Problem: During a penetration test I faced a buggy Joomla installation. The Joomla version was 3.6.4 and it was vulnerable to CVE-2016-8869. I created an administration account using a Metasploit module, but wait!?
I couldn't upload a WebShell. I used the .pht method with no luck. I had no access to the template source files.
I know that only a SuperAdmin account can edit .php files directly in the templates section, but I was an administrator, not a SuperUser.
An administrator account cannot create a superuser directly (the role Super User is not available for selection).
After an hour of working, I found a solution for adding a SuperUser account directly from the administration panel (without direct database interaction).
Go to Users > Options:
- enable user registration
- set new user registration group to > Super Users
- set Guest User Group to > Super Users
- disable send password
- set New User Account Activation to > None
- disable mail notification to administrator and save
After modifying the user options, log out, then register a new user from the link below.
After submitting the form you will face the error below; ignore it.
Now log in with the registered username and you will be a SuperUser and can do whatever a superuser can do. After creating the super user, undo the modifications.
Now you have full access to the template source files and can use this method for uploading a WebShell.
This method was fixed in Joomla 3.6.5. Feel free to leave your comment.
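For defenders, the option state described above can be audited from the stored `com_users` parameters. The following is an added example, not code from the original post or from Joomla. It assumes the options are stored as JSON in the `params` column of the `com_users` row of the `#__extensions` table, under the key names used below, and that the install keeps Joomla 3's default group ids.

```python
import json

# Assumed defaults of a stock Joomla 3 install (not stated in the post):
# group ids 7 = Administrator, 8 = Super Users, 2 = Registered, 9 = Guest.
PRIVILEGED_GROUPS = {7: "Administrator", 8: "Super Users"}


def audit_com_users(params_json, privileged=PRIVILEGED_GROUPS):
    """Return (severity, option, reason) findings for a com_users params blob."""
    params = json.loads(params_json)

    def num(key, default):
        # Joomla stores option values as strings; tolerate missing/odd values.
        try:
            return int(params.get(key, default))
        except (TypeError, ValueError):
            return default

    registration = num("allowUserRegistration", 0) == 1
    new_group = num("new_usertype", 2)
    guest_group = num("guest_usergroup", 9)
    findings = []

    if new_group in privileged:
        # Dangerous even with registration off: it takes effect once enabled.
        findings.append(("critical" if registration else "high", "new_usertype",
                         "self-registered accounts join " + privileged[new_group]))
    if guest_group in privileged:
        findings.append(("critical", "guest_usergroup",
                         "unauthenticated visitors are mapped to " + privileged[guest_group]))
    if registration and num("useractivation", 2) == 0:
        findings.append(("medium", "useractivation",
                         "new accounts are active without any confirmation"))
    if registration and num("mail_to_admin", 1) == 0:
        findings.append(("low", "mail_to_admin",
                         "administrators are not told about new registrations"))
    return findings


# Constructed samples: the state the post describes, and a locked-down one.
AS_DESCRIBED = json.dumps({"allowUserRegistration": "1", "new_usertype": "8",
                           "guest_usergroup": "8", "sendpassword": "0",
                           "useractivation": "0", "mail_to_admin": "0"})
LOCKED_DOWN = json.dumps({"allowUserRegistration": "0", "new_usertype": "2",
                          "guest_usergroup": "9", "sendpassword": "1",
                          "useractivation": "2", "mail_to_admin": "1"})

if __name__ == "__main__":
    for severity, option, reason in audit_com_users(AS_DESCRIBED):
        print(f"[{severity}] {option}: {reason}")
```

Because the post's last step is to undo the modifications, a one-off check can miss the window; running the audit on a schedule and reviewing existing members of the Super Users group covers that case.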