Jul 12, 2012

Hacked Joomla! v. [1.6.x] [1.7.x] [2.5.0-2.5.2] - Escalation of Privileges

This vulnerability allows us to escalate privileges joomla for registering a new user, for 1.6.x/1.7.x versions have not been issued so far no patch versions and 1.0.x/1.5.x/2.5.3 + are not vulnerable. but for our comfort the v. 1.5.x (which is not patched) joomla has the well-known bug of the token, you can change the admin pass, well that's another topic.

Let us focus on our own and exploit this vulnerability xD! Many websites use joomla have them. The bug is creating us a new user, but before that we must add a parameter to the registration form but can use Firebug (Firefox Addon For), look good and latent potential joomla website.

Dork :: inurl :/ index.php? Option = com_users & view = registration
Exploit Code For use with Firebug :: <input value="7" name="jform[groups][]" />

Here we have a joomla site and see its source code, to maybe be able to know which version is.

I deleted the domain from that page, but can remove it by looking at the logo xD! , Well we noticed that when viewing the source code we get the META tag "Joomla - Open Source Content Management" which does not tell us which version is, but possibly that joomla is a current or almost current version, I mean by the phrase is checked, but do not guarantee that it can easily delete or change, but if you want to know that version can probably be used CMSEXPLORER program that is included in the distributions of Backtrack. Now try to create a user, we have to look the part of users to check in, write in the browser:


As I will fill out forms with my details and apropósito erre now to write my password, I did this so that when I sent the parameter register (which then inject) to stay engraved in our recording session, and put an existing mail and in the end they send you a registration confirmation link now inject our parameter missing in the registration form in order to exploit the vulnerability happy.
Press F12 to open Firebug and then develop the steps of the image, and now we put our little code that is almost at the beginning of this post.

If they realize this code between the tags "<dd> </ dd>" is that this version of joomla use these types of labels, then maybe find a joomla without these tags, in this case have to do as its structure and attached to it, to avoid failures xD! with respect to the code, if they realize the "value = 7", that tells us that we be in the Administrators group and not the Super Users group is the value 8.

Well we press F12 or minimize the firebug that we no longer use, and do the steps in the image.

After checking in we get a message that says verify and confirm the registration in our email provided, and if not found in the area revizenlo post spam.

After confirming the registration panel administracionde accede joomla.

www.site-joomla.com/administrator and we login.

Come see in the image of the joomla version is 2.5.1, well almost now as we said in the beginning and we can also see our administrator user that is xD! Now is raise our shell.

This video demonstrate how to upload shell on our Joomla sites.

Well they have their shell on the server can do whatever they want, maybe not Rootear the server, and if maybe there is a Local Root can make symbolic links (symlink) files to other users who are on the same server or nose, and you will see.


- I forgot, we can also inject the code to escalate privileges in joomla using Tamper Data (addon for firefox), you just have to add one more parameter to change when sending data.

Exploit Code for Use with Tamper Data :: jform [groups] [] = 7

then you upload a picture, to see how is the question.

- If anyone is wondering how many versions of joomla, these are, if I'm wrong someone let me know xD!.

Joomla V.
[1.0.x] - [1.5.x] - [1.6.x] - [1.7.x] - [2.5.x]

Author: pwnakil @ CL-Security

Source: http://translate.google.com/translate?hl=th&sl=auto&tl=en&u=http%3A%2F%2Fcalebbucker.blogspot.com.es%2F2012%2F07%2Fhacked-joomla-v-16x17x250-252.html

If you like my blog, Please Donate Me


neang said...

yes is really good. but when i do like your step is can't success.

so, I want to ask you that why I do not success like you?

Sumate jitpukdebodin said...

I think it should be the joomla website that you tried to is not match the version that has this vulnerability.

István Borsányi said...

If you have a working Joomla site, you can block this by inserting this code to components/com_users/models/registration.php.
You can register users Registered only. But you can modify to what you want.

// Prepare the data for the user object.

$data['email'] = $data['email1'];
$data['password'] = $data['password1'];

foreach ($data['groups'] as $bi)
if ($bi != 2)
$this->setError(JText::sprintf('COM_USERS_USER_BLOCKED', $user->getError()));
return false;

$useractivation = $params->get('useractivation');

Margret Ruch said...

thanks a bundle..
fast and easy to use....
Crack Software Download | windows 10 pro keygen

tina tin said...

yup, work just fine for me..!!
thankls a bunch...... :)
Fully Software Plus | Norton Internet Security 2016 Crack Free Download

Romilda Gareth said...


Troy Flores said...

Web page size is an important aspect of modern Web design. ... Increasingly mobile-based Internet traffic causes many pages to display slowly on mobile. See more mobile version drupal

Karthika Shree said...

Thank you for taking the time to provide us with your valuable information. We strive to provide our candidates with excellent care and we take your comments to heart.As always, we appreciate your confidence and trust in us.
Java Training in Chennai

Freddie King said...

Thank you for taking the time and sharing this information with us. It was indeed very helpful and insightful while being straight forward and to the point.
Mc.gutscheine | startlr.com | saludlimpia

reginald surict said...

Great post. I also encourage you to read this information.