Introduction
Hello all CrackHackForum members.
I haven't made any tutorial recently and I decided that it's time to make one. The tutorial itself is about identifying vulnerabilities in Joomla based websites. You probably already noticed that I said that we're identifying vulnerabilities and not defacing sites and that's correct. By reading the last sentence probably most of you already got bored, but that's more important than defacing at all. In my opinion finding the vulnerabilities are alot harder than the actual exploiting. If we're talking where does the vulnerabilities exist in the Joomla then it's mostly outdated plugins and sometimes even the default versions of Joomla are having vulnerabilities. Like you know I'm mostly the person who isn't using tools at all and I support doing everything manually, yet tools are sometimes making our life easier. Today the tutorial is about identifying vulnerable plugins in Joomla with famous tool calledJoomScan. Most of you are always running Acunetix Web Vulnerability Scanner 8 at every website you'd like to see vulnerabilities at, but Acunetix doesn't show the ones existing on CMS's like Joomla. The reason is that even Acunetix miss vulnerabilities and some vulnerabilities can be only found by manual testing, it takes a mind to find mistakes made by other minds. It means that running Acunetix on CMS's like Joomla and WordPress is pointless unless you're looking for something specific.
What are CMS's and Joomla?
Maybe some of you already got confused while reading the introduction. Maybe some of you haven't even heard about Joomla, but that's not a problem. Joomla is similar to WordPress, Drupal and other CMS's. Here comes the question that what are CMS's, they're Content Management systems. Content Management Systems are basically pre-made webpages which you can simply download and put on your webserver. With few clicks you'll get amazing website and by adding simple theme on it you'll have a website which might cost hundreds of dollars and look like every other awesome site. Almost all of the blogs in the current World Wide Web are based on CMS's and two most famous one of them are Joomla & WordPress and most of them are in the "blog" form. You can read further from Wikipedia. :
"What is Content Management System" According to Wikipedia :
Code:
A Content Management System (CMS) is a computer program that allows publishing, editing and modifying content as well as maintenance from a central interface. Such systems of content management provide procedures to manage workflow in a collaborative environment. These procedures can be manual steps or an automated cascade.
The first content management system (CMS) was announced at the end of the 1990s. This CMS was designed to simplify the complex task of writing numerous versions of code and to make the website development process more flexible. CMS platforms allow users to centralize data editing, publishing and modification on a single back-end interface. CMS platforms are often used as blog software.
"What is Joomla"Accoring to Wikipedia
Code:
Joomla is a free and open source content management system (CMS) for publishing content on the World Wide Web and intranets and a model–view–controller (MVC) Web application framework that can also be used independently.
Joomla is written in PHP, uses object-oriented programming (OOP) techniques (since version 1.5) and software design patterns, stores data in a MySQL or (since version 2.5) MS SQL database, and includes features such as page caching, RSS feeds, printable versions of pages, news flashes, blogs, polls, search, and support for language internationalization.
What is JoomScan and how does it work?
JoomScan has been created by the team of OWASP and it was sponsored by the YGN Ethical Hacker Group, Myanmar. OWASP Joomla Vulnerability Scanner was created at the July of 2009 if my memory isn't wrong at the moment. JoomScan isn't actually a tool where you can press that big & red "Hack" button because it has been developed at Perl. The leader of the project and the person who made it possible is called Aung Khant. Like the name of the tool says, it scans for all known vulnerabilities in Joomla CMS. By quoting the shout overview from the official page then JoomScan is this :
Quote:Joomla! is probably the most widely-used CMS out there due to its flexibility, user-friendlinesss, extensibility to name a few. So, watching its vulnerabilities and adding such vulnerabilities as KB of Joomla! scanner takes ongoing activity.
It will help web developers and pentesters to help identify published known security weaknesses on their deployed Joomla! sites. No web security scanner is dedicated only one CMS.
