[Mass Exploit] Joomla 3.2 to 3.4 SQL Injection

Introduction

You guys know how I love to automate stuff. So earlier today I decided to automate the SQL injection vulnerability in open source CMS joomla (3.2 to 3.4.4) found by Trust Wave Labs here. CVE-2015-7297, CVE-2015-7857, and CVE-2015-7858 cover this SQL Injection vulnerability.

I have used Google Scraper and Mass Exploiter from one of my previous posts which works as a dork scanner and performs mass exploitation on hundreds of URLs in a matter of seconds.

Here’s a preview of this mass exploit.

joomla1

Requirements

  • Python version 3.4.x
  • A third party package – Requests

There are two modules in this exploit. First module (makman.py) is a dork scanner which scans all the URLs for the given google dork. As per my latest results, it scraped 417 joomla websites from google search in about 6 seconds.

The second module performs the injection on the URLs collected by the dork scanner in the first module. Make sure makman.py is in the same directory.

Video Demo

You can watch the following video demo to see this exploit in action.

Here’s another quick demo to show you guys how to use session_id and get access to the admin panel without cracking the hashes.

Last Scan Results (28-10-2015)

Known Issues

  • Sometimes the first module (Google dork scanner) doesn’t retrieve any URLs because Google serves the captcha form instead of the search results. If this is the case, go to you browser, do a manual search for your dork, fill in the correct captcha (if appears), retrieve the cookies for this search and add these cookies in makman.py line 14 in the dictionary variable my_headers for the key Cookie.

joomla_cookies

  • You can always change the Google dork for this exploit by editing line 71 in joomla_sqli_mass_exploit.py.

GitHub Repository

Disclaimer

I hereby take no responsibility for the loss/damage caused by this tutorial. This article has been shared for educational purpose only.

If you have any further suggestions, feel free to contact me. Details are in the footer.