1               ##########################################             1
0               I'm Sid3^effects member from Inj3ct0r Team             1
1               ##########################################             0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
 
Name :  Joomla com_mysms Upload Vulnerability
Date : july 10,2010
Critical Level  : HIGH
vendor URL :http://www.willcodejoomlaforfood.de/
Author : Sid3^effects aKa HaRi
special thanks to : r0073r (inj3ct0r.com),L0rd CruSad3r,MaYur,MA1201,KeDar,Sonic,gunslinger_
greetz to :www.topsecure.net ,All ICW members and my friends :) luv y0 guyz
#######################################################################################################
Description
MySMS is standing for "Simple sms component" for Joomla. The MySMS component is now available for Joomla 1.0.x ( com_mysms-0.9.4.zip ) and for Joomla 1.5.x series ( use com_mysms-1.5.10.zip ).
 
This component supports following sms gateway provider today: w2sms, teleword, smskaufen, smscreator, sms77, sms4credits, mobilant, mesmo, clickatell, aspsms, nohnoh, mexado, innosend, suresms,compaya and hardwired, mobilenl, sloono, smsat and wannfind, agiletelecom, smsviainternet, infobip, at&t, smscom, coolsms, smsglobal, aruhat, massenversand, smstrade.
#######################################################################################################
Xploit: Upload Vulnerability
 
Step 1: Register first :D
 
Step 2: Goto your profile "Mysms" option
 
Step 3: The attacker can upload shell in the "Import phonebook" option and it doesnt validate any file format so upload your shell
DEMOU URL :http://server/?option=com_mysms&Itemid=0&task=phonebook
 
Step 4: your shell is uploaded and now you do ur job ;)
 
#######################################################################################################
# 0day no more
# Sid3^effects