RamadhanAmizudin · October 27, 2016 01:27
diff --git a/gistfile1.txt b/gistfile1.txt
 kalau tengok commit joomla 3.6.4, akan prasan ada method yang dibuang => https://github.com/joomla/joomla-cms/commit/2983d196840a7da2abf62c00ac2f3ee4864179b4

 https://github.com/joomla/joomla-cms/blob/3.6.3/components/com_users/controllers/user.php#L293 Function Register yang dibuang dalam joomla 6.3.4
 https://github.com/joomla/joomla-cms/blob/3.6.3/components/com_users/controllers/user.php#L346 basically semua dari post data dihantar ke user $model->regiser
 https://github.com/joomla/joomla-cms/blob/3.6.3/components/com_users/models/registration.php#L381 $model->register method
 https://github.com/joomla/joomla-cms/blob/3.6.3/components/com_users/models/registration.php#L390-L393 reassign variable $temp(which is data dari user.php#L346) ke $data[$key] = $value
 https://github.com/joomla/joomla-cms/blob/3.6.3/components/com_users/models/registration.php#L409 dia bind semua $data ke $user object
 https://github.com/joomla/joomla-cms/blob/3.6.3/libraries/joomla/user/user.php#L595 $user->bind() method
 https://github.com/joomla/joomla-cms/blob/3.6.3/libraries/joomla/user/user.php#L595 basically dia amik smua array tu assign ke current/user object punya properties
 https://github.com/joomla/joomla-cms/blob/3.6.3/components/com_users/models/registration.php#L420 dia save
 https://github.com/joomla/joomla-cms/blob/3.6.3/libraries/joomla/user/user.php#L706 $user->save() method
 https://github.com/joomla/joomla-cms/blob/3.6.3/libraries/joomla/user/user.php#L748 dia check current request user ni dalam group core.admin tak
 https://github.com/joomla/joomla-cms/blob/3.6.3/libraries/joomla/user/user.php#L752-L755 rehash function, xda apa pun boleh abaikan
 https://github.com/joomla/joomla-cms/blob/3.6.3/libraries/joomla/user/user.php#L752-L755 ni part yang vulnerable. condition untuk exploit = current user mesti bukan core.admin dan bukan tengah rehash super admin
 https://github.com/joomla/joomla-cms/blob/3.6.3/libraries/joomla/user/user.php#L766-L776 dia check kalau $this/current object ada 'groups' properties ke tak, pastu kalau ada dia check ada tak group core.admin, kalau ada dia reject..

 so vulnerability mcm privilege escalation, kita hantar post data 'groups[]=' masa register, dan newly created user akan ada dalam group yg kita assign. 

 rip.
	kalau tengok commit joomla 3.6.4, akan prasan ada method yang dibuang => https://github.com/joomla/joomla-cms/commit/2983d196840a7da2abf62c00ac2f3ee4864179b4

	https://github.com/joomla/joomla-cms/blob/3.6.3/components/com_users/controllers/user.php#L293 Function Register yang dibuang dalam joomla 6.3.4
	https://github.com/joomla/joomla-cms/blob/3.6.3/components/com_users/controllers/user.php#L346 basically semua dari post data dihantar ke user $model->regiser
	https://github.com/joomla/joomla-cms/blob/3.6.3/components/com_users/models/registration.php#L381 $model->register method
	https://github.com/joomla/joomla-cms/blob/3.6.3/components/com_users/models/registration.php#L390-L393 reassign variable $temp(which is data dari user.php#L346) ke $data[$key] = $value
	https://github.com/joomla/joomla-cms/blob/3.6.3/components/com_users/models/registration.php#L409 dia bind semua $data ke $user object
	https://github.com/joomla/joomla-cms/blob/3.6.3/libraries/joomla/user/user.php#L595 $user->bind() method
	https://github.com/joomla/joomla-cms/blob/3.6.3/libraries/joomla/user/user.php#L595 basically dia amik smua array tu assign ke current/user object punya properties
	https://github.com/joomla/joomla-cms/blob/3.6.3/components/com_users/models/registration.php#L420 dia save
	https://github.com/joomla/joomla-cms/blob/3.6.3/libraries/joomla/user/user.php#L706 $user->save() method
	https://github.com/joomla/joomla-cms/blob/3.6.3/libraries/joomla/user/user.php#L748 dia check current request user ni dalam group core.admin tak
	https://github.com/joomla/joomla-cms/blob/3.6.3/libraries/joomla/user/user.php#L752-L755 rehash function, xda apa pun boleh abaikan
	https://github.com/joomla/joomla-cms/blob/3.6.3/libraries/joomla/user/user.php#L752-L755 ni part yang vulnerable. condition untuk exploit = current user mesti bukan core.admin dan bukan tengah rehash super admin
	https://github.com/joomla/joomla-cms/blob/3.6.3/libraries/joomla/user/user.php#L766-L776 dia check kalau $this/current object ada 'groups' properties ke tak, pastu kalau ada dia check ada tak group core.admin, kalau ada dia reject..

	so vulnerability mcm privilege escalation, kita hantar post data 'groups[]=' masa register, dan newly created user akan ada dalam group yg kita assign.

	rip.