Script http-vuln-cve2017-8917

Script types: portrule
Categories: vuln, intrusive
Download: https://svn.nmap.org/nmap/scripts/http-vuln-cve2017-8917.nse

Script Summary

An SQL injection vulnerability affecting Joomla! 3.7.x before 3.7.1 allows unauthenticated users to execute arbitrary SQL commands. The vulnerability was introduced by a new component, com_fields, added in version 3.7. Because this component is publicly accessible, the flaw can be exploited by anyone who can reach the site.

The script attempts to inject an SQL statement that runs the user() information function on the target website. A successful injection will return the current MySQL user name and host name in the extra_info table.

This script is based on a Python script written by brianwrf.

References:

Script Arguments

http-vuln-cve2017-8917.uri

The webroot of the Joomla installation

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

vulns.short, vulns.showall

See the documentation for the vulns library.

Example Usage

  • nmap --script http-vuln-cve2017-8917 -p 80 <target>
  • nmap --script http-vuln-cve2017-8917 --script-args http-vuln-cve2017-8917.uri=joomla/ -p 80 <target>

Script Output

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-vuln-cve2017-8917:
|   VULNERABLE:
|   Joomla! 3.7.0 'com_fields' SQL Injection Vulnerability
|       State: VULNERABLE
|     IDs:  CVE:CVE-2017-8917
|     Risk factor: High  CVSSv3: 9.8 (CRITICAL) (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
|       An SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows attackers
|       to execute aribitrary SQL commands via unspecified vectors.
|
|     Disclosure date: 2017-05-17
|     Extra information:
|       User: root@localhost
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8917
|_      https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html
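As an added example (not part of the Nmap script or this page), a small Python parser for the script's normal output shown above: it pulls out the state, CVE ids, CVSS score and the MySQL user leaked in the extra information, and flags the case where that user is root, as in the sample, since that means the web application's database account runs with superuser privileges. The sample text is the output block from this page, embedded inline as constructed input.

```python
import re

# Constructed sample: the http-vuln-cve2017-8917 output block as printed on this page.
SAMPLE_OUTPUT = """\
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-vuln-cve2017-8917:
|   VULNERABLE:
|   Joomla! 3.7.0 'com_fields' SQL Injection Vulnerability
|       State: VULNERABLE
|     IDs:  CVE:CVE-2017-8917
|     Risk factor: High  CVSSv3: 9.8 (CRITICAL) (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
|       An SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows attackers
|       to execute aribitrary SQL commands via unspecified vectors.
|
|     Disclosure date: 2017-05-17
|     Extra information:
|       User: root@localhost
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8917
|_      https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html
"""

def parse_script_output(text, script="http-vuln-cve2017-8917"):
    """Return state, CVE ids, CVSSv3 score and leaked DB user from the named script's block."""
    in_block, body = False, []
    for line in text.splitlines():
        if line.startswith("| " + script + ":"):
            in_block = True          # the block starts at the "| <script>:" header line
            continue
        if in_block:
            if not line.startswith("|"):
                break                # nmap's table ends when the "|" prefix stops
            body.append(line.lstrip("|_ ").rstrip())   # drop the "|"/"|_" prefix
    result = {"state": None, "cves": [], "cvss": None, "db_user": None}
    for entry in body:
        m = re.match(r"State:\s*(\S+)", entry)
        if m: result["state"] = m.group(1)
        result["cves"] += re.findall(r"CVE:(CVE-\d{4}-\d+)", entry)
        m = re.search(r"CVSSv3:\s*([\d.]+)", entry)   # score, not the CVSS:3.0/... vector
        if m: result["cvss"] = float(m.group(1))
        m = re.match(r"User:\s*(\S+)", entry)          # the user()@host the injection returned
        if m: result["db_user"] = m.group(1)
    return result

def db_user_is_privileged(user):
    """True when the leaked user is root@<host>: the site queries MySQL as the superuser."""
    return user is not None and user.split("@", 1)[0] == "root"
```

A root database user in the extra information is a second finding on its own: beyond patching to 3.7.1, the site should be given a least-privilege MySQL account.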

Requires


Author:

  • Wong Wai Tuck

License: Same as Nmap--See https://nmap.org/book/man-legal.html