Choose a .php file and upload it.
The test.php file will be uploaded to the server at the location: media/com_jnews/uploadtest.php
Please note that there is a simple bug here too: instead of saving the uploaded file into the upload folder, the component just prepends the word "upload" to the file name.
That’s all, folks. You just need to issue a request to your webshell.
Here you can upload a simple zip file with a malicious php file inside:
The content of the zip file needs to respect the following structure:
Note: The index.html file needs to be inside the zip file too.
That’s it. You’ve got your shell; you just need to use it under /media/com_jnews/templates/<zip-folder>/<shell.php>
Some functions of jNews allow you to upload files to the server; however, the files are filtered by their extension.
The code located at lib.upload.php is responsible for this validation, and it’s vulnerable. You can bypass it by simply uploading a .htaccess file with PHP code inside, or by simply using the .php5 extension.
So let’s check the code below:
Default value of $exts is ["php","phtm","phtml","php3","inc","exe","dmg"]
Since jNews uses a blacklist filter approach, you can simply upload a file that doesn’t match any of the extensions above.
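The following added example (not jNews code, and not from the original write-up) contrasts a blacklist check built on the `$exts` default above with an allowlist check that rejects the two bypasses the page names. The function names, the allowlist contents and the sample file names are assumptions made for illustration.

```php
<?php
// Added example, not jNews code. All function names here are hypothetical.

// Default $exts value quoted on the page: anything NOT listed is accepted.
const BLOCKED_EXTS = ['php', 'phtm', 'phtml', 'php3', 'inc', 'exe', 'dmg'];

// Assumed allowlist: only the types the upload feature actually needs.
const ALLOWED_EXTS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

// Blacklist approach as described on the page (a sketch of the idea only).
function blacklist_accepts(string $name): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return !in_array($ext, BLOCKED_EXTS, true);
}

// Allowlist approach: deny by default, accept only known-safe extensions.
function allowlist_accepts(string $name): bool
{
    $base = basename($name);
    // Reject empty names and dotfiles such as .htaccess outright.
    if ($base === '' || $base[0] === '.') {
        return false;
    }
    // Require exactly one extension so the check sees the whole suffix.
    if (substr_count($base, '.') !== 1) {
        return false;
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXTS, true);
}

// Store under a server-generated name; never reuse the client-supplied one.
function stored_name(string $name): string
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names, covering the cases the page mentions.
foreach (['photo.jpg', 'test.php', 'test.php5', '.htaccess'] as $n) {
    printf(
        "%-10s blacklist=%-6s allowlist=%s\n",
        $n,
        blacklist_accepts($n) ? 'accept' : 'reject',
        allowlist_accepts($n) ? 'accept' : 'reject'
    );
}
```

Extension checks are only one layer: the upload directory should also sit outside the web root or have script execution and per-directory overrides disabled in the server configuration.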