Jul 12, 2012

Hacked Joomla! v. [1.6.x] [1.7.x] [2.5.0-2.5.2] - Escalation of Privileges

This vulnerability allows us to escalate privileges in Joomla when registering a new user. For the 1.6.x/1.7.x versions no patched releases have been issued so far, and 1.0.x/1.5.x/2.5.3+ are not vulnerable. For our comfort, though, Joomla 1.5.x (when not patched) has the well-known token bug that lets you change the admin password, but that is another topic.

Let us focus on our topic and exploit this vulnerability xD! Many websites that use Joomla have it. The bug lies in creating a new user, but before that we must add a parameter to the registration form, for which we can use Firebug (a Firefox add-on). Look carefully for a potential Joomla website.

Dork :: inurl:/index.php?option=com_users&view=registration
Exploit Code For use with Firebug :: <input value="7" name="jform[groups][]" />

Here we have a Joomla site, and we view its source code to perhaps find out which version it is.




I removed the domain from the screenshot, but you can work it out by looking at the logo xD! When viewing the source code we see the META tag "Joomla - Open Source Content Management", which does not tell us the version, but suggests that this Joomla is a current or almost current version. I say this going by the phrase, but it is no guarantee, since it can easily be deleted or changed. If you want to know the version, you can probably use the CMSEXPLORER program that is included in the Backtrack distributions. Now let's try to create a user. We have to find the user registration section, so type in the browser:

www.site-joomla.com/index.php?option=com_users&view=registration



As you can see, I fill out the form with my details and deliberately mistype my password. I did this so that when I submit the registration, the parameter (which we then inject) stays recorded in our registration session. Enter an existing e-mail address, because at the end they send you a registration confirmation link. Now we inject the parameter that is missing from the registration form in order to exploit the vulnerability.
Press F12 to open Firebug, then follow the steps in the image, and insert the small piece of code shown near the beginning of this post.



If you noticed, this code sits between "<dd> </dd>" tags because this version of Joomla uses those tags. You may find a Joomla without these tags; in that case follow its structure and adapt to it, to avoid failures xD! As for the code, "value=7" places us in the Administrators group rather than the Super Users group, which is value 8.


Now we press F12 or minimize Firebug, which we no longer need, and follow the steps in the image.


After registering we get a message telling us to verify and confirm the registration at the e-mail address we provided; if you cannot find the message, check the spam folder.


After confirming the registration, go to the Joomla administration panel.

www.site-joomla.com/administrator and we log in.



As we can see in the image, the Joomla version is 2.5.1, almost current as we said at the beginning, and we can also see that our user is an administrator xD! Now it is time to upload our shell.

This video demonstrates how to upload a shell on our Joomla sites.

Well, once they have their shell on the server they can do whatever they want. Maybe not root the server, but if there is a local root exploit, maybe they can make symbolic links (symlinks) to files of other users on the same server, or I don't know, you will see.

P.S.:

- I forgot: we can also inject the code to escalate privileges in Joomla using Tamper Data (a Firefox add-on); you just have to add one more parameter when modifying the data being sent.


Exploit Code for Use with Tamper Data :: jform[groups][]=7


I will upload a picture later so you can see how it works.


- If anyone is wondering how many versions of Joomla there are, these are the ones; if I'm wrong, someone let me know xD!


Joomla V.
[1.0.x] - [1.5.x] - [1.6.x] - [1.7.x] - [2.5.x]
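
For defenders, both variants above (the Firebug form field and the Tamper Data parameter) end up as the same `jform[groups][]` field in a com_users request, a field the registration form itself does not contain. The following detection check is an added example, not code from the original post or from Joomla; it assumes request targets and POST bodies are available (for example from a WAF or audit log), and the function names and sample records are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Added example: names and sample records below are constructed, not Joomla code.
# Matches jform[groups], jform[groups][] and jform[groups][0] after URL-decoding.
GROUPS_KEY = re.compile(r"^jform\[groups\](\[[^\]]*\])*$", re.IGNORECASE)


def requested_groups(url, body):
    """Return the group ids a com_users request tries to set, else [].

    url is the request target (path plus query string); body is the raw
    application/x-www-form-urlencoded POST body.
    """
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    form = parse_qsl(body, keep_blank_values=True)
    params = query + form
    # Only com_users requests matter; "option" may travel in query or body.
    if not any(k == "option" and v == "com_users" for k, v in params):
        return []
    return [v for k, v in params if GROUPS_KEY.match(k.strip())]


def scan(records):
    """Yield (client, groups) for each record that carries a groups field."""
    for client, url, body in records:
        groups = requested_groups(url, body)
        if groups:
            yield client, groups


# Constructed sample records (client, request target, POST body); the
# addresses come from the documentation range 192.0.2.0/24.
SAMPLE = [
    ("192.0.2.10", "/index.php?option=com_users&view=registration",
     "jform%5Bname%5D=alice&jform%5Busername%5D=alice"),
    ("192.0.2.66", "/index.php?option=com_users&view=registration",
     "jform%5Bname%5D=bob&jform%5Bgroups%5D%5B%5D=7"),
    ("192.0.2.67", "/index.php",
     "option=com_users&jform[username]=eve&jform[groups][0]=8"),
    ("192.0.2.11", "/index.php?option=com_content&view=article&id=3", ""),
]

if __name__ == "__main__":
    for client, groups in scan(SAMPLE):
        print(f"ALERT {client} registration request sets groups {groups}")
```

Any hit is worth reviewing regardless of the group id requested, since a self-registration request has no reason to name a group at all.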

Author: pwnakil @ CL-Security

Source: http://translate.google.com/translate?hl=th&sl=auto&tl=en&u=http%3A%2F%2Fcalebbucker.blogspot.com.es%2F2012%2F07%2Fhacked-joomla-v-16x17x250-252.html



2 comments:

neang said...

Yes, it is really good, but when I follow your steps I can't succeed.

So I want to ask you: why do I not succeed like you?

Sumate jitpukdebodin said...

I think it should be that the Joomla website you tried does not match the version that has this vulnerability.
