Hack CompojoomComment? Ok!

Posted in Joomla!
2010-08-04 23:55:33 +0000 UTC

Compojoom, developers of CompojoomComment, opened up a contest to hack their comment component. After being alerted to the contest by my good friend Lafrance, I took a peek and had a working XSS exploit within 16 minutes, and after a bit of refining I managed to really mess things up. ;)

My first major score occurred using malformed BBCode using mismatched url and img tags. Using this I injected 2 new attributes into a link: style and onmouseover. Giving the link a large size, absolute positioning and a JavaScript trigger, I made the contest site redirect back here.

After the hackme site was no longer pointing to my domain, I started poking around at any type of request I could find. This led to a not-so-impressive reflective XSS in the search function. Score 2, but upon further investigation I found a way to include local files for execution. Lucky for Compojoom, /proc/self/environ was blocked (though /etc/passwd was not).

Up next came a simple scan of the JavaScript for the site. In there I noticed some functions related to deleting posts. Using a debug console I executed the script to delete all the comments, and the AJAX code happily removed all the comments from the page. They came back upon reload, so I checked out the URL the AJAX request fetched, changed the POST data to GET, and attached it as an image to a comment. After an email to the admin to check the page for that post, he confirmed that my CSRF attack had indeed worked. :)

I was chatting with a friend about the contest (wassup DrDigital) and he jokingly suggested that I go for the first 5. My Discordian instincts kicked in and I figured, what the hell - let's give it one more go. I went back to my first attack, the malformed BBCode, and wondered if I'd exhausted all my options. I started poking around and bam - I managed to get another code injection! This time it took a set of 3 different BBCodes (url, img and color) to be able to inject HTML attributes, but I once again had the contest site pointing back at mine.
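The renderer side of both BBCode injections above (url/img, then url/img/color), as an added example that is not CompojoomComment's code or anything from the original post: a tokenizing renderer that leaves mismatched or nested tags as literal text and validates and escapes every value before it reaches an attribute. The names `render` and `safe_url` and the `a.example` host are assumptions made for this sketch.

```python
import html
import re
from urllib.parse import urlsplit

# One token per match: a complete [img]..[/img], an opening [url=..] or
# [color=..], or a closing tag. Values may not contain brackets, so a tag
# can never be smuggled inside another tag's argument.
TOKEN = re.compile(
    r"\[img\](?P<img>[^\[\]]*)\[/img\]"
    r"|\[(?P<open>url|color)=(?P<arg>[^\[\]]*)\]"
    r"|\[/(?P<close>url|color)\]",
    re.I,
)
COLOR = re.compile(r"#[0-9a-fA-F]{3}(?:[0-9a-fA-F]{3})?|[a-zA-Z]{3,20}")
CLOSERS = {"url": "</a>", "color": "</span>"}

def safe_url(value):
    """Return the attribute-escaped URL if it is http(s) with a host, else None."""
    value = value.strip()
    parts = urlsplit(value)
    ok = parts.scheme in ("http", "https") and parts.netloc
    return html.escape(value, quote=True) if ok else None

def render(text):
    out, stack, pos = [], [], 0
    for m in TOKEN.finditer(text):
        out.append(html.escape(text[pos:m.start()]))  # plain text between tags
        pos = m.end()
        literal = html.escape(m.group(0))  # fallback: show the tag as text
        if m.group("img") is not None:
            url = safe_url(m.group("img"))
            out.append(f'<img src="{url}" alt="">' if url else literal)
        elif m.group("open"):
            name, arg = m.group("open").lower(), m.group("arg")
            if name == "url" and (url := safe_url(arg)):
                out.append(f'<a href="{url}" rel="nofollow">')
                stack.append(name)
            elif name == "color" and COLOR.fullmatch(arg):
                out.append(f'<span style="color:{arg}">')
                stack.append(name)
            else:
                out.append(literal)  # rejected value: tag stays text
        elif stack and stack[-1] == m.group("close").lower():
            out.append(CLOSERS[stack.pop()])
        else:
            out.append(literal)  # mismatched close stays text
    out.append(html.escape(text[pos:]))
    out.extend(CLOSERS[name] for name in reversed(stack))  # close leftovers
    return "".join(out)
```

The point of the design is that markup is only ever emitted from a fixed template with one validated, escaped value in it; anything that does not parse cleanly is shown to the reader as the text they typed.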

I Win