CVE-2022-23797 - SQL Injection Vulnerability in Joomla!

[princechaddha]

Is there an existing template for this?

• I have searched the existing templates.

Template requests

Description:
A critical SQL injection vulnerability was discovered in Joomla! versions 3.0.0 through 3.10.6 and 4.0.0 through 4.1.0. The issue stems from inadequate filtering of selected IDs in a request, which could lead to unauthorized database access, data manipulation, or disclosure.

Severity:
Critical (CVSS: 9.8, Vector: [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H])

EPSS:

• Score: 0.00142
• Percentile: 0.51012

Details:

• Assignee: security@joomla.org
• Vendor: Joomla

References:

• Joomla Security Centre Advisory

Patch URLs:

• No patch URLs available

Weaknesses:

• CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Shodan:

• Component: “Joomla”
• HTML Tag: “Joomla! - Open Source Content Management”
• CPE: “cpe:2.3:a:joomla:joomla!”

Vulnerable CPE:

• cpe:2.3:a:joomla:joomla!::::::::

OSS:

• No OSS information available

Anything else?

No response

[princechaddha]

/bounty $100

[algora-pbc]

💎 $100 bounty • ProjectDiscovery Bounty Available for CVE Template Contribution

Steps to Contribute:

• Claim attempt: Comment /attempt #11183 on this issue to claim attempt.
• Write the Template: Create a high-quality Nuclei template for the specified CVE, following our Contribution Guidelines and Acceptance Criteria.
• Submit the Template: Open a pull request (PR) to projectdiscovery/nuclei-templates and include /claim #11183 in the PR body to claim the bounty.
• Receive Payment: Upon successful merge of your PR, you will receive 100% of the bounty through Algora.io within 2-5 days. Ensure you are eligible for payouts.

Thank you for contributing to projectdiscovery/nuclei-templates and helping us democratize security!

Acceptance Criteria: The template must include a complete POC and should not rely solely on version-based detection. Contributors are required to provide debug data(-debug) along with the template to help the triage team with validation. Rewards will only be given once the template is fully validated by the team. Templates that are incomplete or invalid will not be accepted. Avoid adding code templates for CVEs that can be achieved using HTTP, TCP, or JavaScript. Such templates are blocked by default and won’t produce results, so we prioritize creating templates with other protocols unless exceptions are made.
You can check the FAQ for the Nuclei Templates Community Rewards Program here.

Add a bounty • Share on socials

Attempt	Started (GMT+0)	Solution
🔴 @mobley-trent	Nov 11, 2024, 11:05:11 AM	WIP

[mobley-trent]

/attempt #11183

Algora profile	Completed bounties	Tech	Active attempts	Options
@mobley-trent	11 bounties from 5 projects	Python, Rust, Go & more		Cancel attempt

[algora-pbc]

@mobley-trent: Reminder that in 4 days the bounty will become up for grabs, so please submit a pull request before then 🙏

[algora-pbc]

The bounty is up for grabs! Everyone is welcome to /attempt #11183 🙌

[ferasdour]

I don't know if this will help anyone, I'm not finding a default exploitable path on this sql injection, but here's what I've learned.

• Minimal details, just roughly saying a ids may cause sql injection.
• This appears to be the git fix for this vuln, along with other things, they change the way different IDs were accepted:
  joomla/joomla-cms@f49c451
• Asking for more details from JSST didn't work
• lots of other sql injections found in joomla were covered over in https://github.com/HoangKien1020/Joomla-SQLinjection
• I tried default installation, along with setting up the demo blog data
  -- I've tried to go various routes using the int ids to see if the changes in the array would allow this to no success
  -- string ids i wasn't able to inject
  -- null strings along with additional info into the array, didn't work from my attempts
  -- trying to use hex or number sequences, didn't work
  --- as long as it sees a string, it cuts it off still, wasn't able to inject, such as 0x2929292 would only show 0, but 00949494x0 would show 00949494.
  --- monitoring this from the pcaps to the database, I tried injecting module ids and names, as well as article ids, and found as mentioned above.
  -- Only with adding as specific php page to send the requested ids as manipulated strings, seemed to work.

To test, I just used docker compose:

services:

  joomla:
    image: joomla:4.1.0
    restart: always
    ports:
      - 3434:80
    environment:
      JOOMLA_DB_HOST: db
      JOOMLA_DB_USER: joomla
      JOOMLA_DB_PASSWORD: examplepass
      JOOMLA_DB_NAME: joomla_db
      JOOMLA_SITE_NAME: Joomla
      JOOMLA_ADMIN_USER: Joomla Hero
      JOOMLA_ADMIN_USERNAME: joomla
      JOOMLA_ADMIN_PASSWORD: joomla@secured
      JOOMLA_ADMIN_EMAIL: joomla@example.com
    volumes:
      - joomla_data:/var/www/html
    networks:
      - joomla_network

  db:
    image: mysql:8.0
    restart: always
    environment:
      MYSQL_DATABASE: joomla_db
      MYSQL_USER: joomla
      MYSQL_PASSWORD: examplepass
      MYSQL_RANDOM_ROOT_PASSWORD: '1'
      GENERAL_LOG: 1
      GENERAL_LOG_FILE: /var/lib/mysql/mysql-general.log
    volumes:
      - db_data:/var/lib/mysql
    networks:
      - joomla_network

volumes:
  joomla_data:
  db_data:

networks:
  joomla_network:

If someone does catch this, especially without hitting up the reporter as listed on the joomla site, I'd like to learn how to upgrade my skills. Thanks in advance.