Government Security
Network Security Resources

How to exploit Joomla 1.5.x


6 replies to this topic

#1 julesv

julesv

    Private

  • Members
  • 6 posts

Posted 03 December 2008 - 10:18 AM

Hello! This is my first tutorial and I hope it will be informative.

1. Getting to the admin Control Panel
2. Uploading shell
3. Messing... =)

We will call the website 'xxxxx.com' for the purposes of this website.

--Part 1--

-First we must find a vulnerable host. All versions of Joomla! are vulnerable until next release, but there is a way you can prevent this attack. We will google dork around for a vulnerable website.

Google d0rk ----> intext:"Welcome to the Frontpage"

Now, we choose: xxxxx.com

To test if it is vulnerable we put this at the end of the url:

index.php?option=com_user&view=reset&layout=confirm

enter the character:

'

as the token. If all went well you should be redirected to a page where you can change the admin password. Now go back to xxxxx.com and add:

/administrator

to the end of the url. Try and login with admin (the default) as the user and the changed pass. If it didn't work, it means you have the wrong username. This could become a very big guessing game =). I would suggest visiting the forums and looking for the admin username.

Finally! We are on the admin Control Panel of xxxxx.com! Time to upload shell...

--Part 2--

Now click on the

Settings

icon. Then click on the

System

tab. Now scroll to the bottom of the page and disable

Check mime types

File controlling

and add php as a legal file extension. Now get your php shell, I will use locus7s (a variant of c99) as my shell. You can get these shells anywhere. Save it as a php file on your disk. Now go back to the main Control Panel and go to the

Medias

and browse your shell from your computer, press upload and wait for it to finish. When it says

Completed

you may proceed to the messing section =)...

--Part 3--

Now go back to xxxxx.com and add

/images/yourshell.php (replace yourshell.php by the name of the shell you uploaded. I would recommend giving your shell a secret name, otherwise people will re-access your shell.)

Now you should be on the shell interface. This might look kind of messed up when you are a beginner, but don't worry...

Click on the folder icon that says

..

Now go to

index.php

and press the

[write]

or the button on the far right above the text box. Now you may edit the front page =). Don't forget to press the

[save]

button.

Last but not least, go back to the main shell interface and click the

..

button and now go to

[logs]

and click on

errors.php

Now clear the bottom part with your IP and click

Save

Now you're clear to leave =).

Have fun...





--Created by julesv
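For anyone defending a Joomla 1.5 site, the sequence in the post above leaves a recognisable trail in the web server access log. The following is an added example, not part of the original thread: a heuristic that reports clients that open the reset-confirm URL and then reach /administrator, or that get a 2xx response for a script under /images/. The function names, the combined log format and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Common/combined log format: ip - - [time] "METHOD path HTTP/x" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')

def classify(path):
    """Map a request path to one stage of the sequence in the post, or None."""
    url = urlsplit(path)
    q = {k: v[0].lower() for k, v in parse_qs(url.query).items()}
    p = url.path.lower()
    if (q.get("option"), q.get("view"), q.get("layout")) == ("com_user", "reset", "confirm"):
        return "reset_confirm"
    if p.rstrip("/").endswith("/administrator") or "/administrator/" in p:
        return "admin_panel"
    if re.search(r"/images/.*\.(php\d?|phtml)$", p):
        return "script_in_images"
    return None

def suspicious_clients(lines):
    """Return {client_ip: [stages in first-seen order]} for clients worth a look."""
    stages = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, path, status = m.groups()
        stage = classify(path)
        # A script under /images/ only matters if the server actually served it.
        if stage == "script_in_images" and not status.startswith("2"):
            continue
        if stage and stage not in stages[ip]:
            stages[ip].append(stage)
    return {ip: seen for ip, seen in stages.items()
            if "script_in_images" in seen
            or (seen[0] == "reset_confirm" and len(seen) >= 2)}

# Constructed sample log lines (documentation IP ranges, made-up file names).
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Dec/2008:10:01:00 +0000] "GET /index.php?option=com_user&view=reset&layout=confirm HTTP/1.1" 200 5120',
    '203.0.113.7 - - [03/Dec/2008:10:01:20 +0000] "POST /administrator/index.php HTTP/1.1" 303 0',
    '203.0.113.7 - - [03/Dec/2008:10:05:02 +0000] "GET /images/example.php HTTP/1.1" 200 9001',
    '198.51.100.4 - - [03/Dec/2008:10:02:00 +0000] "GET /index.php?option=com_user&view=reset HTTP/1.1" 200 4000',
    '198.51.100.9 - - [03/Dec/2008:10:03:00 +0000] "GET /images/banner.png HTTP/1.1" 200 1234',
]

if __name__ == "__main__":
    for ip, seen in suspicious_clients(SAMPLE_LOG).items():
        print(ip, " -> ".join(seen))
```

A hit is a lead to investigate, not proof: an administrator who resets their own password and then logs in to the back end produces the first two stages as well.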

#2 Marts McFly

Marts McFly

    Second Lieutenant

  • Second Lieutenant
  • 591 posts

Posted 03 December 2008 - 04:30 PM

Nice tutorial mate.

I run a Joomla site myself. And decided to test this out. My version is [Joomla! 1.5.6 Production/Stable [ Vusani ] 12-August-2008 22:00 GMT]

Putting index.php?option=com_user&view=reset&layout=confirm at the end of my URL gives me a screen asking me to confirm the token. Entering ' does not send me to a change password screen. It just flicks back to the same 'enter token' screen.

So either your method doesn't work or I have a newer version, which either way I am glad for! Haha.

One question is why do you need to upload the shell? If you have the admin username and password, you can change anything you want anyway via the articles and the main menu/home? Or would this be a backdoor as such... if the owner ends up changing the admin password?

One thing I find interesting in security flaws in Online software like this... is most users aren't that technical. And it's hard to upgrade to a latest version. You can't just log in to the console and press 'update'. You have to do a whole reinstall in most cases, that freaks people out. And not only that, why will the user know they are vulnerable unless they visit sp0it sites? (or they find their frontpage changed.. haha)
Certified Information Systems Security Professional (CISSP)

T: http://twitter.com/Marts_McFly

B: http://www.backtosecurity.com

#3 webdevil

webdevil

    Retired GSO General

  • Sergeant Major
  • 1,195 posts

Posted 03 December 2008 - 05:17 PM

> My version is [Joomla! 1.5.6 Production/Stable [ Vusani ] 12-August-2008 22:00 GMT]

I believe all 1.5 versions prior to 1.5.6 are vulnerable.

> One question is why do you need to upload the shell?

After uploading the php shell, you could do a lot more things than just changing the contents of your Joomla site. Like running a bnc, or iroffer or maybe getting root on the box ;)

> why will the user know they are vulnerable unless

The System admins do/should know if a web app that they host has some vulnerabilities, so it should be their job to upgrade. But as we can see not all of them do that.

The tutorial is just an expansion of

1. Go to url : target.com/index.php?option=com_user&view=reset&layout=confirm
2. Write into field "token" char ' and Click OK.
3. Write new password for admin
4. Go to url : target.com/administrator/
5. Login admin with new password

A decent attempt.

#4 Marts McFly

Marts McFly

    Second Lieutenant

  • Second Lieutenant
  • 591 posts

Posted 03 December 2008 - 07:25 PM

Ah thanks for the clarification.

Also one thing that might be mentioned is as admin you can also enable FTP access through the control panel. You could then FTP in as admin and upload whatever you want... your shell for example, no need to do it via Media if you don't want to.
Certified Information Systems Security Professional (CISSP)

T: http://twitter.com/Marts_McFly

B: http://www.backtosecurity.com

#5 julesv

julesv

    Private

  • Members
  • 6 posts

Posted 03 December 2008 - 11:23 PM

Thanks for the feedback guys =)...

#6 entro

entro

    Private First Class

  • Members
  • 68 posts

Posted 05 December 2008 - 12:05 AM

I've been fooling around with this and a lot of Joomla sites are very prone to this vulnerability at the moment. You can do a lot of damage with this.

#7 NoUse

NoUse

    Private

  • Members
  • 10 posts

Posted 17 December 2008 - 05:53 PM

Not so much a tutorial as it is a step by step guide for script kiddies. Nothing is really being taught here, and in turn, nothing is being learned. My advice would be to expand more on certain aspects of the guide. Such as the token that you enter. Anyone who's read about SQL injections knows this causes an error with the SQL parser. But generally the people who would benefit from the tutorial aren't going to know that.

Expand the article or just put it into an ordered list and save us the time.



