## https://sploitus.com/exploit?id=449EB399-8D3C-5528-B03B-B58DC4645B9D
# MASTA CVE-2026-48907 Scanner
Joomla! JCE < 2.9.99.5 Unauthenticated Remote Code Execution (RCE) Scanner
---
## LEGAL DISCLAIMER & ETHICAL USE
> **This tool is strictly for AUTHORIZED SECURITY TESTING on assets you OWN or have EXPLICIT WRITTEN PERMISSION to test.**
By using this software, you agree to the following terms:
1. **Authorized Use Only**: Scanning, exploiting, or uploading files to systems without the owner's explicit written consent is **ILLEGAL** in most jurisdictions.
2. **Intrusive by Design**: This tool performs **active exploitation**, including uploading Proof-of-Concept (POC) PHP files to the target server (`/tmp/` and `/images/`). It is not a passive scanner.
3. **No Liability**: The author (`Hussein Mohamed / masta ghimau`) and contributors **accept absolutely NO liability** for any misuse, damage, legal action, or criminal prosecution resulting from the use of this tool.
4. **You Are Solely Responsible**: Any illegal or unauthorized usage is entirely **your own responsibility**. If you use this tool without permission, you alone face the legal consequences.
5. **Cleanup Obligation** โ Any POC file uploaded during a successful run **must be manually deleted** by you immediately after verification. The tool will not auto-delete them.
**If you do not understand these terms, or do not have permission to test the target, DO NOT run this tool.**
---
## Notice: Intrusive High-Accuracy Testing
To achieve **CONFIRMED** accuracy (not guesswork), this tool cannot rely solely on passive version fingerprinting. JCE often hides its version or uses generic file paths. Therefore, the scanner executes **intrusive, real-world exploit vectors**:
| Passive (Safe) | Intrusive (This Tool) |
|---|---|
| Headers / HTML meta tags | Active file upload via profile import |
| Static asset probing | Upload via JCE Browser plugin + rename |
| Guess version from XML | **Live** verification of PHP execution (math check) |
**Use wisely.**
- intrusive checks = **definitive proof** of vulnerability.
- intrusive checks = **evidence** left on the target disk.
- Always ensure you have **explicit authorization** before running this scanner.
---
## Overview
**MASTA CVE-2026-48907 Scanner** is a multi-threaded, Excel-reporting exploit scanner that detects the critical **JCE Editor** unauthenticated RCE vulnerability (patched in **JCE 2.9.99.5**). It implements both known public vectors discovered by security researchers:
- **Vector 1 (Profile Import -> `tmp/`)**: Discovered by *ywh-jfellus*. Uploads a PHP payload through the profile import function. The file lands in Joomla's `tmp/` directory without validation.
- **Vector 2 (Browser Plugin -> `images/`)**: Discovered by *BIBIL_0DAY*. Imports a permissive editor profile, uploads via the JCE Browser RPC endpoint, and attempts a rename bypass (`.gif` -> `.php`).
The tool uses a **base64-encoded math challenge** (`MATHOK:{random}`) to eliminate false positives and confirm that PHP actually executed on the target.
---
## Features
- **Dual Exploit Vectors**: Tests both the `tmp/` profile import and the `images/` browser upload chains.
- **False-Positive Proof**: Uses a randomized math-check payload encoded in base64. Only live code execution confirms `VULNERABLE`.
- **Upload-Only Detection**: Even if PHP execution is disabled, the tool reports `VULNERABLE_UPLOAD_ONLY` if a file was successfully written to disk.
- **Concurrent Scanning**: `ThreadPoolExecutor` for bulk target assessment.
- **Rich Terminal UI**: ASCII/Rich dashboard with per-target color coding.
- **Excel Reporting**: Auto-generated `.xlsx` reports with color-coded status cells.
- **WAF Detection**: Identifies Cloudflare, Incapsula, Sucuri, and ModSecurity blocks.
- **Zero External Exploit Dependencies**: Pure Python standard library (`urllib`) plus optional `openpyxl`/`rich`.
---
## Attack Flow Graph
```mermaid
flowchart TD
    A["Start: Load Targets"] --> B["Normalize URL"]
    B --> C{"Probe Joomla! Fingerprint"}
    C -->|Not Found| D{"Probe JCE Component"}
    C -->|Found| D
    D -->|Not Found| E["Status: NOT_JOOMLA"]
    D -->|Found| F{"Version Check"}
    F -->|2.9.99.5 or newer| G["Status: PATCHED"]
    F -->|Older than 2.9.99.5 or unknown| H{"Extract CSRF Token"}
    H -->|Token Missing| I["Status: Likely PATCHED / Incompatible"]
    H -->|Token Found| J{"Vector 1:<br/>Profile Import to /tmp/"}
    J -->|HTTP 200 Upload| K["Verify /tmp/{random}.xml.php<br/>Base64 Math Check"]
    K -->|RXST Match / MATHOK Confirmed| L["Status: VULNERABLE<br/>Vector: V1"]
    K -->|File Exists / No Execution| M["Status: VULNERABLE_UPLOAD_ONLY"]
    J -->|Failed| N{"Vector 2:<br/>Browser Chain via /images/"}
    N -->|Import Permissive Profile| O["Upload PHP Variants<br/>GIF Wrap + Rename Bypass"]
    O -->|RXST Match / MATHOK Confirmed| P["Status: VULNERABLE<br/>Vector: V2"]
    O -->|Upload Only| Q["Status: VULNERABLE_UPLOAD_ONLY"]
    O -->|All Failed| R["Status: SAFE<br/>Likely Patched / Hardened"]
    style L fill:#ff0000,color:#fff
    style P fill:#ff0000,color:#fff
    style M fill:#ff8c00,color:#fff
    style Q fill:#ff8c00,color:#fff
    style G fill:#90ee90
    style I fill:#ffd700
    style E fill:#d3d3d3
    style R fill:#87ceeb
    G --> S["Generate Report"]
    E --> S
    I --> S
    L --> S
    M --> S
    P --> S
    Q --> S
    R --> S
    S --> T["Export Excel + Console Summary"]
```
## Screenshots
1. **Tool Output (Console)**
   *(Tool Output Screenshot)*
   Example: Scanning multiple NS Government portals with color-coded status output.
2. **Excel Report**
   *(Excel Report Screenshot)*
   Example: Auto-generated `.xlsx` with styled cells, confidence levels, and remediation advice.
## Installation
Requires Python 3.8+.
```bash
# Clone the repository
git clone https://github.com//masta-cve-2026-48907.git
cd masta-cve-2026-48907
# (Optional but recommended) Install reporting dependencies
pip install openpyxl rich
```
### Dependencies
| Package | Required | Purpose |
|---|---|---|
| python3 | Yes | Core runtime |
| openpyxl | Optional | Excel `.xlsx` report generation |
| rich | Optional | Terminal tables & panels |
## Usage
### Single Target
```bash
python3 masta-cve-2026-48907.py -u https://target.com/joomla
```
### Bulk Target List
```bash
python3 masta-cve-2026-48907.py -l targets.txt -t 10
```
### Pipeline Mode
```bash
cat urls.txt | python3 masta-cve-2026-48907.py -t 15
```
### With Burp / Proxy
```bash
python3 masta-cve-2026-48907.py -u https://target.com -p http://127.0.0.1:8080
```
### Debug Mode (Troubleshooting)
If a target you know is vulnerable returns `SAFE`, use debug mode to see step-by-step logs:
```bash
python3 masta-cve-2026-48907.py -u https://jkrns.ns.gov.my -d -v
```
### All Options
```text
-u, --url       Single target URL
-l, --list      File containing URLs (one per line)
-o, --output    Excel output path (default: reports/masta-cve-2026-48907-report-{timestamp}.xlsx)
-t, --threads   Workers (default: 5)
-p, --proxy     Proxy, e.g. http://127.0.0.1:8080
--timeout       Timeout in seconds (default: 12)
-v, --verbose   Verbose per-target card output
-d, --debug     Debug mode: log exploit chain steps
--no-color      Disable ANSI colors
```
## How It Works
### Fingerprinting
- Detects Joomla! via headers, generator meta tags, static assets (`/media/system/js/core.js`), admin login pages, and XML manifests.
- Detects JCE via `/plugins/editors/jce/jce.xml`, `/administrator/components/com_jce/jce.xml`, and static assets.
### Version Parsing
- Extracts the JCE version from exposed XML manifests.
- Compares it against `2.9.99.5`. If equal or higher, the target is reported as `PATCHED`.
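The version comparison behind that passive check, as an added example that is not part of this README or the scanner's own code: it pulls `<version>` out of a constructed Joomla-style manifest and compares it as a numeric tuple against 2.9.99.5, which is what an administrator can run against their own `jce.xml` to confirm a patched install.

```python
import re
from typing import Optional, Tuple

# Version that ships the fix, as stated in this README.
PATCHED_VERSION = "2.9.99.5"

# Constructed sample manifest (not a real JCE file) in the Joomla extension layout.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<extension type="component" method="upgrade">
  <name>JCE</name>
  <version>2.9.99.4</version>
</extension>"""

def parse_version(text: str) -> Tuple[int, ...]:
    """'2.9.99.5' -> (2, 9, 99, 5); parsing stops at the first non-numeric part."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def extract_manifest_version(xml_text: str) -> Optional[str]:
    """Pull the <version> element out of an extension manifest, or None."""
    m = re.search(r"<version>\s*([^<\s]+)\s*</version>", xml_text, re.I)
    return m.group(1) if m else None

def is_patched(version: str) -> bool:
    # Tuple comparison avoids the string trap where "2.9.100" sorts below "2.9.99.5".
    # A bare "2.9.99" compares as (2, 9, 99) < (2, 9, 99, 5), i.e. not patched.
    return parse_version(version) >= parse_version(PATCHED_VERSION)

def classify_manifest(xml_text: str) -> str:
    """PATCHED / POSSIBLY_VULNERABLE from the manifest alone; UNKNOWN if no version."""
    version = extract_manifest_version(xml_text)
    if version is None:
        return "UNKNOWN"
    return "PATCHED" if is_patched(version) else "POSSIBLY_VULNERABLE"
```

A manifest at or above 2.9.99.5 is enough to report `PATCHED`; anything lower or missing is exactly the case this README says needs active confirmation rather than a verdict.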
### CSRF Token Extraction
Extracts the Joomla CSRF token from the homepage via multiple regex patterns (`csrf.token`, hidden inputs, meta tags).
### Vector 1: Profile Import (`tmp/`)
1. POSTs a malicious `.xml.php` (random filename) to `index.php?option=com_jce&task=profiles.import`.
2. If HTTP 200 is returned, the file is assumed written.
3. Verifies execution by requesting `https://target.com/tmp/{random}.xml.php` and checking the base64 math response.
### Vector 2: Browser Chain (`images/`)
1. Checks `cpanel.feed` for unauthenticated JCE browser access.
2. Imports a permissive profile allowing PHP uploads.
3. Uploads multiple variants (`.php`, `.phtml`, `.php5`, `.php7`, `.gif` wrapped) via the Browser RPC endpoint.
4. Attempts a PHP rename via JSON-RPC if the GIF upload succeeds.
5. Verifies execution at `https://target.com/images/{random}.php`.
### Classification
- **VULNERABLE**: PHP executed the math check (`MATHOK` confirmed).
- **VULNERABLE_UPLOAD_ONLY**: File was uploaded to disk but PHP execution was blocked.
- **PATCHED**: JCE version >= 2.9.99.5 or missing CSRF form.
- **SAFE**: JCE found but active exploitation failed.
- **BLOCKED_BY_WAF**: Firewall intervened during verification.
- **NOT_JOOMLA**: Neither Joomla! nor JCE detected.
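Both vectors above leave a recognisable trace in the web server's access log: a POST to the `profiles.import` task followed by a fetch of a PHP file under `tmp/` or `images/`. As an added example that is not part of this README or the scanner, the following detection logic runs over constructed combined-format log lines (the IPs and filenames are made up) and groups the indicators by source address so the upload-then-verify chain stands out.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: ip ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Artifacts of the two vectors above: the profile-import task, and PHP files
# under tmp/ or images/ with the extensions the README lists.
PROFILE_IMPORT_TASK = "profiles.import"
DROPPED_FILE_RE = re.compile(
    r"^/(?:tmp/[^/]+\.xml\.php|images/[^/]+\.(?:php|phtml|php5|php7))$", re.I)

# Constructed sample lines (not real traffic): a full V1 chain from 203.0.113.7
# and a V2 file fetch that a WAF answered with 403 from 198.51.100.9.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/May/2026:10:00:01 +0000] "POST /index.php?option=com_jce&task=profiles.import HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/May/2026:10:00:02 +0000] "GET /tmp/masta4f2a.xml.php HTTP/1.1" 200 38',
    '198.51.100.9 - - [01/May/2026:10:05:00 +0000] "GET /images/banner.jpg HTTP/1.1" 200 9001',
    '198.51.100.9 - - [01/May/2026:10:05:03 +0000] "GET /images/masta8b1c.php HTTP/1.1" 403 0',
]

def analyze_line(line: str) -> List[str]:
    """Return the indicator names a single access-log line matches."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(unquote(m.group("path")))
    query = {k: v[0].lower() for k, v in parse_qs(parts.query).items()}
    findings = []
    if (m.group("method") == "POST" and query.get("option") == "com_jce"
            and query.get("task") == PROFILE_IMPORT_TASK):
        findings.append("jce_profile_import")
    if DROPPED_FILE_RE.match(parts.path):
        # 200 on the dropped file means the server served (likely executed) it;
        # any other status is still an attempt worth investigating.
        executed = m.group("status") == "200"
        findings.append("php_in_upload_dir_executed" if executed else "php_in_upload_dir")
    return findings

def scan_log(lines) -> Dict[str, List[str]]:
    """Group indicators by source IP so the upload-then-fetch chain stands out."""
    per_ip: Dict[str, List[str]] = {}
    for line in lines:
        found = analyze_line(line)
        if found:
            per_ip.setdefault(LOG_RE.match(line).group("ip"), []).extend(found)
    return per_ip
```

A `jce_profile_import` hit paired with `php_in_upload_dir_executed` from the same address is the log-side equivalent of this tool's `VULNERABLE` verdict and should trigger the cleanup steps listed further down.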
## Report Output
An Excel report is auto-generated in the `reports/` directory. Each row includes:
- Target URL
- Joomla! / JCE detected status & versions
- Final Status (`VULNERABLE`, `PATCHED`, `SAFE`, etc.)
- Confidence Level
- Proof URL (if shell confirmed)
- Uploaded Filename (for manual cleanup)
- Remediation Action
## Mandatory Cleanup
> This scanner intentionally uploads files to prove exploitability.
If the scan returns `VULNERABLE` or `VULNERABLE_UPLOAD_ONLY`, you MUST manually delete the uploaded file(s) from the server:
- `/tmp/masta{random}.xml.php`
- `/images/masta{random}.php` (or `.phtml`, `.php5`, `.php7`)
The tool prints these filenames at the end of the scan. Do not leave POC files on production servers.
## License & Author
- Author: Hussein Mohamed (masta ghimau)
- CVE: CVE-2026-48907
This project is provided for educational and authorized security testing purposes only.
If you use this tool illegally, you are on your own. Respect the law. Test responsibly.