I found out after a while that a component used on my website had an unfiltered parameter, in a WHERE condition in the following settings:
- Using Joomla! 1.5, latest update.
- The component is custom made, fairly small, and after reading its source I couldn’t indentify any other security flaws.
- The attacker was using SQLMap to do their work, as I saw its user-agent in the log.
- MySQL version is 5.1.11
- PHP version is 5.1.4
- The database user has USAGE privilege.
- The server OS is Linux.
After trying the same steps on my own box, I was able to read the database (and since I’m not an expert in sql injection I’m not sure that was all I could do).
My worry is mostly about the session table, would the attacker be able to impersonate a user from it? Aside from that, is there any chance he could have uploaded some payload to my server?
Also, could he have “magically” updated some field through this SELECT query? (No stacked queries available).
Thanks in advance.
If you can read the database, you can dump it with SQLMap and find the hash of the administrator’s password.
With that hash, the attacker could crack it (or if it is MD5, find a collision fairly quickly) and login into your administrator account.
From there, your admin account is screwed. The attacker has admin privileges, so consider your site dead. Worse than that, if Joomla is like WordPress, the attacker can use a custom PHP code in the theme, which allows them to drop to OS level and modify your Joomla installation.
In short, they can screw up your server, as Joomla executes arbitrary PHP code when it is run.