This vulnerability lets us escalate privileges in Joomla by registering a new user. For the 1.6.x/1.7.x versions no patched release has been issued so far, and 1.0.x/1.5.x/2.5.3+ are not vulnerable. Conveniently for us, Joomla 1.5.x (which is not patched) has the well-known token bug that lets you change the admin password, but that is another topic.
Let's focus on our own topic and exploit this vulnerability xD! Many websites use Joomla and have it. The bug lets us create a new user, but before that we must add a parameter to the registration form, which we can do with Firebug (a Firefox add-on). Look for a good candidate Joomla website.
Dork :: inurl:/index.php?option=com_users&view=registration
Exploit Code For use with Firebug :: <input value="7" name="jform[groups][]" />
Here we have a Joomla site; let's look at its source code to try to work out which version it is. I removed the domain from that screenshot, but you can recover it by looking at the logo xD!
Well, when viewing the source code we notice the META tag "Joomla - Open Source Content Management", which does not tell us which version it is, but it does suggest this Joomla is a current or almost current version. I mean that is what the phrase indicates, but it is no guarantee, because it can easily be deleted or changed. If you want to know the version, you can probably use the CMSEXPLORER program included in the BackTrack distributions. Now let's try to create a user; we have to find the user registration page, so type in the browser:
www.site-joomla.com/index.php?option=com_users&view=registration
Press F12 to open Firebug, then follow the steps in the image, and now we put in our little code from near the beginning of this post.
If you notice, this code goes between the "<dd> </dd>" tags because this version of Joomla uses those tags; you may find a Joomla without these tags, in which case you have to follow its structure and attach the code accordingly, to avoid failures xD! Regarding the code, notice the value="7": that puts us in the Administrators group, not the Super Users group, whose value is 8.
Then we press F12 or minimize Firebug, which we no longer need, and follow the steps in the image.
After registering we get a message saying to verify and confirm the registration at the email we provided; if it isn't there, check the spam folder.
Go to www.site-joomla.com/administrator and log in.
As you can see in the image, the Joomla version is 2.5.1, almost current, as we said at the beginning, and we can also see our administrator user xD! Now let's upload our shell.
This video demonstrates how to upload a shell on our Joomla sites.
P.S.:
- I forgot: we can also inject the parameter to escalate privileges in Joomla using Tamper Data (a Firefox add-on); you just have to add one more parameter to modify when the data is sent.
Exploit Code for Use with Tamper Data :: jform[groups][]=7
I'll upload a picture later to show how it's done.
- If anyone is wondering how many Joomla versions there are, these are they; if I'm wrong, someone let me know xD!
Joomla V. [1.0.x] - [1.5.x] - [1.6.x] - [1.7.x] - [2.5.x]
Author: pwnakil @ CL-Security
Yes, it's really good, but when I follow your steps it doesn't succeed.
So I want to ask you why I don't succeed like you?
I think it should be that the Joomla website you tried is not the version that has this vulnerability.
If you have a working Joomla site, you can block this by inserting this code into components/com_users/models/registration.php.
It only lets users register as Registered, but you can modify it to what you want.
// Prepare the data for the user object.
$data['email'] = $data['email1'];
$data['password'] = $data['password1'];
//BI INSERT THESE LINES HERE
// A legitimate registration carries no groups at all, so only check when the
// client sent some; cast to array so a scalar value cannot slip past the loop.
if (isset($data['groups']))
{
    foreach ((array) $data['groups'] as $bi)
    {
        // Anything other than group 2 (Registered) is rejected
        if ((int) $bi != 2)
        {
            $this->setError(JText::sprintf('COM_USERS_USER_BLOCKED', $user->getError()));
            return false;
        }
    }
}
//BI END OF INSERTION BLOCK
$useractivation = $params->get('useractivation');
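An added example, not code from the original post, the commenter, or Joomla itself: a Python model of the server-side check that the PHP snippet above performs, and of what the injected jform[groups][] parameter becomes once the request is decoded. PHP turns a form key like jform[groups][]=7 into a nested array before the model binds it, which is how the extra field reaches the user record; the parser below reproduces that decoding (approximately, ignoring PHP's key-name normalisation) so that a field allowlist can be applied to the decoded structure. The ALLOWED_FIELDS set, the function names and the sample POST body are my own assumptions and constructed data.

```python
"""Decode a urlencoded registration POST the way PHP does, then detect and strip
an injected groups parameter before anything is bound to a user record."""
import re
from urllib.parse import parse_qsl

# Fields the Joomla 2.5 registration form legitimately submits; treating this set
# as complete is an assumption of the example.
ALLOWED_FIELDS = {"name", "username", "email1", "email2", "password1", "password2"}
REGISTERED_GROUP = 2  # id of Joomla's "Registered" group, the value the fix above checks for

_KEY_RE = re.compile(r"^([^\[\]]+)((?:\[[^\[\]]*\])*)$")


def _next_index(container: dict) -> int:
    """Index PHP would assign to the next 'a[]=' element of this array."""
    ints = [k for k in container if isinstance(k, int)]
    return max(ints) + 1 if ints else 0


def _assign(container: dict, parts: list, value: str) -> None:
    """Walk/create nested dicts (PHP arrays) along parts and store value at the leaf."""
    key = parts[0]
    if key == "":                      # 'a[]' -> append with the next integer key
        key = _next_index(container)
    if len(parts) == 1:
        container[key] = value
        return
    child = container.get(key)
    if not isinstance(child, dict):    # a scalar at this position is overwritten, as in PHP
        child = {}
        container[key] = child
    _assign(child, parts[1:], value)


def php_parse_qs(body: str) -> dict:
    """Decode a urlencoded body into nested dicts as PHP builds $_POST:
    a[b][c]=1 -> {'a': {'b': {'c': '1'}}}, a[]=1&a[]=2 -> {'a': {0: '1', 1: '2'}}."""
    result: dict = {}
    for raw_key, value in parse_qsl(body, keep_blank_values=True):
        m = _KEY_RE.match(raw_key)
        if not m:                      # malformed bracket syntax: drop the pair
            continue
        parts = [m.group(1)] + re.findall(r"\[([^\[\]]*)\]", m.group(2))
        _assign(result, parts, value)
    return result


def is_group_injection(post: dict) -> bool:
    """Detection hook: the registration form never sends jform[groups], so its mere
    presence in a registration POST marks a privilege-escalation attempt."""
    jform = post.get("jform")
    return isinstance(jform, dict) and "groups" in jform


def sanitize_registration(post: dict) -> tuple:
    """Return (clean jform data, rejected keys). Keys outside ALLOWED_FIELDS are
    dropped, and the group list is fixed server-side so client input never chooses it."""
    jform = post.get("jform")
    if not isinstance(jform, dict):
        jform = {}
    rejected = sorted(str(k) for k in jform if k not in ALLOWED_FIELDS)
    clean = {k: v for k, v in jform.items() if k in ALLOWED_FIELDS}
    clean["groups"] = [REGISTERED_GROUP]
    return clean, rejected


# Constructed sample: a normal registration POST with the injected parameter appended.
SAMPLE_BODY = (
    "jform[name]=Alice&jform[username]=alice&jform[email1]=a%40example.test"
    "&jform[email2]=a%40example.test&jform[password1]=s3cret&jform[password2]=s3cret"
    "&jform[groups][]=7&option=com_users&task=registration.register"
)

if __name__ == "__main__":
    post = php_parse_qs(SAMPLE_BODY)
    print("injection detected:", is_group_injection(post))          # True
    clean, rejected = sanitize_registration(post)
    print("rejected:", rejected, "groups bound:", clean["groups"])  # ['groups'] [2]
```

The allowlist is the real defence: rejecting only `groups` would leave any other bindable column exposed, whereas dropping everything the form does not define and assigning the group on the server makes the client's choice irrelevant. `is_group_injection` is worth wiring to a log line, since a registration request that carries a groups field at all is a clear indicator of this attack.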
thanks a bundle..
fast and easy to use....
yup, work just fine for me..!!
thanks a bunch...... :)
thanks