multi-lined, meaning that we can’t just comment it all out. All we can comment is everything after the ‘SELECT’ word at the first line. Then we need to figure out how to address the other 4 lines.
Okay, so that gives us the following issues we have to deal with :
- The query will only pull data from the table jml_ucm_history (meh…)
- We have to learn how to get rid of that “ORDER BY Array” or how to make the query according to that.
- The query will execute ONLY if there will be a row in the database at jml_ucm_history where `ucm_item_id` will be equal to 0 AND `ucm_type_id` will be equal to 0.
These seem like some tough and annoying conditions, but we soon find that we can overcome them easily.
If you have some experience with SQL injection, you can already solve the first issue. After thinking about it I decided upon an Error-based SQLi! Since we saw that Joomla prints SQL errors on their page, an error-based SQLi will be successful here. We can run multiple queries to cause an error that will extract data from the database.
Alright now, about that last line “ORDER BY Array”, we have previously gotten an error “Unknown column Array”, well, that’s the line giving us trouble. Researching the code a little bit more and following the build of the query, I figured out that to address this line you should give another input in the URL which will be a part of our ‘list’ array. It islist[ordering]= (equals nothing). Setting it equal to nothing will put an order by command as default that will not interrupt our error-based SQLi session. That takes care of the second issue.
For last obstacle, the ucm_item_id and ucm_type_id, well, what is it?
I checked out the jml_ucm_history table to see :
There are more columns in the table, but I’ve only included the relevant ones above.
Let’s not forget purpose of the component in which we found the injection. It’s a content management history component after all—every piece of content that managed or modified in some way is recorded here.
Obviously we would have to supply the modified content’s ID and type because Joomla needs to know on what content to pull out information. If one of those conditions are false the query will not execute. I found out it’s not hard at all to supply correct IDs—it involves some guesswork, but the range is very small (although there is a better solution within the website itself, which we’ll cover in a bit).
- ucm_type_id relates to the item’s content type’s id, content types usually range from 1-20+ identifying the type of content (e.g., article, gallery, video, etc).
- ucm_item_id relates to the item’s id. For example, a new article is assigned an item id. The range for item ids is small as well because every article you create has its item id incremented from the last content item. The numbering always starts from one, which can be seen from a normal Joomla installation’s populated database, or an empty Joomla installation after creating an article or piece of content.
After researching the code flow for building the query a little more, we find that to supply both parameters we need to pass the following parameters in the request :
- type_id – The item’s content type ID
- item_id – The item’s ID
Accessing the content component of the Joomla-based website (?option=com_content), would usually give you a list of all contents available on the site. If it doesn’t, you can simply look for an article or some gallery found on the website and click on it.
Then you’d see you’re visiting a URL that looks something like this :
Here you see a new post released on the Joomla! Website. As I explained above, this means that it must be recorded in the jml_ucm_history table of the database. By examining the URL you can see that the item_id of that post is 5633. Half of our work is done. Guessing the type_id should be easy. We could insert a sleep() function within our SQL injection. That way if we guess the correct item_id and the type_id is true, the loading of the page will be delayed.
That solves third and last issue. We know it’s not so hard to reach all requirements for the SQL query to work, and we can easily understand by the website’s behavior if we’re on the right path to full website compromise.
Now, let’s pull out the first row from the session table just to test using the error-based SQLi discussed earlier.
After some attempts to get the query to run we might see this :
GET index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1 &list[select]= (select 1 FROM(select count(*),concat((select (select concat(session_id)) FROM jml_session LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)
The SQL query that will execute would look like this :
This is the result page we get :
Bingo! We have the session ID we wanted extracted from the database. Using the technique earlier using the jml_user_usergroup_map tab
And that’s it—we’ve compromised the website!
[su_box title=”About Trustwave” style=”noise” box_color=”#336588″]Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than 2.7 million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective data protection, risk management and threat intelligence. Trustwave is a privately held company, headquartered in Chicago, with customers in 96 countries.[/su_box]
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.