Good Evening friends. Today we will see how to exploit remote machines with Joomla installed on them. Joomla suffers from an unauthenticated remote code execution that affects all versions from 1.5.0 to 3.4.5. By storing user supplied headers in the databases session table it’s possible to truncate the input by sending an UTF-8 character. The custom created payload is then executed once the session is read from the database. We also need to have a PHP version before 5.4.45 (including 5.3.x), 5.5.29 or 5.6.13. In later versions the deserialization of invalid session data stops on the first error and the exploit will not work. The PHP Patch was included in Ubuntu versions 5.5.9+dfsg-1ubuntu4.13 and 5.3.10-1ubuntu3.20 and in Debian in version 5.4.45-0+deb7u1. Joomla has recently released a patch for this vulnerability. Now let us see how to use the Joomla HTTP Header Unauthenticated Remote Code Execution exploit. Start Metasploit. and search for the exploit as shown below.
Type command “show options“ to see the required options.
Set the remote IP address and set the payload as shown below.
Type command “check” to see whether the target is vulnerable.
Next type command “exploit” to execute the exploit. You will get the remote system’s shell as shown below.