# Exploit Title: NoNumber Framework Joomla! Plugin Multiple Vulnerabilities
# Discovery Date: 10 October 2011
# Reported Date: 11 October 2011
# Patch Date: 17 October 2011
# Release Date: 17 October 2011
# Author: jdc
# Software Link: http://nonumber.nl
The nnframework plugin by NoNumber! contains multiple vulnerabilities. This plugin is shipped with all NoNumber extensions:
* Advanced Module Manager
* AdminBar Docker
* Add to Menu
* Articles Anywhere
* What? Nothing!
* Timed Styles
* Modules Anywhere
* DB Replacer
* Content Templater
* CDN for Joomla!
* Cache Cleaner
* Better Preview
All vulnerable extensions have been patched as of 17 October 2011.
Local File Inclusion:
NOTE: the ending ".inc.php" is required.
Open Proxy/Open cURL/Shell Upload
Using the following data structure, it is possible to pass arguments directly into cURL:
Whatever the plugin loads via cURL gets written out as data under the domain of the victim site.
It is also possible to gain remote access:
1. Set up a remote page that sets the following cookie:
2. Force victim site to write a cookie file:
3. POST a single variable containing REAL shellcode to http://[victim]/shell.php