Exploiting Joomla! com_jesectionfinder Arbitrary File Upload in 2010

Exploiting Joomla! com_jesectionfinder Arbitrary File Upload in 2010
What this paper is
This paper describes a vulnerability in the com_jesectionfinder component for Joomla! versions prior to 1.5. This vulnerability allows an unauthenticated user to upload arbitrary files, including PHP scripts, to the web server. By uploading a malicious PHP script disguised as an image file, an attacker can then execute this script remotely, leading to code execution on the server.
Simple technical breakdown
The com_jesectionfinder component was used to list properties for sale. Users could upload images of these properties. The vulnerability lies in how the component handled file uploads. It did not properly validate file types. An attacker could rename a PHP script to have a common image extension (like .jpg or .gif) and then upload it. The component would then save this file in a predictable location on the server. Because the file was a PHP script, the web server would execute it when accessed via its URL, giving the attacker control.
Complete code and payload walkthrough
The provided paper does not contain any executable code or shellcode. It is a descriptive paper outlining a vulnerability. The "Xploit" section describes the attack vector conceptually.
Conceptual Attack Flow:
- Identify Target: A Joomla! website using the
com_jesectionfindercomponent. - Locate Vulnerable Feature: The "listing-your-section.html" page, which allows users to upload property details and images.
- Craft Malicious File: Create a PHP script (e.g., a simple web shell) and rename it to something like
shell.php.jpg. - Upload File: Use the component's upload functionality to upload the renamed malicious file. The component, due to insufficient validation, accepts the file.
- Determine Uploaded File Path: The paper indicates the uploaded files are stored in
components/com_jesectionfinder/assets/images/. - Remote Execution: Access the uploaded file via its URL (e.g.,
http://server/propertyfinder/components/com_jesectionfinder/assets/images/shell.php.jpg). The web server, if configured to execute PHP files even with double extensions, will interpret and run the PHP code.
Mapping:
- "Upload Vulnerability": The core issue, allowing unauthorized file uploads.
- "changing the extension of your script to .jpg,.bmp,.gif": The technique used to bypass basic file type filtering.
- "DEMO URL : http://server/propertyfinder/listing-your-section.html": The entry point for the upload.
- "DEMO URL : http://server/propertyfinder/components/com_jesectionfinder/assets/images/[evil script.php.bmp.php]": The location where the malicious file is expected to be found and executed.
Shellcode/Payload: The paper does not provide specific shellcode bytes. The "payload" is the attacker-crafted PHP script itself, which would typically contain functions for command execution or reverse shell capabilities.
Practical details for offensive operations teams
- Required Access Level: Unauthenticated user. The vulnerability is in a feature accessible to the public.
- Lab Preconditions:
- A vulnerable Joomla! installation with the
com_jesectionfindercomponent installed. - The component must be configured to allow file uploads for listings.
- The web server must be configured to execute PHP files, even if they have double extensions (e.g.,
.php.jpg). This is a common misconfiguration or a feature of some older PHP handlers.
- A vulnerable Joomla! installation with the
- Tooling Assumptions:
- A web browser to interact with the Joomla! site.
- A simple text editor to create the malicious PHP script.
- A tool like
curlorwgetmight be useful for testing the uploaded payload's execution. - A vulnerability scanner might flag this if it checks for specific component versions and known vulnerabilities.
- Execution Pitfalls:
- File Extension Handling: Some web servers or PHP configurations might strip double extensions or refuse to execute files with non-standard extensions, even if they contain PHP code. The
.php.bmpexample suggests the attacker is relying on the server executing the.phppart. - Upload Directory Permissions: The web server process needs write permissions to the
components/com_jesectionfinder/assets/images/directory. - Component Configuration: The specific version and configuration of
com_jesectionfindermight have additional checks that were not present in the version exploited. - Web Application Firewalls (WAFs): Modern WAFs might detect the upload of files with executable extensions or patterns indicative of malicious scripts.
- File Size Limits: The component or server might impose file size limits that could prevent uploading larger payloads.
