Mallory
Unrated · Public exploit

Unauthenticated Arbitrary File Upload RCE in SP Page Builder for Joomla

Identifiers: CVE-2026-48908, CWE-434

CVE-2026-48908 is an unauthenticated arbitrary file upload vulnerability in SP Page Builder for Joomla. According to the available advisory content, the flaw allows remote, unauthenticated users to upload arbitrary files to the target application, including PHP files, and then execute the uploaded PHP code on the server. This makes the issue effectively a file-upload-to-RCE vulnerability in the Joomla extension SP Page Builder. The specific vulnerable functions or code paths were not provided in the available content.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unauthenticated attacker to place attacker-controlled files on the server and execute uploaded PHP code in the context of the web application. This results in remote code execution and can lead to full compromise of the affected Joomla site and potentially the underlying web application environment, including unauthorized access to application data, web shell deployment, persistence, and follow-on server-side actions permitted by the web server's privileges.

Mitigation

If you can’t patch tonight, do this now.

Until a patch is applied, disable or restrict file upload functionality in SP Page Builder where operationally feasible. Block direct execution of PHP and other server-side scripts from upload directories using web server configuration controls. Restrict access to vulnerable endpoints through network controls or WAF rules where possible, and monitor for suspicious file upload attempts and creation of executable files in Joomla-related directories. Enable logging and file integrity monitoring on web content and upload paths.
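The monitoring step above is easier to act on with concrete indicators. The following is an added example (not Mallory's, JoomShaper's, or any of the listed repositories' code) that scans web-server access log lines for the two fingerprints the exploit summaries on this page describe: POSTs to the asset.uploadCustomIcon task, and requests for script-type files or .htaccess under media/com_sppagebuilder/assets/iconfont. The log lines are constructed samples; the IP addresses, directory names and parameter values in them are placeholders, and the combined-log regex assumes the default Apache/nginx "combined" format.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [24/Jun/2026:10:01:02 +0000] "POST /index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Jun/2026:10:01:03 +0000] "GET /media/com_sppagebuilder/assets/iconfont/k3x9/fonts/a1b2.PHP?t=abc&c=id HTTP/1.1" 200 64 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Jun/2026:10:02:10 +0000] "GET /media/com_sppagebuilder/assets/iconfont/site/fonts/icomoon.ttf HTTP/1.1" 200 9810 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Jun/2026:10:02:11 +0000] "GET /index.php?option=com_content&view=article&id=4 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Minimal "combined" format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Directory the exploit write-ups name as the extraction target.
UPLOAD_DIR = "/media/com_sppagebuilder/assets/iconfont/"
# PHP-capable extensions listed in the exploit summaries; compared case-insensitively.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "php7", "pht", "phtml", "phar"}


def classify(line):
    """Return a finding dict for a suspicious log line, or None for benign lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    qs = parse_qs(parts.query)
    path = parts.path
    findings = []

    # Fingerprint 1: an unauthenticated POST to the vulnerable upload task.
    if (m["method"] == "POST" and path.endswith("/index.php")
            and qs.get("option") == ["com_sppagebuilder"]
            and qs.get("task") == ["asset.uploadCustomIcon"]):
        findings.append("upload_endpoint_post")

    # Fingerprint 2: script files or .htaccess being served from the upload directory.
    if path.startswith(UPLOAD_DIR):
        name = path.rsplit("/", 1)[-1]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in SCRIPT_EXTS or name.lower() == ".htaccess":
            findings.append("script_in_upload_dir")
        # The write-ups describe a token parameter t and a command parameter c/cmd.
        if "t" in qs and ("c" in qs or "cmd" in qs):
            findings.append("webshell_style_params")

    if not findings:
        return None
    return {"ip": m["ip"], "status": m["status"], "target": m["target"], "findings": findings}


def analyze(log_text):
    """Classify every line; return (events, clients that both uploaded and hit a script)."""
    events = [e for e in (classify(line) for line in log_text.splitlines()) if e]
    by_ip = {}
    for e in events:
        by_ip.setdefault(e["ip"], set()).update(e["findings"])
    high_confidence = sorted(
        ip for ip, f in by_ip.items()
        if "upload_endpoint_post" in f and "script_in_upload_dir" in f
    )
    return events, high_confidence


if __name__ == "__main__":
    events, high = analyze(SAMPLE_LOG)
    for e in events:
        print(e["ip"], e["status"], ",".join(e["findings"]), e["target"])
    print("high-confidence clients:", high)
```

A single POST to the upload task is only a weak signal on its own (legitimate administrators upload icon packages too); the useful alert is the same client reaching a script-type file under the iconfont directory shortly afterwards, which is what `analyze` surfaces as high confidence. Pair this with file-integrity monitoring on the upload path, since a web server that refuses to execute PHP there will still record the upload.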

Remediation

Patch, then assume compromise.

Apply the vendor-provided security update or patched version of SP Page Builder for Joomla as soon as it is available. Review the extension’s upload handling logic to ensure strict server-side validation of file type, extension, MIME type, storage path, and execution permissions. Remove any malicious or unauthorized uploaded files, especially PHP or other executable content, from upload directories and web-accessible paths. Conduct compromise assessment on affected systems for webshells, modified content, unauthorized administrator accounts, and suspicious outbound connections.
PUBLIC EXPLOITS

Exploits

4 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).

Valid: 4 / 5 total
CVE-2026-48908 · Maturity: PoC · Verified exploit

This repository is a small, focused exploit PoC consisting of one Python exploit script and one README. The main file, CVE-2026-48908.py, targets CVE-2026-48908, described as an unauthenticated arbitrary file upload leading to RCE in the SP Page Builder Joomla component via the task asset.uploadCustomIcon endpoint. The script is a real exploit, not merely a detector: it programmatically builds a malicious ZIP archive that imitates an IcoMoon icon package, uploads it to the vulnerable endpoint, and attempts to place a PHP webshell into the component's iconfont directory. Exploit flow: the script normalizes the target URL, creates a requests session with a custom user-agent, generates random names for the icon package and shell, and builds a ZIP containing selection.json, style.css, a fake TTF file, and the PHP payload. It first tries direct upload of a .php shell. If that fails, it retries with a .PHP shell plus a fonts/.htaccess file containing an AddType directive to coerce Apache into executing the uppercase extension. After upload, it parses the JSON response to recover the resulting iconfont directory, constructs the expected shell path, and verifies RCE by requesting the shell with a secret token and a benign echo command. On success, it prints the shell URL and can either execute a single command or enter an interactive shell loop. The payload is a simple PHP webshell gated by a token parameter t. If the token matches, it executes arbitrary system commands supplied via GET parameter c or cmd. This makes the exploit operational rather than a bare PoC, because it provides immediate post-exploitation command execution. A cleanup option is also present; it issues a remote rm -rf command against the uploaded directory as a best-effort removal step. Repository structure is minimal: README.md documents the claimed vulnerability, affected versions (1.0.0 through 6.6.1), impact, and mitigation, while the Python script contains all exploit logic. No external framework is used. The attack vector is web/network-based, and the key fingerprintable target is the Joomla endpoint index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon along with the upload directory media/com_sppagebuilder/assets/iconfont.

0xBlackash · Disclosed Jun 24, 2026 · python, markdown, web, network
CVE-2026-48908-SP-Page-Builder-Joomla · Maturity: PoC · Verified exploit

This repository is a small standalone Go exploit project for CVE-2026-48908 targeting the Joomla SP Page Builder component (com_sppagebuilder) up to version 6.6.1. The repository contains only three files: a large .gitignore, a README with usage and vulnerability description, and a single Go source file, poc_tot.go, which is the full exploit implementation and likely sole executable entry point. The exploit is not part of a larger framework. It is an operational standalone tool that automates unauthenticated remote code execution by abusing the SP Page Builder asset upload endpoint index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon. The code constructs malicious ZIP archives intended for extraction into the web-accessible media/com_sppagebuilder/assets/iconfont directory or related writable paths. The README and visible code indicate multiple upload/execution strategies: direct PHP extension attempts, directory traversal, archive manipulation, and extension spoofing/case variation. The presence of an Apache .htaccess payload with AddType application/x-httpd-php .PHP suggests the exploit also tries to coerce execution of nonstandard or uppercase PHP extensions. The embedded payload is a minimal PHP webshell generated in buildZip(). It checks a token passed in GET parameter t and, if matched, executes the command from GET parameter c using system(). Otherwise it returns HTTP 404 to reduce visibility. After successful upload and extraction, the Go client verifies code execution, prints the resulting shell URL, supports one-shot command execution, offers an interactive shell mode, and can attempt cleanup of uploaded artifacts and created directories. Notable implementation details visible in the code include URL normalization, a custom HTTP client with TLS verification disabled (InsecureSkipVerify: true), redirect handling, random artifact naming, ZIP creation, and command/result handling. Based on the README and code fragments, the tool supports check mode for vulnerability confirmation, shell mode for interactive command execution, and cleanup mode for artifact removal. Overall, this is a real exploit rather than a detector: its purpose is to achieve unauthenticated RCE on vulnerable Joomla SP Page Builder deployments by planting and invoking a PHP webshell through the vulnerable icon upload/extraction workflow.

gagaltotal · Disclosed Jun 24, 2026 · go, markdown, web, network
CVE-2026-48908 · Maturity: PoC · Verified exploit

Repository contains a Python proof-of-concept exploit for CVE-2026-48908 affecting SP Page Builder for Joomla. Structure is minimal: README.md documents the vulnerability and usage, exploit_poc.py implements the exploit logic, and requirements.txt lists dependencies (requests, frint). The exploit is a real unauthenticated RCE tool, not just a detector. It targets the com_sppagebuilder asset.uploadCustomIcon task by uploading a crafted ZIP masquerading as an icon-font package. The ZIP includes expected files such as selection.json, style.css, and a dummy TTF, plus a PHP payload placed under fonts/. After upload, the script derives the extracted path under /media/com_sppagebuilder/assets/iconfont/<random>/fonts/ and attempts to access the uploaded shell directly over HTTP.

Core capabilities:
- Single-target exploitation via URL.
- Mass scanning from a hosts file with multithreading.
- Probe/check mode without command execution.
- Automatic testing of multiple PHP-capable extensions: php, php3, php4, php5, php7, pht, phtml, phar, PHP, pHp, Php.
- Fallback .htaccess bypass that writes fonts/.htaccess with 'AddType application/x-httpd-php .PHP' to force execution of uppercase .PHP files when the application filter is case-sensitive.
- Built-in token-guarded PHP webshell that executes arbitrary commands from GET parameter c when token t matches.
- Optional upload of a custom operator-supplied PHP shell instead of the built-in payload.
- Result classification into RCE, write-only/partial, custom-shell upload, or not vulnerable, with output persisted to multiple text files and scan_results.json.

The code uses requests with TLS verification disabled, normalizes targets to HTTPS by default, and handles malformed/non-JSON server responses by extracting JSON from raw response text. Successful exploitation yields a reachable webshell URL and arbitrary command execution on the remote server. If upload succeeds but PHP execution is blocked in /media, the script reports the host as partially vulnerable (file write only).

ogenich · Disclosed Jun 24, 2026 · markdown, python, web, network
CVE-2026-48908-PoC · Maturity: PoC · Verified exploit

This repository is a small standalone Python proof-of-concept exploit for CVE-2026-48908 affecting JoomShaper SP Page Builder (com_sppagebuilder) on Joomla. Repository structure is minimal: README.md documents the vulnerability and usage, requirements.txt lists the single dependency (requests), and sppb_rce.py is the only code file and clear entry point. The exploit targets the unauthenticated upload controller task index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon. It crafts an in-memory ZIP archive that mimics a valid icon-font package by including selection.json, style.css, and a dummy TTF file. It then adds two malicious files under the fonts/ subdirectory: a .htaccess file containing 'AddType application/x-httpd-php .PHP' and an uppercase-extension PHP web shell. This is designed to bypass a case-sensitive extension blocklist that rejects lowercase .php but allows .PHP and .htaccess, then rely on Apache override behavior to execute the uploaded .PHP file. Operational flow in sppb_rce.py: normalize target URL, generate random directory and shell names plus a per-run token, build the ZIP payload, POST it unauthenticated as multipart field custom_icon to the vulnerable task, parse the JSON response to recover the extracted iconfont directory, and then invoke the uploaded shell over HTTP GET with parameters t (token) and c (command). The script confirms RCE by executing 'echo SPPB-RCE-$((7*6))' and checking for 'SPPB-RCE-42'. It supports three main modes: check-only confirmation, one-shot command execution (default command id), and an interactive pseudo-shell. An optional cleanup mode attempts to remove the uploaded payload directory by issuing a shell command through the web shell. Main exploit capabilities: unauthenticated arbitrary file upload to a web-served directory, remote code execution via uploaded PHP web shell, arbitrary command execution, interactive shell-like access, and artifact cleanup. The exploit is not merely a detector; it contains a working payload and execution logic, but it is still a standalone PoC rather than a framework-integrated or highly modular weaponized tool.
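The Remediation section calls for strict server-side validation of uploaded archives, and the exploit summaries above explain exactly which weak check the PoCs bypass: a case-sensitive blocklist that rejects ".php" but lets ".PHP" and ".htaccess" through. The following is an added example (not JoomShaper's, Mallory's, or any PoC repository's code) contrasting that weak check with a hardened archive validator built on an extension allowlist, case-insensitive matching, dotfile and traversal rejection, and a sanity check on selection.json. The archives are constructed in memory with placeholder contents, not real payloads; the allowlist of icon-package file types is an assumption about what such a package legitimately contains.

```python
import io
import json
import zipfile

# Assumed allowlist for an icon-font package; a real deployment should derive this
# from what the extension actually needs, not from a blocklist.
ALLOWED_EXTS = {"json", "css", "ttf", "woff", "woff2", "eot"}
# PHP-capable extensions named in the exploit summaries, used only as a second check
# against double extensions such as "x.php.ttf" on handler-based servers.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "php7", "pht", "phtml", "phar", "phps"}
MAX_ENTRIES = 200
MAX_UNCOMPRESSED = 5 * 1024 * 1024


def weak_check(names):
    """The kind of case-sensitive blocklist the write-ups describe being bypassed.
    Returns the names it would reject; everything else is accepted."""
    return [n for n in names if n.endswith(".php")]


def entry_problem(name):
    """Hardened per-entry check. Returns a reason string, or None if the name is acceptable."""
    if name.startswith("/") or "\\" in name or ":" in name:
        return f"{name}: absolute or non-POSIX path"
    parts = [p for p in name.split("/") if p != ""]
    if not parts or ".." in parts:
        return f"{name}: empty name or path traversal"
    if name.endswith("/"):
        return None  # directory entry; nothing to execute
    base = parts[-1]
    if base.startswith("."):
        return f"{name}: dotfiles such as .htaccess are not allowed"
    segs = base.lower().split(".")
    if len(segs) < 2:
        return f"{name}: missing extension"
    ext = segs[-1]
    if ext not in ALLOWED_EXTS:
        return f"{name}: extension '{ext}' not in allowlist"
    if any(s in SCRIPT_EXTS for s in segs[1:-1]):
        return f"{name}: script extension embedded in file name"
    return None


def hardened_check(zip_bytes):
    """Validate a whole archive before extraction. Returns a list of problems (empty = OK)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ["not a ZIP archive"]
    problems = []
    infos = zf.infolist()
    if len(infos) > MAX_ENTRIES:
        problems.append(f"too many entries ({len(infos)})")
    entries = {}  # normalized name -> original entry name
    total = 0
    for info in infos:
        total += info.file_size
        reason = entry_problem(info.filename)
        if reason:
            problems.append(reason)
        elif not info.is_dir():
            entries["/".join(p for p in info.filename.split("/") if p)] = info.filename
    if total > MAX_UNCOMPRESSED:
        problems.append(f"uncompressed size {total} exceeds limit")
    if "selection.json" not in entries:
        problems.append("missing selection.json")
    else:
        try:
            json.loads(zf.read(entries["selection.json"]))
        except ValueError:
            problems.append("selection.json is not valid JSON")
    return problems


def _make_zip(files):
    """Build an in-memory ZIP from a {name: bytes} mapping (test fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed fixtures. Contents are placeholders, not real fonts or scripts.
BENIGN_ZIP = _make_zip({
    "selection.json": b'{"icons": []}',
    "style.css": b".icon { display: inline-block; }",
    "fonts/icomoon.ttf": b"placeholder font bytes",
})
HOSTILE_ZIP = _make_zip({
    "selection.json": b'{"icons": []}',
    "style.css": b".icon {}",
    "fonts/icomoon.ttf": b"placeholder font bytes",
    "fonts/.htaccess": b"# placeholder, no directives",
    "fonts/shell.PHP": b"placeholder, no code",
    "../outside.css": b"placeholder",
})


def zip_names(zip_bytes):
    return zipfile.ZipFile(io.BytesIO(zip_bytes)).namelist()


if __name__ == "__main__":
    print("weak check rejects:", weak_check(zip_names(HOSTILE_ZIP)))      # nothing
    print("hardened check problems:", hardened_check(HOSTILE_ZIP))        # three findings
    print("benign package problems:", hardened_check(BENIGN_ZIP))         # []
```

The weak check accepts the hostile package outright because none of its names end in lowercase ".php"; the hardened check rejects the uppercase shell, the dotfile and the traversal entry independently, so no single bypass trick gets all three through. Validation of names is necessary but not sufficient: it should sit alongside the web-server control from the Mitigation section that refuses to execute scripts from the upload path at all, and the extracted files should be written with non-executable permissions.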

papageo75 · Disclosed Jun 22, 2026 · python, web, network
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor       Product          Type
JoomShaper   Sp Page Builder  application

Vendor-confirmed product mapping.

ACTIVITY FEED

Recent activity

9 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

No news coverage yet. Advisories and community discussion only.
