Joomla

Hello aspiring hackers. Previously we have seen how to perform Joomla version enumeration and Joomla plugin enumeration with Metasploit. Metasploit also has a module for Joomla webpages enumeration which can be useful in seeing pages of a Joomla website which can give further information about the website.

Start Metasploit and load the module as shown below.  Type command “show options” to see the options we need to set.

joomla_pages1

As other auxiliary options, it has RHOSTS option instead of RHOST option. We can set multiple IP addresses to scan for their pages with space in between as shown below. Set the targeturi.

joomla_v2

Type command “run” to execute the exploit. We will get the result as shown below.

joomla_pages3

Good evening aspiring ethical hackers. Joomla is one of the most popular CMS for websites. To further improve its features Joomla has components or extensions which can be installed by the web admin as per requirement. These are similar to plugins in WordPress. Last month hackers found many vulnerabilities in so many extensions of Joomla.

But how do we find out Joomla websites with this vulnerable plugins installed. Once again, Metasploit saves the day for us as it has an auxiliary module for Joomla plugin enumeration. Start Metasploit and load the module as shown below.

joomla_plugins1

This module has Rhosts option instead of Rhost option as we generally scan multiple IP addresses to check for vulnerable websites. Set the IP addresses as shown below with space between each IP address.

joomla_v2

Now type command “run” to see the plugins installed on all these websites.

joomla_plugins3

How does this module work? If you have seen in the first image, this module takes the list of plugins to enumerate from file “usr/share/metasploit-framework/data/wordlists/joomla.txt”. I have little knowledge whether this file is updated as fast as the Joomla plugins developed.  You can open this file with any text editor as shown below.

joomla_plugins4

If the component you want to search for is not listed, you can make your own entry as shown below. I have added two components here, which are vulnerable to sql injection but not included in the file before. Save and close the file.

joomla_plugins5

I run the scan again and found one Joomla website with this plugin installed.  Happy hacking.

joomla_plugins6


Many a times a vulnerability is released saying that so and so version of a specific software has so and so vulnerability and an exploit is released for that vulnerability. In order for an exploit to work successfully it becomes necessary to find our target’s exact version. For example, take Joomla, a popular CMS. Recently we have seen Joomla HTTP Header Unauthenticated Remote Code Execution exploit which affects Joomla versions 1.5.0 to 3.4.5. We have also seen another exploit  “Joomla Error-Based SQL Injection exploit for enumeration ”  which affects Joomla versions 3.2 to 3.4.4. To successfully exploit these vulnerabilities, it becomes important to first fingerprint the Joomla version of our target. Luckily Metasploit has an auxiliary module to find out the exact version of our Joomla target. Today we will see fingerprinting Joomla version with Metasploit. Before we start Metasploit, open Shodan and search for “Joomla”. We will get many IP addresses where Joomla is running. Now start Metasploit and load the module given below. Type command “show options” to see the required options for this module.

joomla_v1

We need to set two options: rhosts( which is target IP addresses ) and targeturi. Set targeturi as shown below. Coming to “rhosts” option, copy and paste the IP addresses we got in our shodan search giving space between each IP address as shown below.  Here I have given five IP addresses.

joomla_v2

Check whether all options are set correctly by typing command “show options“.

joomla_v3

Next it’s time to run our exploit. Type command “run” and you will get the results as shown below. From our results we can conclude that all of the five targets may be vulnerable to Joomla HTTP Header Unauthenticated Remote Code Execution exploit and targets 2 and 3 may be vulnerable to Joomla Error-Based SQL Injection exploit for enumeration exploit.

joomla_v4


 

Good Evening friends. Today we will see how to exploit remote machines with Joomla installed on them. Joomla suffers from an unauthenticated remote code execution that affects all versions from 1.5.0 to 3.4.5. By storing user supplied headers in the databases session table it’s possible to truncate the input by sending an UTF-8 character. The custom created payload is then executed once the session is read from the database. We also need to have a PHP version before 5.4.45 (including 5.3.x), 5.5.29 or 5.6.13. In later versions the deserialisation of invalid session data stops on the first error and the exploit will not work. The PHP Patch was included in Ubuntu versions 5.5.9+dfsg-1ubuntu4.13 and 5.3.10-1ubuntu3.20 and in Debian in version 5.4.45-0+deb7u1. Joomla has recently released a patch for this vulnerability. Now let us see how to use the Joomla HTTP Header Unauthenticated Remote Code Execution exploit. Start Metasploit. and search for the exploit as shown below.

joomla_http1

Type command “show options to see the required options.

joomla_http2

Set the remote IP address and set the payload as shown below.

joomla_http3

Type command “check” to see whether the target is vulnerable.

joomla_http4

Next type command “exploit” to execute the exploit. You will get the remote system’s shell as shown below.

joomla_http5