####################################################################

# Exploit Title : Joomla Alberghi Components 2.1.3 SQL Injection / Remote File Upload
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 27/02/2019
# Vendor Homepage : alberghi.joomlaitalia.com
# Software Download Links : alberghi.joomlaitalia.com/files/alberghi_2_1_3_SR.zip
joomlaos.de/option,com_remository/Itemid,41/func,finishdown/id,2566.html
# Software Information Links : 
joomlashow.it/directory/turismo/hotel-alberghi/
joomlaportal.ru/news/extensions/components/1538-komponent-alberghi-2-1-3
joomla.info.tr/joomla-dersleri/alberghi-213
artio.net/de/e-shop/joomla-extensions/joomsef/joomsef-3-extensions/alberghi-joomsef-3-extension
# Software Affected Versions : 2.1.1 and 2.1.3 and other previous versions
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium/High
# Google Dorks : inurl:"/index.php?option=com_alberghi"
# Vulnerability Types : CWE-89 [ Improper Neutralization of Special Elements
used in an SQL Command ('SQL Injection') ]
CWE-264 [ Permissions, Privileges, and Access Controls ]
# Old Similar CVE : CVE-2008-1459
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1459
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

####################################################################

# Description about Software :
***************************
Joomla Alberghi is used for Hotels and Tourism websites service especially in Italy.

####################################################################

Information about CVE Common Vulnerabilities and Exposures => 
**********************************************************
Note : CVE stands for Common Vulnerabilities and Exposures
[Old Similar ] CVE doesn't mean copy-paste but they are original written by author in more details.
It is a reference and proof of concept code - cve-identifier number - or whatever you call it. 
For example ; This Joomla exploits/vulnerabilities are very real and not fake. 
We support your products and software - 
so we don't want no vulnerabilities and we want secure internet.
It is designed to allow vulnerability databases and other capabilities to be linked together, 
and to facilitate the comparison of security tools and service.
According to the CVE website, a vulnerability is a mistake in software code that provides 
an attacker with direct access to a system or network.
It could allow an attacker to pose as a super-user or system administrator with full access privileges.
If an attacker gives somebody hacker's CVE doesn't mean that this is copy-paste exploit.
CVE lists only publicly known vulnerabilities and exposures, which means 
skilled hackers likely know about them anyway.It takes much more work for an organization
to protect its networks and fix all possible holes than it takes for a hacker to find 
a single vulnerability, exploit it, and compromise the network.
There is growing agreement in the infosec community that sharing information is beneficial. 
This is reflected in the fact that the CVE Board and CNAs include key infosec organizations.
CVE is a list of information security vulnerabilities and exposures that aims to provide
common names for publicly known problems. The goal of CVE is to make it easier to 
share data across separate vulnerability capabilities (tools, repositories, and services) 
with this "common enumeration." Please visit cve.mitre.org/about/faqs.html for more information.

####################################################################

# According to the CVE-2008-1459 => 
********************************
SQL injection vulnerability in the Alberghi (com_alberghi) 2.1.3 and earlier component

for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands 

via the id - itemid - catid - startpage parameters in a detail action to index.php.

####################################################################

# Impact : 
***********
* Joomla Alberghi Components 2.1.3 [ and other versions ] component for Joomla is prone to an SQL-injection 

vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. 

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit l

atent vulnerabilities in the underlying database. A remote attacker can send a specially crafted request t

o the vulnerable application and execute arbitrary SQL commands in application`s database.

Further exploitation of this vulnerability may result in unauthorized data manipulation.

An attacker can exploit this issue using a browser.

* On the other hand this software is prone to a vulnerability that lets attackers upload arbitrary files. 

The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker may leverage this issue to upload arbitrary files to the affected computer - sites or servers.

this can result in arbitrary code execution within the context of the vulnerable application. 

###################################################################

# SQL Injection Exploit : 
**********************
/index.php?option=com_alberghi&%253BItemid=[SQL Injection]

/index.php?option=com_alberghi&task=detail&Itemid=[ID-NUMBER]&id=[SQL Injection]

/index.php?option=com_alberghi&task=viewAlberghi&Itemid=[SQL Injection]&letter=All

/index.php?option=com_alberghi&Itemid=&task=viewcategory&catid=[SQL Injection]

/index.php?option=com_alberghi&task=detail&Itemid=[ID-NUMBER]&catid=[ID-NUMBER]&id=[SQL Injection]

/index.php?option=com_alberghi&task=viewcategory&Itemid=&catid=[ID-NUMBER]&limitstart=[ID-NUMBER]&startpage=[SQL Injection]

####################################################################

# Vulnerable Source Code : [ upload.alberghi.php ]
*********************************************

<html>
<head>
<title>Caricamento / Upload</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body bgcolor="#ffffff">
</body>
</html>
<?php

// Check if logged in
define( "_VALID_MOS", 1 );

$mode = $_GET['mode'];
if ( $mode == "" ){
	$mode="stories_root";
}

$directory = $_GET['directory'];
if ( $directory == "" )
{
	$directory = $_POST['directory'];
	$fileupload = $_POST['fileupload'];
}

