如果攻击者能够读取 Joomla! 的数据库,他会造成多大伤害吗?
一段时间后,我发现我的网站上使用的组件有一个未过滤的参数,在以下设置的 WHERE 条件下:
- 使用 Joomla! 1.5,最新更新。
- 该组件是定制的,相当小,在阅读其源代码后,我无法识别任何其他安全缺陷。
- 攻击者正在使用 SQLMap 来完成他们的工作,正如我在日志中看到的它的用户代理一样。
- MySQL版本是5.1.11
- PHP版本是5.1.4
- 数据库用户有USAGE权限。
- 服务器操作系统为Linux。
在我自己的机器上尝试相同的步骤后,我能够读取数据库(因为我不是 sql 注入方面的专家,所以我不确定这就是我能做的全部)。
我主要担心的是会话表,攻击者是否能够从中冒充用户?除此之外,他是否有可能将一些有效负载上传到我的服务器?
另外,他是否可以通过此 SELECT 查询“神奇地”更新某些字段? (没有可用的堆叠查询)。
提前致谢。
I found out after a while that a component used on my website had an unfiltered parameter, in a WHERE condition in the following settings:
- Using Joomla! 1.5, latest update.
- The component is custom made, fairly small, and after reading its source I couldn't indentify any other security flaws.
- The attacker was using SQLMap to do their work, as I saw its user-agent in the log.
- MySQL version is 5.1.11
- PHP version is 5.1.4
- The database user has USAGE privilege.
- The server OS is Linux.
After trying the same steps on my own box, I was able to read the database (and since I'm not an expert in sql injection I'm not sure that was all I could do).
My worry is mostly about the session table, would the attacker be able to impersonate a user from it? Aside from that, is there any chance he could have uploaded some payload to my server?
Also, could he have "magically" updated some field through this SELECT query? (No stacked queries available).
Thanks in advance.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
![扫码二维码加入Web技术交流群](/public/img/jiaqun_03.jpg)
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
如果您可以读取数据库,则可以使用 SQLMap 转储它并找到管理员密码的哈希值。
通过该哈希值,攻击者可以破解它(或者如果是 MD5,则可以相当快地找到冲突)并登录到您的管理员帐户。
从那时起,您的管理员帐户就被搞砸了。攻击者拥有管理员权限,因此请考虑您的网站已死亡。更糟糕的是,如果 Joomla 就像 Wordpress,攻击者可以在主题中使用自定义 PHP 代码,这允许他们下降到操作系统级别并修改您的 Joomla 安装。
简而言之,他们可以搞砸您的服务器,因为 Joomla 在运行时会执行任意 PHP 代码。
If you can read the database, you can dump it with SQLMap and find the hash of the administrator's password.
With that hash, the attacker could crack it (or if it is MD5, find a collision fairly quickly) and login into your administrator account.
From there, your admin account is screwed. The attacker has admin privileges, so consider your site dead. Worse than that, if Joomla is like Wordpress, the attacker can use a custom PHP code in the theme, which allows them to drop to OS level and modify your Joomla installation.
In short, they can screw up your server, as Joomla executes arbitrary PHP code when it is run.