## https://sploitus.com/exploit?id=859DDDDE-A7E4-540E-A363-913B6AA53FB5
# CVE-2017-8917 Joomla SQLi PoC
This repository contains a simple, CTF-friendly proof of concept (PoC) for the Joomla
`com_fields` SQL injection vulnerability (CVE-2017-8917). The goal is to keep the workflow
lightweight while still showing the full exploitation flow: detection, enumeration, and
data extraction.
## CVE-2017-8917 Overview
**Vulnerability**: SQL injection in Joomla's `com_fields` component.
**Root cause**: The `list[fullordering]` parameter is not properly sanitized, allowing SQL
to be injected into the generated query. When crafted with an error-based payload (e.g.,
`UpdateXML`), the SQL result can be surfaced in the response, enabling data extraction.
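As an added example (not Joomla's code and not part of this PoC), the hardened handling that this class of bug needs: `list[fullordering]` must be validated against an allowlist of column/direction pairs before it reaches `ORDER BY`, rather than concatenated into the query text. The column allowlist, table layout and sample rows below are assumptions for the demonstration.

```python
import re
import sqlite3
from typing import Optional

# Added example, not Joomla's own code: the fix class CVE-2017-8917 needed is to
# never splice list[fullordering] into ORDER BY unchecked. The column allowlist
# and the sample table below are assumptions for the demonstration.
ALLOWED_COLUMNS = {"a.id", "a.title", "a.state", "a.ordering"}
ORDERING_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_.]*)\s+(ASC|DESC)$", re.IGNORECASE)
DEFAULT_ORDERING = "a.ordering ASC"


def validate_fullordering(value: str, allowed=ALLOWED_COLUMNS) -> Optional[str]:
    """Return a canonical 'column DIRECTION' if value is an allowed ordering, else None."""
    m = ORDERING_RE.match(value.strip())
    if not m:
        return None  # anything but a bare 'column ASC|DESC' pair is rejected
    column, direction = m.group(1), m.group(2).upper()
    if column not in allowed:
        return None  # unknown column names are rejected even if syntactically clean
    return f"{column} {direction}"


def build_query_unsafe(fullordering: str) -> str:
    # The vulnerable shape: request input concatenated straight into the SQL text.
    return "SELECT id, title FROM fields AS a ORDER BY " + fullordering


def build_query_safe(fullordering: str) -> str:
    # The hardened shape: only an allowlisted ordering ever reaches the query text;
    # anything else falls back to the default instead of trusting the request.
    ordering = validate_fullordering(fullordering) or DEFAULT_ORDERING
    return "SELECT id, title FROM fields AS a ORDER BY " + ordering


def run_safe(fullordering: str):
    """Run the hardened query against a constructed in-memory table; return titles in order."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE fields (id INTEGER, title TEXT, state INTEGER, ordering INTEGER)")
    con.executemany("INSERT INTO fields VALUES (?, ?, ?, ?)",
                    [(1, "alpha", 1, 2), (2, "zeta", 1, 1)])
    rows = con.execute(build_query_safe(fullordering)).fetchall()
    con.close()
    return [title for _, title in rows]
```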
**How it is exploited (high level)**:
1. Send a crafted request to `index.php?option=com_fields&view=fields&layout=modal` with
the `list[fullordering]` parameter set to a malicious payload.
2. Use error-based functions (like `UpdateXML`) to force the database to echo results.
3. Parse the response (in this PoC, the `<title>` tag) and extract the injected output.
4. Iterate queries to enumerate version, database name, tables, columns, and rows.
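From the defender's side, the request shape described above is easy to spot in web server access logs. The following added example (not part of this PoC) scans constructed common-log-format lines for `com_fields` requests whose `list[fullordering]` value is not a plain `column ASC|DESC` pair or contains error-based function names; the log lines, IPs and the `PLACEHOLDER` value are constructed, not a real payload.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log lines (not from any real server). The second and
# fourth lines carry a list[fullordering] value that no legitimate client sends.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2025:10:00:01 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=a.title%20ASC HTTP/1.1" 200 5120
10.0.0.9 - - [12/May/2025:10:00:02 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml%28PLACEHOLDER%29 HTTP/1.1" 500 812
10.0.0.7 - - [12/May/2025:10:00:03 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 9000
10.0.0.11 - - [12/May/2025:10:00:04 +0000] "GET /index.php?option=com_fields&view=fields&list%5Bfullordering%5D=a.title%20ASC%2C%20a.id HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# What a legitimate ordering value looks like: one column token and a direction.
SAFE_ORDERING_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*\s+(ASC|DESC)$", re.IGNORECASE)
# Error-based SQLi tells: the functions named on this page plus quoting/grouping chars.
SUSPECT_RE = re.compile(r"updatexml|extractvalue|\(|'|--", re.IGNORECASE)


def inspect_line(line: str):
    """Return a finding dict for a suspicious com_fields request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    params = parse_qs(query, keep_blank_values=True)  # decodes list%5Bfullordering%5D too
    if params.get("option", [""])[0] != "com_fields":
        return None
    for value in params.get("list[fullordering]", []):
        if not SAFE_ORDERING_RE.match(value) or SUSPECT_RE.search(value):
            return {"ip": m.group("ip"), "time": m.group("ts"),
                    "status": m.group("status"), "value": value}
    return None


def scan(log_text: str):
    """Run inspect_line over every line and collect the findings."""
    return [f for f in (inspect_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A 500 status on such a request is a second signal worth correlating, since the error-based technique relies on the database raising an error that the page reflects.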
## Key Code Paths
Below are the most critical components.
### `Settings`
The `Settings` dataclass centralizes the minimal configuration needed to run the PoC.
For CTFs and labs, the script assumes HTTP on port 80 and builds the base URL from
`--host`. Keeping this small keeps the tool simple.
### `JoomlaSQLiClient`
The `JoomlaSQLiClient` class encapsulates all exploit logic:
- **Session handling**: Uses `requests.Session()` so cookies and headers persist.
- **`fetch_title()`**: Sends a request and extracts the `<title>` value. The PoC uses
error-based SQLi to leak data into that tag, so this is the data extraction core.
- **`build_params()`**: Creates the vulnerable request parameters with the injected SQL.
- **`is_vulnerable()`**: Uses a trivial probe (`40 + 2`) to detect SQLi quickly.
- **Enumeration/Dump methods**: `list_tables()`, `list_columns()`, and `dump_table()`
automate the step-by-step data extraction process.
### `fetch_token()`
The CSRF token is extracted from the Joomla login page. While some scenarios may not
require it, many Joomla routes still enforce CSRF checks. Including it:
- Improves reliability against stricter setups.
- Makes the PoC more realistic.
- Lets you reuse the script even if a login flow or token check is enforced.
### `wrap_sqli()` and `encode_string()`
These helpers generate the actual injection payload:
- `wrap_sqli()` wraps a raw query in `UpdateXML(...)` to force error-based output.
- `encode_string()` converts strings to `CHAR(...)` expressions to avoid quoting issues.
### Chunked extraction (`dump_table()`)
Rows are concatenated with a separator and fetched in substrings to avoid truncation.
This keeps the output consistent even when row values are long.
## Usage
```bash
python main.py --host <host>
```
Optional debug output:
```bash
python main.py --host <host> --debug
```
## Expected Output (fill this in)
```
└─$ python exploit.py --host
EXPLOIT BY ztrxwzy.
INSPIRED BY THE POC FROM Baptiste Contreras.
[888] Target : http://10.66.187.202:80/index.php
[888] CSRF token : 3ec54b1b32b5dc2dd8186537821b8dc1
[888] http://10.66.187.202:80/index.php is vulnerable to SQLi
[888] Database version detected : 5.5.64-MariaDB
[888] Current database : joomla
[888] Tables in database joomla
```
## Credits & Author
- **Author**: ztrxwzy
- **Inspiration**: Portions of this PoC are inspired by the work of Baptiste Contreras:
https://github.com/BaptisteContreras/CVE-2017-8917-Joomla
## License
MIT License
Copyright (c) 2025 Jesús Caldera
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.