To my experience, security testing on Joomla! web application requires pentester to look back the published vulnerabilities and if free, move on to generic testing. If we do only generic testing, we might miss a lot because it needs the knowledge of Joomla! application - its vulnerabilities in what version, what components are vulnerable in what version, what common security mistakes that web masters make ...etc.
If we're talking about how JoomScan is working then it's simple. You probably have heard about sites like http://1337day.com & http://exploit-db.com who're gathering exploits to use against Web Applications. All the exploits what are being uploaded to these sites or being sent directly to the Administrator/maintainer of the JoomScan will be added to the "Exploit list" of JoomScan. Then JoomScan will start testing all these exploits on the Joomla based system. If the server responds to the JoomScan with HTTP response 404 : Forbidden then it means the exploit isn't working and it will move on to testing other exploits. If JoomScan reaches to some exploit which will recive HTTP response 202 : Successful then it means the site has responded to our query which was exploit. Then JoomScan will store the response and will tell you that the website is vulnerable. Then you know the exploits and you can use them to compromise the system. Currently the Exploit list of JoomScan should contain +700 exploits to test and those are almost all the exploits avalible today.
Currently JoomScan is having these following features :
- Exact version Probing (the scanner can tell whether a target is running version 1.5.12)
- Common Joomla! based web application firewall detection.
- Searching known vulnerabilities of Joomla! and its components.
- Reporting to Text & HTML output.
- Immediate update capability via scanner or svn.
How to use JoomScan in Linux OS.
You're probably already using BackTrack or Kali Linux which means they already have the tools included in them and you can access them with few clicks or with a single command what makes using the tool relatively easy. There are two ways to open up JoomScan in BackTrack and like I said, one of them is by opening up the terminal or navigating to the JoomScan.
Opening JoomScan in BackTrack Through the "Applications" :
- Applications
- BackTrack
- Vulnerability Assessment
- Web Application Assessment
- CMS Vulnerability Identification
- joomscan
Image has been scaled down 32% (700x526). Click this bar to view original image (1024x769). Click image to open in new window.
Opening JoomScan in Backtrack Through the Terminal :
- Open Terminal
- Write cd /pentest/web/joomscan in the terminal
- Start writing the commands to perform tasks you'd like the tool to do.
JoomScan Commands in Linux Operating system
We have managed to open up the JoomScan and now it's time to use the commands. These commands will tell the tool what to do and they are the things what you have to know to operate in Joomscan. I'll add two lines for a command as one example one and one reality one. It means that the example one tells you in theory what should be in the place and the reality one tells you how would the command look in the real life. Still not to confuse you nor cause any harm to any Administrator I won't use real webpage powered by Joomla and I'll use "joomlasite.com" as our target website which is running at Joomla.
The command to start scanning the website based on Joomla :
Code:
Example : Rynaldo@CrackHackForum:/pentest/web/joomscan# ./joomscan.pl -u <url>
Reality : Rynaldo@CrackHackForum:/pentest/web/joomscan# ./joomscan.pl -u joomlasite.com
This below command will start scanning the website with using proxy. It's not neccesary to use proxy, but highly recommended because websites are storing logs and incase you're doing any harm you might be caught.
Code:
Example : Rynaldo@CrackHackForum:/pentest/web/joomscan# ./joomscan -u <url> -x <Proxy IP>:<Port>
Reality : Rynaldo@CrackHackForum:/pentest/web/joomscan# ./joomscan -u joomlasite.com -x 123.123.123.123:3128
This command will start looking the version of Joomla CMS. I think it's not quite helpful because this command will only help you to get the version and look vulnerabilities to this version which will make your life alot harder, but still most of people are considering this as useful so I'll add it here also.
Code:
Example : Rynaldo@CrackHackForum: /pentest/web/joomscan# ./joomscan -u <url> -pe
Reality : Rynaldo@CrackHackForum: /pentest/web/joomscan# ./joomscan -u joomlasite.com -pe
It's quite boring to watch the whole process while JoomScan is running and also memorize what's going on and because of this we can archive the results we want. It's good because then we can watch the results after the scannings also. This one will store the results in a TXT file which will make it easy to read.
