New Vul In Joomla Full Tut
This vulnerability allows us to escalate privileges in Joomla when registering a
new user. No patch has been issued so far for the 1.6.x/1.7.x versions,
and versions 1.0.x/1.5.x/2.5.3+ are not vulnerable. For our
comfort, though, Joomla v1.5.x (which is not patched) has the well-known token bug, with which you can change the admin password, but that's another topic.





Let us focus on our own topic and exploit this vulnerability xD! Many websites that use Joomla have it. The
bug is triggered when creating a new user, but before that we must add a parameter
to the registration form, for which we can use Firebug (a Firefox add-on). Look
for a good, potentially vulnerable Joomla website.
Dork :: inurl:/index.php?option=com_users&view=registration
Exploit Code For use with Firebug :: <input value="7" name="jform[groups][]" />
Here we have a Joomla site, and we view its source code to see whether we can tell which version it is.


[Image: 1.jpg]


[Image: 2.jpg]
I deleted the domain from that page, but you can work it out by looking at the logo xD!
Well, when viewing the source code we notice the META tag
"Joomla - Open Source Content Management", which does not tell us which
version it is, only that it is possibly a current or almost current
Joomla version. I say that going by the phrase, but it is no guarantee, since the tag
can easily be deleted or changed. If you want to know the version, you can
probably use the CMSEXPLORER program that is included in the Backtrack distributions. Now we try to create a user; for that we have to find the user registration section, so write in the browser:
www.site-joomla.com/index.php?option=com_users&view=registration


[Image: 3.jpg]

I fill out the form with my details and deliberately make a mistake when
typing my password. I did this so that when I send the registration with the parameter
(which we then inject), it stays recorded in our session. Put in
an existing e-mail address, since at the end they send you a registration
confirmation link. Now we inject our missing parameter into the registration
form in order to exploit the vulnerability.
Press F12 to open Firebug and follow the steps in the image, and now we put in our little code that is near the beginning of this post.


[Image: 4.jpg]

If you noticed, this code goes between the "<dd> </dd>" tags because
this version of Joomla uses that type of tag. You may find a
Joomla without these tags; in that case you have to follow its structure and
stick to it, to avoid failures xD! As for the code, if you
noticed the "value=7", that tells us we will be in the Administrators
group and not the Super Users group, which is the value 8.


[Image: 5.jpg]
Well, we press F12 or minimize Firebug, which we no longer need, and follow the steps in the image.


[Image: 6.jpg]

After registering we get a message that tells us to
verify and confirm the
registration at the e-mail address we provided; if it is not in the inbox,
check the spam folder.


[Image: 7.jpg]
After confirming the registration, go to the Joomla administration panel:

www.site-joomla.com/administrator and log in.


[Image: 8.jpg]

As you can see in the image, the Joomla version is 2.5.1, almost current
as we said at the beginning, and we can also see that our user
is an administrator xD! Now it is time to upload our shell.
This video demonstrates how to upload a shell on our Joomla sites.

Well, once you have your shell on the server you can do whatever you want,
maybe not root the server (unless maybe there is a local root), or
make symbolic links (symlinks) to the files of other users who are on the same
server, or I don't know, you will see.

P.S.:


- I forgot: we can also inject the code to escalate privileges in
Joomla using Tamper Data (a Firefox add-on); you just have to add one
more parameter when sending the data.

Exploit Code for Use with Tamper Data :: jform[groups][]=7


Then you upload a picture, to see how the whole thing looks.
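
Seen from the defender's side, the injected field stands out because the registration form does not contain it. The following is an added example, not part of the original post: it scans URL-encoded registration POST bodies for a client-supplied `jform[groups]` field and reports which of the group ids named above (7, 8) were requested. The sample bodies are constructed, and the other field names and values in them, as well as the availability of logged POST bodies, are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Group ids as given in the post: 7 = Administrators, 8 = Super Users.
PRIVILEGED_GROUPS = {"7": "Administrators", "8": "Super Users"}
# Matches jform[groups][], jform[groups][0], ... after URL-decoding.
GROUPS_KEY = re.compile(r"^jform\s*\[\s*groups\s*\]", re.IGNORECASE)


def audit_registration_post(body):
    """Inspect one URL-encoded registration POST body and return a finding.

    'suspicious' is True when the client supplied any jform[groups] field,
    which the registration form itself does not contain.
    """
    fields = parse_qsl(body, keep_blank_values=True)
    groups = [v.strip() for k, v in fields if GROUPS_KEY.match(k.strip())]
    # jform[username] is an assumed field name used by the sample data.
    username = next((v for k, v in fields if k == "jform[username]"), None)
    return {
        "username": username,
        "suspicious": bool(groups),
        "requested_groups": groups,
        "privileged": sorted(
            PRIVILEGED_GROUPS[g] for g in set(groups) if g in PRIVILEGED_GROUPS
        ),
    }


def scan(bodies):
    """Return findings only for bodies that carry a groups field."""
    return [f for f in map(audit_registration_post, bodies) if f["suspicious"]]


# Constructed sample bodies (not real traffic): one normal registration,
# one with the field from the post, one with indexed keys and raw brackets.
SAMPLE_BODIES = [
    "jform%5Busername%5D=alice&jform%5Bemail1%5D=alice%40example.test"
    "&option=com_users&task=registration.register",
    "jform%5Busername%5D=bob&jform%5Bgroups%5D%5B%5D=7&option=com_users",
    "jform[username]=carol&jform[groups][0]=8&jform[groups][1]=2",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_BODIES):
        print(finding)
```

Any hit is worth reviewing together with the accounts that currently sit in groups 7 and 8; the lasting fix is to run a version the post lists as not vulnerable (2.5.3+).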