- File Extension Handling: Some web servers or PHP configurations might strip double extensions or refuse to execute files with non-standard extensions, even if they contain PHP code. The
- Tradecraft Considerations:
- Reconnaissance: Identifying the target Joomla! version and installed components is crucial. Tools like
Wappalyzeror manual inspection of source code can help. - Payload Staging: For more advanced attacks, the initial uploaded PHP file might be a small "stager" that downloads a larger, more sophisticated payload from an attacker-controlled server.
- Obfuscation: If basic file extension bypasses fail, attackers might attempt to obfuscate their PHP code to evade signature-based detection.
- Reconnaissance: Identifying the target Joomla! version and installed components is crucial. Tools like
Where this was used and when
This vulnerability was published in April 2010. It targets a specific Joomla! component, com_jesectionfinder. While the paper doesn't detail specific real-world incidents, vulnerabilities like this were common in the era of older, less secure web applications and CMS extensions. It's likely this or similar arbitrary file upload vulnerabilities were exploited in the wild against websites using this component.
Defensive lessons for modern teams
- Input Validation is Paramount: Always validate user-supplied data, especially file uploads. This includes checking file extensions, MIME types, and file content.
- Secure File Uploads:
- Store uploaded files outside the web root if possible.
- If stored within the web root, use a separate, non-executable directory.
- Rename uploaded files to random, non-predictable names.
- Configure the web server to prevent execution of files in upload directories.
- Keep Software Updated: Regularly update your CMS (Joomla!, WordPress, Drupal, etc.) and all its extensions and plugins. Vendors patch vulnerabilities, and outdated software is a primary attack vector.
- Principle of Least Privilege: Ensure web server processes have only the necessary file system permissions.
- Web Application Firewalls (WAFs): Deploy and configure WAFs to detect and block common attack patterns, including malicious file uploads.
- Regular Audits and Scans: Conduct regular security audits and vulnerability scans of your web applications.
ASCII visual (if applicable)
+-----------------+ +------------------------------------------------------+
| Attacker's Host |----->| Joomla! Website (Vulnerable com_jesectionfinder) |
+-----------------+ +------------------------------------------------------+
^ |
| 1. Upload Malicious PHP | 2. File saved in:
| (e.g., shell.php.jpg) | /components/com_jesectionfinder/assets/images/
| |
| 3. Request Malicious File |
+-------------------------------+
|
v
+-----------------+
| Web Server |
| (Executes PHP) |
+-----------------+
|
v
+-----------------+
| Attacker gains |
| control/exec. |
+-----------------+Source references
- PAPER ID: 12432
- PAPER TITLE: Joomla! Component com_jesectionfinder - Arbitrary File Upload
- AUTHOR: Sid3^effects
- PUBLISHED: 2010-04-28
- PAPER URL: https://www.exploit-db.com/papers/12432
Original Exploit-DB Content (Verbatim)
--------------------------------------------------------------------------------------
#####################Sid3^effects aKa HaRi##################################
#Greetz to all Andhra Hackers and ICW Memebers[Indian Cyber Warriors]
#Thanks:*L0rd ÇrusAdêr*,d4rk-blu™®,R45C4L idi0th4ck3r,CR4C|< 008,M4n0j,MaYuR
#ShouTZ:kedar,dec0d3r
#Catch us at www.andhrahackers.com or www.teamicw.in
############################################################################
Description :
This component for web-based business that specialises in buying and selling sections nationwide. Our aim is easy to connect the seller of land directly to the buyer, its simple.
User can add your section/property into particular listing option. Listing option manages from the backend. User selects his plan (Listing option) and enters property detail (with images). After use see that preview and make it payment. If user makes it payment successfully than it display automating otherwise his listing not published.
############################################################################
Xploit : Upload Vulnerability
The user can upload there evil script by changing the extension of your script to .jpg,.bmp,.gif in the list your section in the menu .
DEMO URL :
http://server/propertyfinder/listing-your-section.html
Once uploaded goto
DEMO URL :
http://server/propertyfinder/components/com_jesectionfinder/assets/images/[evil script.php.bmp.php]
############################################################################
#Sid3^effects