Code:
Example : Rynaldo@CrackHackForum: /pentest/web/joomscan# ./joomscan -u <url> -ot <file-name.txt>
Reality : Rynaldo@CrackHackForum: /pentest/web/joomscan# ./joomscan -u joomlasite.com -ot ArchiveResults.txt
It might be uncomfortable to look at the results with the TXT and that's why we even have a feature to store it in a HTML file with this below command :
Code:
Example : Rynaldo@CrackHackForum: /pentest/web/joomscan# ./joomscan -u <url> -oh <file-name.htm>
Reality : Rynaldo@CrackHackForum: /pentest/web/joomscan# ./joomscan -u joomlasite.com -oh ArchiveResults.htm
The most boring thing about the whole process is that we can see it's working, but we don't know when it finishes and we'll know the full results. Yet there's also a command to see the percentage completed.
Code:
Example : Rynaldo@CrackHackForum: /pentest/web/joomscan# ./joomscan -u <url> -sp
Reality : Rynaldo@CrackHackForum: /pentest/web/joomscan# ./joomscan -u joomlasite.com -sp
How to use JoomScan in Windows OS.
Above was really easy and that probably doesn't even need a tutorial. If you're writing "How to use JoomScan" to Google then all the tutorials are explaining how to use JoomScan in BackTrack, but they never cover the part to use it on the Windows Operating System. Probably because that takes alot more time and it's a bit harder to explain and as I'm a Windows user myself that's why I made the tutorial for at the first place. If you have read everything above then it's obvious to you that JoomScan is developed at Perl. In BackTrack and Kali Linux Perl is freely avalible and already installed which means you just have to type in the commands. In Windows you also have to install Perl to run perl scripts and that's a bit different because most of people are getting stuck at this part, they don't know how to run perl scripts. Actually it's almost the same and the commands aren't different either, but for a newbie it's still confusing. In BackTrack the JoomScan was included already, but for Windows we have to download Perl and Joomscan. I'll make quickly those main steps you have to follow to make JoomScan working in your Windows OS. I'll provide all the download links you might need to the end of the article.
The main steps we have to do for running JoomScan in Windows OS :
- Download ActivePerl from the official webpage.
- Download JoomScan files to your computer and compress them to your C:\ drive.
- Start Command Prompt and entering the commands I'll give you below.
- To run the scripts you have to choose <location of the script> <commands to perform>
JoomScan commands in Windows Operating System
That's almost the same chapter as the above one with Linux commands so I'll add the same introduction and will add different commands. We have managed to open up the JoomScan and now it's time to use the commands. These commands will tell the tool what to do and they are the things what you have to know to operate in Joomscan. I'll add two lines for a command as one example one and one reality one. It means that the example one tells you in theory what should be in the place and the reality one tells you how would the command look in the real life. Still not to confuse you nor cause any harm to any Administrator I won't use real webpage powered by Joomla and I'll use "joomlasite.com" as our target website which is running at Joomla.
Image has been scaled down 13% (700x704). Click this bar to view original image (796x800). Click image to open in new window.
How to even run commands of Perl scripts?
Code:
Example: <location of the script> <commands to perform>
Reality : C:\Files of Rynaldo\Scripts\Joomscan\joomscan.pl -u joomlasite.com
The command to start scanning the website based on Joomla :
Code:
Example : <Location of the Script> -u <url>
Reality : C:\Files of Rynaldo\Scripts\Joomscan\joomscan.pl -u joomlasite.com
This below command will start scanning the website with using proxy. It's not neccesary to use proxy, but highly recommended because websites are storing logs and incase you're doing any harm you might be caught.
