Unauthenticated Arbitrary File Upload in SP Page Builder for Joomla

This repository is a small standalone Python proof-of-concept exploit for CVE-2026-48908 affecting JoomShaper SP Page Builder (com_sppagebuilder) on Joomla. Repository structure is minimal: README.md documents the vulnerability and usage, requirements.txt lists the single dependency (requests), and sppb_rce.py is the only code file and clear entry point. The exploit targets the unauthenticated upload controller task index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon. It crafts an in-memory ZIP archive that mimics a valid icon-font package by including selection.json, style.css, and a dummy TTF file. It then adds two malicious files under the fonts/ subdirectory: a .htaccess file containing 'AddType application/x-httpd-php .PHP' and an uppercase-extension PHP web shell. This is designed to bypass a case-sensitive extension blocklist that rejects lowercase .php but allows .PHP and .htaccess, then rely on Apache override behavior to execute the uploaded .PHP file. Operational flow in sppb_rce.py: normalize target URL, generate random directory and shell names plus a per-run token, build the ZIP payload, POST it unauthenticated as multipart field custom_icon to the vulnerable task, parse the JSON response to recover the extracted iconfont directory, and then invoke the uploaded shell over HTTP GET with parameters t (token) and c (command). The script confirms RCE by executing 'echo SPPB-RCE-$((7*6))' and checking for 'SPPB-RCE-42'. It supports three main modes: check-only confirmation, one-shot command execution (default command id), and an interactive pseudo-shell. An optional cleanup mode attempts to remove the uploaded payload directory by issuing a shell command through the web shell. Main exploit capabilities: unauthenticated arbitrary file upload to a web-served directory, remote code execution via uploaded PHP web shell, arbitrary command execution, interactive shell-like access, and artifact cleanup. The exploit is not merely a detector; it contains a working payload and execution logic, but it is still a standalone PoC rather than a framework-integrated or highly modular weaponized tool.