gh1mau/masta-cve-2026-48907

GitHub: gh1mau/masta-cve-2026-48907

An intrusive scan-and-verify tool for the Joomla! JCE editor CVE-2026-48907 unauthenticated RCE vulnerability: it confirms the vulnerability through active file upload and a math challenge, then generates a report.

Stars: 0 | Forks: 0

# MASTA CVE-2026-48907 Scanner

**Joomla! JCE < 2.9.99.5 Unauthenticated Remote Code Execution (RCE) Scanner**

## 🚨 Legal Disclaimer & Ethical Use

By using this software, you agree to the following terms:

1. **Authorized use only** — In most jurisdictions, scanning, exploiting or uploading files to a system without the owner's explicit written consent is **illegal**.
2. **Intrusive by design** — This tool performs **active exploitation**, including uploading proof-of-concept (POC) PHP files to the target server (`/tmp/` and `/images/`). It is not a passive scanner.
3. **No liability** — The author (`Hussein Mohamed / masta ghimau`) and contributors accept **absolutely no responsibility** for any misuse, damage, legal action or criminal prosecution resulting from the use of this tool.
4. **You bear full responsibility** — Any illegal or unauthorized use is **entirely your own responsibility**. If you use this tool without permission, you carry the legal consequences yourself.
5. **Cleanup obligation** — Any POC files uploaded during a successful run **must be deleted by you manually, immediately after verification**. The tool does not remove them automatically.

**If you do not understand these terms, or do not have permission for the target being tested, do not run this tool.**

## ⚠️ Note: Intrusive, High-Accuracy Testing

To reach **definitive** accuracy (rather than guesswork), this tool cannot rely on passive version fingerprinting alone. JCE often hides its version or uses generic file paths. The scanner therefore executes **intrusive, real exploitation vectors**:

| Passive (safe) | Intrusive (this tool) |
|---|---|
| Headers / HTML meta tags | Active file upload via profile import |
| Static asset probing | Upload + rename via the JCE Browser plugin |
| Version guessing via XML | **Live** verification of PHP execution (math check) |

**Use wisely.**

- Intrusive checks = **conclusive proof** of the vulnerability.
- Intrusive checks = **traces** left on the target's disk.
- Always make sure you have **explicit authorization** before running this scanner.

## 📋 Overview

**MASTA CVE-2026-48907 Scanner** is a multithreaded vulnerability scanner with Excel reporting that detects the critical **JCE Editor** unauthenticated RCE vulnerability (fixed in **JCE 2.9.99.5**). It implements the two publicly known vectors found by security researchers:

- **Vector 1 (profile import → `tmp/`)**: discovered by *ywh-jfellus*. Uploads a PHP payload through the profile import feature. The file is stored in Joomla's `tmp/` directory without any validation.
- **Vector 2 (Browser plugin → `images/`)**: discovered by *BIBIL_0DAY*. Imports a permissive editor profile, uploads through the JCE Browser RPC endpoint, and attempts a rename bypass (`.gif` → `.php`).

The tool uses a **base64-encoded math challenge** (`MATHOK:{random}`) to rule out false positives and confirm that the target really executes PHP.

## ✨ Features

- **Dual exploitation vectors** — tests both the `tmp/` profile-import chain and the `images/` browser-upload chain.
- **No false positives** — uses a base64-encoded random math-check payload. Only live code execution yields the `VULNERABLE` status.
- **Upload-only detection** — even when PHP execution is disabled, the tool reports `VULNERABLE_UPLOAD_ONLY` if the file was successfully written to disk.
- **Concurrent scanning** — bulk target assessment with a ThreadPoolExecutor.
- **Rich terminal UI** — ASCII/Rich dashboard with per-target color coding.
- **Excel reports** — auto-generated `.xlsx` reports with color-coded status cells.
- **WAF detection** — recognizes blocks by Cloudflare, Incapsula, Sucuri and ModSecurity.
- **Zero external exploit dependencies** — pure Python standard library (`urllib`) plus optional `openpyxl`/`rich`.

## 📊 Attack Flow Diagram

```mermaid
flowchart TD
    A[🚀 Start: Load Targets] --> B[🔗 Normalize URL]
    B --> C{🔍 Probe Joomla!<br/>Fingerprint}
    C -->|❌ Not Found| D{🔍 Probe JCE Component}
    C -->|✅ Found| D
    D -->|❌ Not Found| E[🚫 Status: NOT_JOOMLA]
    D -->|✅ Found| F{📋 Version Check}
    F -->|🔒 >= 2.9.99.5| G[🛡️ Status: PATCHED]
    F -->|🔓 < 2.9.99.5| H[🎫 Extract CSRF Token]
    H -->|🚫 Token Missing| I[⚠️ Status: Likely PATCHED / Incompatible]
    H -->|✅ Token Found| J{💉 Vector 1:<br/>Profile Import to /tmp/}
    J -->|📤 HTTP 200 Upload| K[🔎 Verify /tmp/{random}.xml.php<br/>Base64 Math Check]
    K -->|🎯 RXST Match<br/>MATHOK Confirmed| L[💀 Status: VULNERABLE<br/>Vector: V1]
    K -->|📄 File Exists<br/>No Execution| M[⚡ Status: VULNERABLE_UPLOAD_ONLY]
    J -->|❌ Failed| N{💉 Vector 2:<br/>Browser Chain via /images/}
    N -->|📥 Import Permissive Profile| O[📤 Upload PHP Variants<br/>GIF Wrap + Rename Bypass]
    O -->|🎯 RXST Match<br/>MATHOK Confirmed| P[💀 Status: VULNERABLE<br/>Vector: V2]
    O -->|📄 Upload Only| Q[⚡ Status: VULNERABLE_UPLOAD_ONLY]
    O -->|❌ All Failed| R[✅ Status: SAFE<br/>Likely Patched / Hardened]
    style L fill:#ff0000,color:#fff
    style P fill:#ff0000,color:#fff
    style M fill:#ff8c00,color:#fff
    style Q fill:#ff8c00,color:#fff
    style G fill:#90ee90
    style I fill:#ffd700
    style E fill:#d3d3d3
    style R fill:#87ceeb
    G --> S[📊 Generate Report]
    E --> S
    I --> S
    L --> S
    M --> S
    P --> S
    Q --> S
    R --> S
    S --> T[📁 Export Excel + Console Summary]
```

## 📸 Screenshots

### 1. Tool Output (Console)

Tool Output Screenshot (image not reproduced here). Example: Scanning multiple NS Government portals with color-coded status output.

### 2. Excel Report

Excel Report Screenshot (image not reproduced here). Example: Auto-generated .xlsx with styled cells, confidence levels, and remediation advice.

## 🛠️ Installation

Requires Python 3.8+.

```bash
# Clone the repository
git clone https://github.com//masta-cve-2026-48907.git
cd masta-cve-2026-48907

# (optional but recommended) install the reporting dependencies
pip install openpyxl rich
```

### Dependencies

| Package | Required | Purpose |
|---|---|---|
| python3 | ✅ Yes | Core runtime |
| openpyxl | ❌ Optional | Excel .xlsx report generation |
| rich | ❌ Optional | Beautiful terminal tables & panels |

## 🚀 Usage

### Single Target

```bash
python3 masta-cve-2026-48907.py -u https://target.com/joomla
```

### Bulk Target List

```bash
python3 masta-cve-2026-48907.py -l targets.txt -t 10
```

### Pipeline Mode

```bash
cat urls.txt | python3 masta-cve-2026-48907.py -t 15
```

### With Burp / Proxy

```bash
python3 masta-cve-2026-48907.py -u https://target.com -p http://127.0.0.1:8080
```

### Debug Mode (Troubleshooting)

If a target you know is vulnerable returns SAFE, use debug mode to see step-by-step logs:

```bash
python3 masta-cve-2026-48907.py -u https://jkrns.ns.gov.my -d -v
```

### All Options

```
-u, --url        Single target URL
-l, --list       File containing URLs (one per line)
-o, --output     Excel output path (default: reports/masta-cve-2026-48907-report-{timestamp}.xlsx)
-t, --threads    Workers (default: 5)
-p, --proxy      Proxy, e.g. http://127.0.0.1:8080
--timeout        Timeout in seconds (default: 12)
-v, --verbose    Verbose per-target card output
-d, --debug      Debug mode: log exploit chain steps
--no-color       Disable ANSI colors
```

## 🎯 How It Works

### Fingerprinting

Detects Joomla!
via headers, generator meta tags, static assets (`/media/system/js/core.js`), admin login pages, and XML manifests. Detects JCE via `/plugins/editors/jce/jce.xml`, `/administrator/components/com_jce/jce.xml`, and static assets.

### Version Parsing

Extracts the JCE version from exposed XML manifests and compares it against 2.9.99.5. If the version is equal or higher, the target is reported as PATCHED.

### CSRF Token Extraction

Extracts the Joomla CSRF token from the homepage via multiple regex patterns (`csrf.token`, hidden inputs, meta tags).

### Vector 1: Profile Import (tmp/)

- POSTs a malicious `.xml.php` (random filename) to `index.php?option=com_jce&task=profiles.import`.
- If HTTP 200 is returned, the file is assumed written.
- Verifies execution by requesting `https://target.com/tmp/{random}.xml.php` and checking the base64 math response.

### Vector 2: Browser Chain (images/)

- Checks `cpanel.feed` for unauthenticated JCE browser access.
- Imports a permissive profile allowing PHP uploads.
- Uploads multiple variants (`.php`, `.phtml`, `.php5`, `.php7`, `.gif`-wrapped) via the Browser RPC endpoint.
- Attempts a PHP rename via JSON-RPC if the GIF upload succeeds.
- Verifies execution at `https://target.com/images/{random}.php`.

### Classification

- `VULNERABLE` — PHP executed the math check (MATHOK confirmed).
- `VULNERABLE_UPLOAD_ONLY` — the file was uploaded to disk but PHP execution was blocked.
- `PATCHED` — JCE version ≥ 2.9.99.5 or missing CSRF form.
- `SAFE` — JCE found but active exploitation failed.
- `BLOCKED_BY_WAF` — a firewall intervened during verification.
- `NOT_JOOMLA` — neither Joomla! nor JCE detected.

## 📁 Report Output

An Excel report is auto-generated in the `reports/` directory. Each row includes:

- Target URL
- Joomla! / JCE detected status & versions
- Final Status (VULNERABLE, PATCHED, SAFE, etc.)
- Confidence Level
- Proof URL (if shell confirmed)
- Uploaded Filename (for manual cleanup)
- Remediation Action

## 🧹 Mandatory Cleanup

⚠️ This scanner intentionally uploads files to prove exploitability.
If the scan returns `VULNERABLE` or `VULNERABLE_UPLOAD_ONLY`, you MUST manually delete the uploaded file(s) from the server:

- `/tmp/masta{random}.xml.php`
- `/images/masta{random}.php` (or `.phtml`, `.php5`, `.php7`)

The tool prints these filenames at the end of the scan. Do not leave POC files on production servers.

## 📜 License & Author

Author: Hussein Mohamed (masta ghimau)
CVE: CVE-2026-48907

This project is provided for educational and authorized security testing purposes only.

If you use this tool illegally, you are on your own.
Respect the law. Test responsibly.
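The version gate described under "How It Works" above (a target counts as PATCHED only at JCE 2.9.99.5 or later) is the one check an administrator can reproduce offline, from a copy of the site's own `jce.xml` manifest, without any upload. The following is an added example and not code from this repository: it reads the `<version>` element of a manifest and compares it numerically against 2.9.99.5. Dotted versions must not be compared as strings (`"2.9.100.0"` and `"2.9.99.10"` both sort below `"2.9.99.5"` as strings), and a pre-release tag such as `5rc1` must sort below the final release, so both cases are handled. The sample manifest, its version value and the `UPDATE_REQUIRED` label are constructed for this example; only the fixed version comes from the README.

```python
"""Offline version triage for a locally held JCE manifest (jce.xml).

Added example, not part of the scanner. Reads <version> from a Joomla
extension manifest and compares it numerically against the fixed
release named in the README (2.9.99.5).
"""
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = "2.9.99.5"  # first patched release, per the README

# Constructed sample manifest; the version value is a placeholder chosen
# to sit one release below the fix, not a statement about a real build.
SAMPLE_MANIFEST = """<extension type="component" version="3.9" method="upgrade">
    <name>COM_JCE</name>
    <version>2.9.99.4</version>
    <description>COM_JCE_DESC</description>
</extension>
"""


def parse_version(text: str) -> tuple:
    """Turn '2.9.99.5' into a sortable key.

    Components are compared as integers, padded to four places so that
    '2.9.99' equals '2.9.99.0'.  Any non-numeric tail on a component
    (e.g. '5rc1', '5-beta') marks a pre-release, which sorts below the
    final release with the same numbers.
    """
    nums = []
    prerelease = False
    for part in text.strip().split("."):
        m = re.match(r"(\d+)(.*)$", part)
        if not m:
            raise ValueError(f"unparseable version component: {part!r}")
        nums.append(int(m.group(1)))
        if m.group(2):
            prerelease = True
    while len(nums) < 4:
        nums.append(0)
    return tuple(nums), (0 if prerelease else 1)


def manifest_version(xml_text: str) -> str:
    """Extract the <version> text from an extension manifest."""
    root = ET.fromstring(xml_text)
    node = root.find("version")
    if node is None or not (node.text or "").strip():
        raise ValueError("manifest has no <version> element")
    return node.text.strip()


def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is at or above the fixed release."""
    return parse_version(version) >= parse_version(fixed)


def classify_manifest(xml_text: str) -> str:
    """PATCHED mirrors the README's status; UPDATE_REQUIRED is this
    example's own label for anything below the fix."""
    return "PATCHED" if is_patched(manifest_version(xml_text)) else "UPDATE_REQUIRED"


if __name__ == "__main__":
    for v in ("2.9.99.4", "2.9.99.5", "2.9.99.10", "2.9.100.0", "2.9.99.5rc1"):
        print(f"{v:12s} string<fix={v < FIXED_VERSION!s:5s} "
              f"numeric={'PATCHED' if is_patched(v) else 'UPDATE_REQUIRED'}")
    print("sample manifest:", classify_manifest(SAMPLE_MANIFEST))
```

Point it at the manifest paths the README lists under Fingerprinting (`administrator/components/com_jce/jce.xml` on your own install) by reading the file and passing its text to `classify_manifest`; a site can carry an old manifest while being hardened in other ways, so treat `UPDATE_REQUIRED` as "update JCE", not as proof of exploitability.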
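For the server-side counterpart of the cleanup section above: the request sequence the README documents leaves a recognizable trail in the web server access log, namely a POST to `index.php?option=com_jce&task=profiles.import`, possibly a `cpanel.feed` probe, and GET requests to `/tmp/<name>.xml.php` or `/images/<name>.php` (or the `.phtml`, `.php5`, `.php7` variants) that return 200 when the file was written. The following is an added example, not part of the scanner: it parses combined-format log lines and reports, per client address, whether that chain appears and which served paths still need to be removed from disk. The log lines, addresses and filenames are constructed; the loose `cpanel.feed` substring match is an assumption, since the README gives only the task name and not its full URL.

```python
"""Access-log triage for the request pattern described in the README.

Added example, not part of the scanner.  Parses Apache/nginx combined
log lines and correlates, per client IP, the profile-import POST, any
cpanel.feed probe, and 200 responses on the verification paths, which
indicate a written file that must be deleted.
"""
import re
from collections import defaultdict

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Endpoint from the README's Vector 1 description.
PROFILE_IMPORT_RE = re.compile(r'option=com_jce\b.*\btask=profiles\.import\b')
# The README names only "cpanel.feed"; matching the bare substring is an
# assumption made for this example.
CPANEL_FEED_RE = re.compile(r'cpanel\.feed')
# Verification paths from the README: tmp/<name>.xml.php or
# images/<name>.<php-like extension>, possibly under a Joomla sub-path.
VERIFY_RE = re.compile(
    r'/(?:tmp/[^/?]+\.xml\.php|images/[^/?]+\.(?:php|phtml|php5|php7))(?:\?.*)?$'
)

# Constructed sample log: 192.0.2.10 runs the full chain and gets a file
# served; 198.51.100.7 is blocked at import and misses on verification;
# 192.0.2.44 is ordinary traffic.  Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2026:10:01:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2026:10:01:02 +0000] "GET /administrator/components/com_jce/jce.xml HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2026:10:01:03 +0000] "POST /index.php?option=com_jce&task=profiles.import HTTP/1.1" 200 440 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2026:10:01:04 +0000] "GET /tmp/mastaEXAMPLE1.xml.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2026:10:05:00 +0000] "GET /images/banner.jpg HTTP/1.1" 200 9920 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2026:10:07:30 +0000] "POST /index.php?option=com_jce&task=profiles.import HTTP/1.1" 403 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2026:10:07:31 +0000] "GET /images/mastaEXAMPLE2.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(log_text: str) -> dict:
    """Correlate events per client IP; return only clients with a finding."""
    state = defaultdict(lambda: {
        "import_attempts": 0, "import_accepted": 0, "cpanel_feed_hits": 0,
        "verify_misses": 0, "cleanup_paths": [], "verdict": "none",
    })
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path, status = rec["path"], rec["status"]
        if rec["method"] == "POST" and PROFILE_IMPORT_RE.search(path):
            st = state[rec["ip"]]
            st["import_attempts"] += 1
            if status == "200":
                st["import_accepted"] += 1
        elif CPANEL_FEED_RE.search(path):
            state[rec["ip"]]["cpanel_feed_hits"] += 1
        elif VERIFY_RE.search(path):
            st = state[rec["ip"]]
            if status == "200":
                # A 200 on the verification URL means the file exists on disk.
                st["cleanup_paths"].append(path.split("?", 1)[0])
            else:
                st["verify_misses"] += 1
    for st in state.values():
        if st["cleanup_paths"]:
            st["verdict"] = "file_served_cleanup_required"
        elif st["import_accepted"]:
            st["verdict"] = "import_accepted_check_tmp"
        elif st["import_attempts"] or st["cpanel_feed_hits"] or st["verify_misses"]:
            st["verdict"] = "attempt_seen"
    return {ip: st for ip, st in state.items() if st["verdict"] != "none"}


if __name__ == "__main__":
    for ip, st in analyse(SAMPLE_LOG).items():
        print(ip, st["verdict"], st["cleanup_paths"])
```

Run it over the real access log with `analyse(open(path).read())`; every path under `cleanup_paths` is a file that was served from `tmp/` or `images/` and should be inspected and removed, and an `import_accepted_check_tmp` verdict with no served path still warrants a look in `tmp/`, since the README notes a 200 on import is taken to mean the file was written even when PHP execution is blocked.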