$userfile2=(isset($_FILES['userfile']['tmp_name']) ? $_FILES['userfile']['tmp_name'] : "");
$userfile_name=(isset($_FILES['userfile']['name']) ? $_FILES['userfile']['name'] : "");
if ($userfile_name != "") {
	if ($directory!="") {
		if ( $mode == "stories_root" ) {
			$base_Dir = "../../../images/stories/$directory/";
		}else if ( $mode == "alberghi_root" ){
			$base_Dir = "../../../components/com_alberghi/$directory/";
		}
		echo "BASE DIR [ $base_Dir ]";
	} else {
		echo "<script>alert('Seleziona una directory'); document.location.href='upload.alberghi.php';</script>";
	}
	if (empty($userfile_name)) {
		echo "<script>alert('Seleziona un immagine da caricare'); document.location.href='upload.alberghi.php';</script>";
	}

	$filename = split("\.", $userfile_name);

	if (eregi("[^0-9a-zA-Z_]", $filename[0])) {

		echo "<script> alert('Il nome del file deve contenere solo caratteri alfanumerici senza spaziature - File name must have only alphabetical characters with no spaces.'); window.history.go(-1);</script>\n";
		exit();
	}

	if (file_exists($base_Dir.$userfile_name)) {

		echo "<script> alert('Una immagine chiamata $userfile_name esiste gia - Image $userfile_name already exists.'); window.history.go(-1);</script>\n";
		exit();
	}


	if ((strcasecmp(substr($userfile_name,-4),".gif")) && (strcasecmp(substr($userfile_name,-4),".jpg")) && (strcasecmp(substr($userfile_name,-4),".png"))) {
		echo "<script>alert('Il file deve essere un gif, png o jpg - The file must be a gif, png or jpg'); window.history.go(-1);</script>\n";
		exit();
	}


	if (eregi(".pdf", $userfile_name) || eregi(".doc", $userfile_name) || eregi(".xls", $userfile_name) || eregi(".ppt", $userfile_name)) {
		if (!move_uploaded_file ($_FILES['userfile']['tmp_name'],$media_path.$_FILES['userfile']['name']) || !chmod($media_path.$_FILES['userfile']['name'],0777)) {

			/*echo "<script>alert('Caricamento di $userfile_name fallito'); window.history.go(-1);</script>\n";*/
			exit();
		}
		else {

			echo "<script>alert('Caricamento di $userfile_name avvenuto con successo - File $userfile_name has been successfully uploaded'); window.history.go(-1);</script>\n";
			exit();
		}
	} elseif (!move_uploaded_file ($_FILES['userfile']['tmp_name'],$base_Dir.$_FILES['userfile']['name']) || !chmod($base_Dir.$_FILES['userfile']['name'],0777)) {
		/*echo "<script>alert('Caricamento di $userfile_name fallito'); window.history.go(-1);</script>\n";*/
		exit();
	}
	else {

		echo "<script>alert('Caricamento di $userfile_name avvenuto con successo - File $userfile_name has been successfully uploaded'); window.history.go(-1);</script>\n";
		exit();
	}


}
?>
<?php echo "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?".">"; ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Carica un file</title>
<style>
.button {

  color            : #666666;
  border           : 1px solid #666666;
  background-color : #ffffff;
  margin-top       : 0px;
  font-family      : arial, helvetica, sans-serif;
  font-size        : 9px;
  height           : 10px
  height           : 10px;
  width            : 140px
  width            : 140px;
}
.inputbox {
font-size        : 10px;
border           : 1px solid #666666;
  background-color : #ffffff;
  margin-bottom    : 5px;
  color			   : #666666;
  padding          : 1px;
}

.title {
  font-family      : Arial, Helvetica, sans-serif;
  font-size        : 12px;
  color            : #004080;
}
</style>
</head>
<body>
<table border=0 topmargin=0 bgcolor=FFFFFF cellpadding=2 cellspacing=0 align="center">
  <form method="post" action="<?php $_SERVER['PHP_SELF'] ?>" enctype="multipart/form-data" name="filename">
    <tr>
      <th class="title"> Carica File / Upload File : <?php echo $directory; ?></th>
    </tr>
    <tr>
      <td align="center">
        <input class="inputbox" name="userfile" type="file" />
      </td>
    </tr>
    <tr>
      <td>
        <input class="button" type="submit" value="Carica / Upload" name="fileupload" />
      </td>
    <tr>
      <td>
        <input type="hidden" name="directory" value="<?echo $directory;?>" />
      </td>

    </tr>
  </form>
</table>
</body>
</html>

####################################################################

# Arbitrary Remote File Upload Exploit :
***********************************
/administrator/components/com_alberghi/upload.alberghi.php

# Vulnerability Error :
*******************
Seleziona un immagine da caricare

alert('Seleziona una directory'); document.location.href='upload.alberghi.php';"; } if (empty($userfile_name)) { echo "

# Directory File Path :
******************
/administrator/components/com_alberghi/[YOURFILENAME].png  .gif  .jpg .jpeg

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team 

####################################################################