Some of my CVEs:
- CVE-2020-10238: Incorrect Access Control in com_templates (this post) CVSS 2.0: 5.0 and CVSS 3.x: 7.5
- CVE-2020-10239: Incorrect Access Control in com_fields SQL field CVSS 2.0: 6.5 and CVSS 3.x: 8.8
- CVE-2020-10241: CSRF in com_templates image actions CVSS 2.0: 6.8 and CVSS 3.x: 8.8
- And more.
I took part in a project at my company to pentest a customer's website, and this website used the Joomla CMS.
Before starting, a definition of some concepts:
Common Vulnerabilities and Exposures (CVE) is a dictionary-type list of standardized names for vulnerabilities and other security exposures. CVE aims to standardize the names of all publicly known vulnerabilities and security exposures, so that data can be shared more easily across separate vulnerability databases and security tools.
CMS stands for Content Management System: software that helps manage and edit content easily. The content could be electronic news, newspapers, photos, videos, and other materials.
A CMS saves management time and operating and maintenance costs, so many companies use one now. It is not only companies: many small blogs are being launched, and they choose a CMS so they can build a website and manage content easily while saving on website construction fees.
Among CMSs, Joomla is one of the most popular, second to WordPress.
When I tested this website, it ran Joomla version 1.5. There are many CVEs for that version, but none of them could be exploited. So I decided to scan Joomla's components. This website used the AllVideos Reloaded component, which is vulnerable to SQL injection (I found it manually, because the tool's response said 200 OK while the page was actually 404 Not Found). From the SQLi, I got a username and password. But the password is stored as a salted md5(). Fortunately, it could be brute-forced.
I used an online hash-lookup website to find the plaintexts for the hashes of the accounts with manager and super-admin rights. With the manager's rights, you can only create articles. For the super-admin's hash I would have had to pay in bitcoin, which I didn't have. So I decided to use the manager's rights to bypass the upload restrictions and upload a shell.
You know, bypassing the upload restrictions to upload a shell is not easy in a CMS, but I still decided to try. Searching Google for "PHP extension" gave me alternative extensions, but they didn't work. Then I had an idea: add a dot "." after the file name. Oh, success.
I wanted to get a CVE for it, but when I checked the newest version, the issue was already fixed and had been assigned a CVE (CVSS v2 6.8). What a pity!
I still tried to find a bypass on the first workday after Lunar New Year, but it didn't work. I realized I had chosen the wrong way, and chose a new approach: privilege escalation.
Joomla has three administrative roles: manager, administrator and super admin. A super admin can do anything. In this case, I had an administrator account with limited permissions.
com_templates allows a super admin to add, delete and edit a template's code from the website interface, such as:
Affected installs: <= 3.9.15.
Access link:
When I logged in with an administrator account, I saw:
The two interfaces are different.
I had an idea: use the administrator account to edit the index.php file to get RCE.
I captured the request for editing the index.php file as the super admin:
Add some PHP shell code into the index.php file:
Click the Save button and use Burp Suite to capture this request:
To make it easier to see, I deleted index.php's content and kept only the PHP shell code:
The yellow highlight is the super admin's token. Joomla uses a token to prevent CSRF.
Keep this request in Burp Suite's Repeater.
Log in with the administrator account.
To get the administrator's token:
Click the Edit button and use Burp Suite to capture this request:
The yellow highlight is the administrator's token.
Replace the super admin's token with the administrator's token and edit the URI:
Forward, and the result:
Done, the PHP shell code was saved. Where is my shell?
Simply go to the homepage:
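The root cause of the walk-through above is that the template editor's save action only verifies the anti-CSRF token, and a token proves that the request came from the user's own session, not that this user may edit template source. The following is an added example, not Joomla's code and not the author's tool, that models the save endpoint in a few lines of Python and replays the post's scenario (an administrator sending the captured request with their own token) against a token-only check and against a check that also consults an explicit permission list. Every name in it (User, Request, save_template_weak, save_template_fixed, the "template.edit_source" permission) is an assumption made for the illustration.

```python
"""Added example: why a valid CSRF token is not an authorization decision.
Models, not Joomla's implementation; all names are assumptions."""
import hmac
import secrets
from dataclasses import dataclass, field

# The three roles mentioned in the post.
SUPER_ADMIN = "super admin"
ADMINISTRATOR = "administrator"
MANAGER = "manager"

# Hypothetical ACL: only super admins may edit template source files.
PERMISSIONS = {"template.edit_source": {SUPER_ADMIN}}


@dataclass
class User:
    name: str
    role: str
    # Per-session anti-CSRF token, generated when the session starts.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    user: User    # the logged-in session that sends the request
    token: str    # anti-CSRF token carried in the form / URI
    path: str     # template file being written, e.g. "index.php"
    body: str     # new file content


class BadToken(Exception):
    pass


class Forbidden(Exception):
    pass


def valid_token(req: Request) -> bool:
    """Constant-time comparison of the submitted token with the session's."""
    return hmac.compare_digest(req.token, req.user.csrf_token)


def save_template_weak(req: Request, store: dict) -> bool:
    """Vulnerable pattern: the CSRF token is the only gate, so any logged-in
    backend user who sends their own valid token can write template files."""
    if not valid_token(req):
        raise BadToken()
    store[req.path] = req.body
    return True


def save_template_fixed(req: Request, store: dict) -> bool:
    """Hardened pattern: the CSRF check AND an explicit ACL check, evaluated
    on the server side for the acting user, regardless of what the UI showed."""
    if not valid_token(req):
        raise BadToken()
    if req.user.role not in PERMISSIONS["template.edit_source"]:
        raise Forbidden()
    store[req.path] = req.body
    return True


def replay(handler, role: str, forge_token: bool = False) -> str:
    """Send a template write as a user of the given role and report the
    outcome: "saved", "forbidden" or "bad-token"."""
    store = {"index.php": "<?php /* original template */ ?>"}
    user = User("tester", role)
    token = "0000" if forge_token else user.csrf_token
    req = Request(user=user, token=token, path="index.php",
                  body="<?php /* constructed marker, not a payload */ ?>")
    try:
        handler(req, store)
        return "saved"
    except Forbidden:
        return "forbidden"
    except BadToken:
        return "bad-token"


if __name__ == "__main__":
    # The post's scenario: an administrator replays the super admin's request
    # with their own token. The weak handler accepts it; the fixed one does not.
    print("weak, administrator:", replay(save_template_weak, ADMINISTRATOR))
    print("fixed, administrator:", replay(save_template_fixed, ADMINISTRATOR))
    print("fixed, super admin:", replay(save_template_fixed, SUPER_ADMIN))
```

The point to take from the two handlers is that hiding the editor from the administrator's UI (the "two interfaces are different" observation) changes nothing on the server; the permission check has to be made in the action that performs the write, and it has to be evaluated for the session that actually sent the request, not for whoever the request was originally captured from.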
When I found it, I reported it to the JSST (Joomla Security Strike Team). And the final result:
For automation, I wrote a tool to exploit it easily:
CVEs have been assigned:
Source for the concept:
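On the defending side, the same request pattern is easy to automate as a detection: a template-source write issued by any backend account that is not a super admin is the signal, whether or not the site has been patched. The block below is an added example, not part of the post and not the author's tool; the log format (an application audit line that already carries the acting user's role, as one would get by joining the request with the users table) and the task names template.save and template.apply are constructed for this illustration.

```python
"""Added example: flag com_templates writes by non-super-admin accounts in a
constructed audit log. Log format and task names are assumptions."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (not real logs): timestamp, acting user and role,
# HTTP method, request target, response status.
SAMPLE_LOG = [
    '2020-03-01T09:58:01Z user=root role="super admin" POST '
    '/administrator/index.php?option=com_templates&task=template.save 303',
    '2020-03-01T10:02:17Z user=editor role=manager GET '
    '/administrator/index.php?option=com_content&view=articles 200',
    '2020-03-01T10:05:42Z user=admin role=administrator POST '
    '/administrator/index.php?option=com_templates&task=template.save 303',
    '2020-03-01T10:06:10Z user=admin role=administrator POST '
    '/administrator/index.php?option=com_templates&task=template.apply 303',
    '2020-03-01T10:07:55Z user=admin role=administrator GET / 200',
    'garbage line that should be skipped',
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>"[^"]*"|\S+) '
    r'(?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$'
)

# Tasks assumed to write template source files.
WRITE_TASKS = {"template.save", "template.apply"}
# Only this role is expected to write template source.
ALLOWED_ROLES = {"super admin"}


def parse_line(line: str):
    """Return a dict with the log fields plus the option/task query values,
    or None for lines that do not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["role"] = rec["role"].strip('"')
    query = parse_qs(urlsplit(rec["target"]).query)
    rec["option"] = query.get("option", [""])[0]
    rec["task"] = query.get("task", [""])[0]
    return rec


def find_unauthorized_template_writes(lines):
    """Return (timestamp, user, role, task) for every template-source write
    performed by an account outside ALLOWED_ROLES."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if (rec["option"] == "com_templates"
                and rec["task"] in WRITE_TASKS
                and rec["role"] not in ALLOWED_ROLES):
            alerts.append((rec["ts"], rec["user"], rec["role"], rec["task"]))
    return alerts


if __name__ == "__main__":
    for alert in find_unauthorized_template_writes(SAMPLE_LOG):
        print("ALERT: template write by non-super-admin:", alert)
```

Because a successful write in this bug returns a normal redirect (the 303 in the constructed lines) and leaves the template's index.php changed, a file-integrity check on the template directory is the natural companion to this log rule: the rule tells you who issued the write, the integrity check tells you what changed.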