## https://sploitus.com/exploit?id=9D8EF289-CD29-521C-A5DA-0E5AF14AF08F
# Page Builder CK: fonts.save RCE Probe

**BlackHat Team** proof-of-concept scanner for the Joomla **Page Builder CK** `fonts.save` vulnerability.

> **Author:** [@mrzblackhat](https://t.me/mrzblackhat)  
> **Team:** BlackHat Team  
> **Credits:** Peyman Siyahi · MR.PERSIA

---

## Overview

This tool probes Joomla sites running the vulnerable **com_pagebuilderck** component. It abuses the `fonts.save` task to pull a remote payload and writes a web shell under:

```
media/com_pagebuilderck/gfonts/fbi.php
```

RCE is confirmed when the uploaded shell responds with an HTML `<title>` containing **`Fbi Shell`**.

Supports **single-target** and **mass** scanning with threaded workers and instant hit saving.

---

## Requirements

- Python **3.10+**
- `requests`
- `urllib3`

```bash
pip install requests urllib3
```

---

## Usage

### Single target

```bash
python3 poc.py --url https://example.com --insecure
```

### Mass scan

```bash
python3 poc.py --mass targets.txt --insecure --threads 20 --timeout 12
```

`targets.txt` holds one URL per line; lines beginning with `#` are treated as comments and ignored.

### Options

| Flag | Description |
|------|-------------|
| `--url URL` | Scan a single target |
| `--mass FILE` | Scan targets from a file |
| `--insecure` | Skip TLS certificate verification |
| `--threads N` | Worker threads for mass mode (default: `20`) |
| `--timeout N` | HTTP timeout in seconds (default: `12`) |
| `--output FILE` | Save confirmed shell URLs (default: `hits.txt`) |

---

## Output

- **HIT**: shell uploaded and PHP executed; the page title contains `Fbi Shell`
- **PART**: file written but PHP not executed
- **MISS**: exploit not confirmed

Confirmed shell URLs are appended to the output file immediately.

---

## Project files

| File | Description |
|------|-------------|
| `poc.py` | Obfuscated release build (run this) |
| `hits.txt` | Default output for confirmed shells |

### Rebuild after editing source

```bash
python3 _build_obf.py
```

---

## How it works

1. Fetch homepage and extract Joomla CSRF token
2. `POST` to `index.php` with `option=com_pagebuilderck&task=fonts.save`
3. Remote `font.css` callback triggers shell write to `gfonts/fbi.php`
4. `GET` the shell path and verify that the `<title>` contains `Fbi Shell`
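
As a defender's counterpart to the steps above, here is an added example (not part of this tool) that scans web-server access logs for the two request patterns the README describes: the `fonts.save` POST to `index.php` and a later GET for a `.php` file under `media/com_pagebuilderck/gfonts/`. The log lines are constructed; the script assumes the `option`/`task` parameters appear in the request line (a POST carrying them only in the body will not show in a standard access log) and generalises from `fbi.php` to any PHP file in that directory, which should hold only CSS and font files.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed access-log sample (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2025:12:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2025:12:00:02 +0000] "POST /index.php?option=com_pagebuilderck&task=fonts.save HTTP/1.1" 303 0 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2025:12:00:04 +0000] "GET /media/com_pagebuilderck/gfonts/fbi.php HTTP/1.1" 200 311 "-" "python-requests/2.31"
198.51.100.4 - - [10/May/2025:12:05:00 +0000] "GET /media/com_pagebuilderck/gfonts/roboto.css HTTP/1.1" 200 842 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Any PHP file under the fonts cache directory is out of place: it should hold CSS/fonts only.
GFONTS_PHP_RE = re.compile(r'^/media/com_pagebuilderck/gfonts/.*\.php', re.IGNORECASE)


def classify(line):
    """Return (client_ip, event) where event is 'fonts_save', 'gfonts_php' or None."""
    m = LOG_RE.match(line)
    if not m:
        return None, None
    url = urlsplit(m['target'])
    params = {k.lower(): v[0].lower() for k, v in parse_qs(url.query).items()}
    if (m['method'] == 'POST' and url.path.endswith('/index.php')
            and params.get('option') == 'com_pagebuilderck'
            and params.get('task') == 'fonts.save'):
        return m['ip'], 'fonts_save'
    if m['method'] == 'GET' and GFONTS_PHP_RE.match(url.path):
        return m['ip'], 'gfonts_php'
    return m['ip'], None


def find_suspects(log_text):
    """Group events by client; a client that did both is a likely exploit attempt."""
    events = defaultdict(set)
    for line in log_text.splitlines():
        ip, event = classify(line)
        if event:
            events[ip].add(event)
    return {ip: sorted(kinds) for ip, kinds in events.items()}


if __name__ == '__main__':
    for ip, kinds in find_suspects(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(kinds)}")
```

A `gfonts_php` hit with status 200 from a client that never issued `fonts_save` still deserves a look, since the file may have been planted earlier or through a different path.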

---

## Disclaimer

This tool is provided for **authorized security research and penetration testing only**.

Unauthorized access to computer systems is illegal. The authors and **BlackHat Team** are not responsible for misuse. Only test systems you own or have explicit written permission to assess.

---

## Contact

- **Telegram:** [https://t.me/mrzblackhat](https://t.me/mrzblackhat)
- **Handle:** `@mrzblackhat`

**BlackHat Team**: Peyman Siyahi · MR.PERSIA

---

*Original research and tooling by [@mrzblackhat](https://t.me/mrzblackhat). Do not redistribute modified copies without attribution.*