That is normal wp crew behavior, I’m not surprised at all… For the future when you report this…

Well I’m currently an academic researcher, so I included the vulnerability and its PoC in a publication rather than in a blog post. Also, due to the sensitive nature of my work, I should not be developing exploits, even in the form of PoCs :D

But anyway yeah. Joomla has a method where they supposedly “lex” the SQL query to replace #__ with Joomla’s dynamic table prefix. They “lex” by counting quotations! So if there’s a quotation as data (e.g. “Jack’s Horse”) or if there’s a quotation in a comment (e.g. /* Jack’s horse*/) their lexer will silently fail and allow injection into the query as well as leakage of the dynamic table prefix.

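The failure mode described in the comment above, as an added example that is neither Joomla's code nor code from the post: a hypothetical quote-counting replacer for the `#__` placeholder next to a small state-machine lexer that tracks string literals and `/* */` comments. The function names, the prefix value and both queries are constructed for illustration, and MySQL-style backslash and doubled-quote escapes are assumed.

```python
PLACEHOLDER = "#__"  # table-prefix placeholder named in the post

def replace_by_quote_parity(sql, prefix):
    """Hypothetical quote-counting replacer: 'outside a string' == even quote count."""
    out, quotes, i = [], 0, 0
    while i < len(sql):
        if sql[i] in "'\"":
            quotes += 1
        if quotes % 2 == 0 and sql.startswith(PLACEHOLDER, i):
            out.append(prefix)
            i += len(PLACEHOLDER)
        else:
            out.append(sql[i])
            i += 1
    return "".join(out)

def replace_with_lexer(sql, prefix):
    """Replace the placeholder only outside string literals and /* */ comments."""
    out, i, n = [], 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch in "'\"":                      # string literal: copy through its real end
            j = i + 1
            while j < n:
                if sql[j] == "\\":           # backslash escape: skip the escaped char
                    j += 2
                elif sql[j] == ch and sql[j + 1:j + 2] == ch:
                    j += 2                   # doubled quote is an escaped quote
                elif sql[j] == ch:
                    break                    # closing quote
                else:
                    j += 1
            out.append(sql[i:j + 1])
            i = j + 1
        elif sql.startswith("/*", i):        # block comment: copy verbatim
            end = sql.find("*/", i + 2)
            end = n if end < 0 else end + 2
            out.append(sql[i:end])
            i = end
        elif sql.startswith(PLACEHOLDER, i):
            out.append(prefix)
            i += len(PLACEHOLDER)
        else:
            out.append(ch)
            i += 1
    return "".join(out)

# Constructed inputs: an apostrophe in a comment, and an escaped apostrophe in data.
PREFIX = "x7f3_"  # constructed prefix value
IN_COMMENT = "SELECT /* Jack's horse */ id FROM #__users WHERE note = '#__'"
IN_DATA = "SELECT id FROM #__a WHERE n = 'Jack\\'s Horse' AND s IN (SELECT id FROM #__b)"
```

With the parity version, the apostrophe in the comment flips the "inside a string" state, so the real table reference is left untouched while the `#__` inside the string literal is rewritten to the prefix; the lexer version gets both right.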