
Joomla HTTP Header Unauthenticated Remote Code Execution exploit

Good evening, friends. Today we will see how to exploit remote machines with Joomla installed on them. Joomla suffers from an unauthenticated remote code execution vulnerability that affects all versions from 1.5.0 to 3.4.5. Because user-supplied headers are stored in the database's session table, it is possible to truncate the input by sending a UTF-8 character. The custom-created payload is then executed once the session is read from the database.

We also need to have a PHP version before 5.4.45 (including 5.3.x), 5.5.29 or 5.6.13. In later versions the deserialisation of invalid session data stops on the first error and the exploit will not work. The PHP patch was included in Ubuntu versions 5.5.9+dfsg-1ubuntu4.13 and 5.3.10-1ubuntu3.20 and in Debian in version 5.4.45-0+deb7u1. Joomla has recently released a patch for this vulnerability.

Now let us see how to use the Joomla HTTP Header Unauthenticated Remote Code Execution exploit. Start Metasploit and search for the exploit as shown below.

joomla_http1

Type the command “show options” to see the required options.

joomla_http2

Set the remote IP address and set the payload as shown below.

joomla_http3

Type the command “check” to see whether the target is vulnerable.

joomla_http4

Next, type the command “exploit” to execute the exploit. You will get the remote system’s shell as shown below.

joomla_http5
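The version conditions given at the start of this post (Joomla 1.5.0 to 3.4.5 together with a PHP build lacking the unserialize fix) can be checked across an inventory; the following is an added example, not part of the original post or of Metasploit. The function names and the host list are hypothetical, and it assumes that later point revisions of the two Ubuntu package series named above keep the fix.

```python
import re

# Branch -> first fixed upstream PHP release, as stated in the post.
PHP_FIXED = {(5, 4): (5, 4, 45), (5, 5): (5, 5, 29), (5, 6): (5, 6, 13)}
# Ubuntu backports named in the post: (upstream, revision prefix) -> first
# patched point revision. Assumption: later point revisions keep the fix.
BACKPORTS = {("5.5.9", "1ubuntu4."): 13, ("5.3.10", "1ubuntu3."): 20}

def triple(version):
    """Parse the leading 'X.Y.Z' of a version string into a tuple of ints."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(part) for part in m.groups())

def joomla_affected(version):
    """True for the affected Joomla range given in the post (1.5.0 to 3.4.5)."""
    return (1, 5, 0) <= triple(version) <= (3, 4, 5)

def php_fix_present(version):
    """True if this PHP build stops unserializing session data on the first error."""
    upstream, _, revision = version.partition("-")
    base = upstream.split("+")[0]            # drop suffixes such as '+dfsg'
    for (pkg_base, prefix), first_fixed in BACKPORTS.items():
        if base == pkg_base and revision.startswith(prefix):
            point = re.match(r"\d+", revision[len(prefix):])
            return bool(point) and int(point.group()) >= first_fixed
    parsed = triple(base)
    if parsed < (5, 4, 0):                   # per the post, upstream 5.3.x is affected
        return False
    fixed = PHP_FIXED.get(parsed[:2])
    return True if fixed is None else parsed >= fixed   # newer branches ship the fix

def assess(joomla_version, php_version):
    """Classify one host from its Joomla and PHP version strings."""
    if not joomla_affected(joomla_version):
        return "joomla not in affected range"
    if php_fix_present(php_version):
        return "affected joomla, php fix present: upgrade joomla"
    return "exploitable: upgrade joomla and php"

if __name__ == "__main__":
    # Constructed inventory (hypothetical hosts), not data from the post.
    inventory = [("web01", "3.4.5", "5.5.9+dfsg-1ubuntu4.11"),
                 ("web02", "3.4.5", "5.5.9+dfsg-1ubuntu4.13"),
                 ("web03", "2.5.28", "5.3.10"),
                 ("web04", "3.4.6", "5.4.44")]
    for host, joomla, php in inventory:
        print(f"{host}: {assess(joomla, php)}")
```

Comparing only the upstream part of a distro package version would flag web02 as vulnerable even though its Ubuntu package carries the backported fix.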

2 thoughts on “Joomla HTTP Header Unauthenticated Remote Code Execution exploit”

  1. […] in software world is that it becomes a target for hackers.  We have just recently seen how to exploit some recent vulnerabilities in Joomla. It would be pretty helpful if the users or testers know the vulnerabilities in their Joomla CMS […]

  2. […] our target’s exact version. For example, take Joomla, a popular CMS. Recently we have seen Joomla HTTP Header Unauthenticated Remote Code Execution exploit which affects Joomla versions 1.5.0 to 3.4.5. We have also seen another exploit  “Joomla […]
