This vulnerability lets us escalate privileges in Joomla while registering a new user. No patched releases have been issued so far for the 1.6.x/1.7.x versions, and 1.0.x/1.5.x/2.5.3+ are not vulnerable. For our comfort, though, Joomla 1.5.x (which is not patched) has the well-known token bug that lets you change the admin password, but that's another topic.
Let us focus on the matter at hand and exploit this vulnerability xD! Many websites that use Joomla have it. The bug lets us create a new user, but before that we must add a parameter to the registration form, for which we can use Firebug (a Firefox add-on). Look for a good, potentially vulnerable Joomla website.
Dork :: inurl:/index.php?option=com_users&view=registration
Exploit Code For use with Firebug :: <input value="7" name="jform[groups]" />
Here we have a Joomla site, and we look at its source code to perhaps find out which version it is.
I deleted the domain from that page, but you can figure it out by looking at the logo xD! When viewing the source code we notice the META tag "Joomla - Open Source Content Management", which does not tell us which version it is, only that it is possibly a current or nearly current Joomla version. I say that because of the phrase, but it is no guarantee, since it can easily be deleted or changed. If you want to know the version, you can probably use the CMSEXPLORER program that is included in the Backtrack distributions. Now, to try to create a user, we have to find the user registration section; write in the browser:
Press F12 to open Firebug and then follow the steps in the image, and now we insert the little piece of code that is near the beginning of this post.
If you notice, this code goes between the "<dd> </dd>" tags because this version of Joomla uses those tags. You may find a Joomla without these tags, in which case you have to follow its structure and adapt to it, to avoid failures xD! As for the code, notice the "value=7": that tells us we will be in the Administrators group and not the Super Users group, which is value 8.
We press F12 or minimize Firebug, which we no longer need, and follow the steps in the image.
After registering we get a message telling us to verify and confirm the registration through the email address we provided; if you cannot find it in the inbox, check the spam folder.
www.site-joomla.com/administrator and we log in.
As we can see in the image, the Joomla version is 2.5.1, almost current as we said at the beginning, and we can also see that our user is an administrator xD! Now it is time to upload our shell.
This video demonstrates how to upload a shell on our Joomla sites.
- I forgot: we can also inject the code to escalate privileges in Joomla using Tamper Data (a Firefox add-on); you just have to add one more parameter when sending the data.
Exploit Code for Use with Tamper Data :: jform[groups] = 7
Later I will upload a picture so you can see how it looks.
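From the defender's side, the request described above stands out because the registration form has no groups field, so any jform[groups] value in a registration POST was added by the client. The following is an added example, not part of the original post: it checks a captured urlencoded form body for that field, and the function names and sample bodies are constructed for illustration.

```python
from urllib.parse import parse_qsl

# Group ids as given in the post: 7 = Administrators, 8 = Super Users.
PRIVILEGED_GROUPS = {"7": "Administrators", "8": "Super Users"}


def submitted_groups(body: str) -> list[str]:
    """Return every value sent under jform[groups] in a urlencoded form body.

    parse_qsl decodes percent-encoding first, so jform%5Bgroups%5D and the
    array forms jform[groups][] / jform[groups][0] are matched as well.
    """
    values = []
    for key, value in parse_qsl(body, keep_blank_values=True):
        key = key.strip()
        if key == "jform[groups]" or key.startswith("jform[groups]["):
            values.append(value.strip())
    return values


def review_registration(body: str) -> dict:
    """Classify one registration POST body for alerting."""
    groups = submitted_groups(body)
    privileged = sorted(
        {PRIVILEGED_GROUPS[g] for g in groups if g in PRIVILEGED_GROUPS}
    )
    return {
        "suspicious": bool(groups),  # the public form sends no groups field
        "groups": groups,
        "privileged": privileged,
    }


# Constructed sample bodies (hypothetical, not captured traffic).
SAMPLES = {
    "normal": "jform%5Bname%5D=alice&jform%5Busername%5D=alice"
              "&jform%5Bemail1%5D=a%40example.org",
    "plain": "jform[name]=bob&jform[username]=bob&jform[groups]=7",
    "encoded_array": "jform%5Bname%5D=eve&jform%5Bgroups%5D%5B%5D=8",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, review_registration(body))
```

The same check works as a server-side rule: drop or reject the field before the registration data is bound to the user record, and alert when it appears.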
- If anyone is wondering how many versions of Joomla there are, these are them; if I'm wrong, someone let me know xD!
Joomla V. [1.0.x] - [1.5.x] - [1.6.x] - [1.7.x] - [2.5.x]
Author: pwnakil @ CL-Security