Joomla Remote File Inclusions RFI Attack
Local file inclusions are very funny. You tell the site what it wants. Awesome! To display the configuration file that contains the database login? No problem.
Want to see the file / etc / passwd, that Joomla is hosted on a Linux machine? You can do this.
Local file inclusions are a common problem in Joomla extensions. Many of them are vulnerable to this attack and some of them are never fixed. This can lead to a cut on the server, which is no fun at all - at least for the system administrator.
A typical vulnerable to LFI URL looks like this:
index.php? com_blablubb option = & item = 2 & view = guestbookpage
Generally, most vulnerable of the parameters are as follows:
To give you an idea of the characteristics affected
URL, I will give you some examples that I found earlier this year:
URL:? Option = index.php & view = com_jejob some_value
Vulnerable parameter: for
URL: index.php option = & view = com_jeajaxeventcalendar some_value
URL: index.php option = & controller = com_jradio some_value
Vulnerable parameter: the controller
((I found this.))
Now let's see how we can use the following:
index.php? option = com_jradio & Controller =../../../../ etc / passwd
In this case, we use the famous Nullbyte that helps us to overcome an inherent limitation in the php script component.
In the previous example, the control parameter is also used for files on local hard drive. This file contains useful information for us.
If you are not familiar with the local file inclusions suggest you consult the tutorial, because I will not explain all the details here.
Now, with the knowledge of a vulnerability in a component of Joomla BIA, we can try to access the Joomla configuration.php. This file contains interesting information.
For many LFIS also reveal the PHP source code, try the following:
index.php? Show & option = com_blabla =../../../ configuration.php
Source displays the file and get access to current database. Now find the PHPMyAdmin login on the same server, and attempts to access this information.
You can now access all the tables in Joomla, and can basically do whatever you want.
Examples of remote file inclusions Joomla
Some Joomla components are also known to include remote file inclusion vulnerabilities. RFI allows us to include files from another server and execure code on the target.
A typical URL looks URLs RFI LFI. In order to get a better sense of how to see the RFI vulnerability of a few seconds, telling examples of
URL: index.php? Option = com_sef & Itemid = & =. mosConfig.absolute.path
Vulnerable parameter: & mosConfig.absolute.path
URL: index.php? Option & task = com_jomestate =.
Vulnerable parameter: the task
When you have found a vulnerability RFI, try to include the PHP shell that is hosted on another box. Once you've downloaded, you can browse all the Joomla files and download them, edit them, delete ...
No Joomla installation is safe when there is an RFI exploit.