Code:
Example : <location of the script> -u <url> <Proxy IP>:<Port>
Reality : C:\Files of Rynaldo\Scripts\joomscan\joomscan.pl -u joomlasite.com -x 123.123.123.123:3128
This command will start looking the version of Joomla CMS. I think it's not quite helpful because this command will only help you to get the version and look vulnerabilities to this version which will make your life alot harder, but still most of people are considering this as useful so I'll add it here also.
Code:
Example : <location of the script> -u <url> -pe
Reality : C:\Files of Rynaldo\Scripts\joomscan\joomscan.pl -u joomlasite.com -pe
It's quite boring to watch the whole process while JoomScan is running and also memorize what's going on and because of this we can archive the results we want. It's good because then we can watch the results after the scannings also. This one will store the results in a TXT file which will make it easy to read.
Code:
Example : <location of the script> -ot <file-name.txt> -u <url>
Reality : C:\Files of Rynaldo\Scripts\joomscan\joomscan.pl -ot ArchiveResults.txt -u joomlasite.com
It might be uncomfortable to look at the results with the TXT and that's why we even have a feature to store it in a HTML file with this below command :
Code:
Example : <location of the script> -ot <file-name.html> -u <url>
Reality : C:\Files of Rynaldo\Scripts\joomscan\joomscan.pl -oh ArchiveResults.html -u joomlasite.com
The most boring thing about the whole process is that we can see it's working, but we don't know when it finishes and we'll know the full results. Yet there's also a command to see the percentage completed.
Code:
Example : <location of the script> -u <url> -sp
Reality : C:\Files of Rynaldo\Scripts\joomscan\joomscan.pl -u joomlasite.com -sp
OWASP Joomla Vulnerability Scanner Usage
I have already showed you most of the commands in Joomscan and explained how to use them in different Operation Systems. Still I'll post below a list so you could make up your own commands to run your own commands you'd like. Incase something is still unclear for you then you this list will probably clear everything up for you why the commands were like they were.
Code:
Usage: joomscan.pl -u <string> -x proxy:port
-u <string> = joomla Url
==Optional==
-x <string:int> = proXy to tunnel
-c <string> = cookie (name=value;)
-g "<string>" = desired useraGent string within "
-nv = No Version fingerprinting check
-nf = No Firewall detection check
-nvf/-nfv = No version+firewall check
-pe = Poking version only
(and Exit the scanner)
-ot = Output to Text file (target-joexploit.txt)
-oh = Output to Html file (target-joexploit.htm)
-vu = Verbose (output every Url scan)
-sp = Show completed Percentage
Yet there are still some important commands you should know. Those are mostly the update commands. Like we know new exploits are being discovered daily and it would be just a waste of time to download the new version of JoomScan every time any new exploit is being published. For that I suggest to use these commands to directly download the exploits to your list. :
This option will check if the scanner update is available or not.
Code:
Windows : C:\Files of Rynaldo\Scripts\joomscan\joomscan.pl check
Linux : Rynaldo@CrackHackForum: /pentest/web/joomscan# ./joomscan check
This option will check and update the local database if newer version is available.
Code:
Windows : C:\Files of Rynaldo\Scripts\joomscan\joomscan.pl update
Linux : Rynaldo@CrackHackForum: /pentest/web/joomscan# ./joomscan update
Download the scanner latest version as a single zip file - joomscan-latest.zip.
Code:
Windows : C:\Files of Rynaldo\Scripts\joomscan\joomscan.pl download
Linux : Rynaldo@CrackHackForum: /pentest/web/joomscan# ./joomscan download
This option will give you a defensive note.
Code:
Windows : C:\Files of Rynaldo\Scripts\joomscan\joomscan.pl defense
Linux : Rynaldo@CrackHackForum: /pentest/web/joomscan# ./joomscan defense
This option will give you a short story about joomscan.
Code:
Windows : C:\Files of Rynaldo\Scripts\joomscan\joomscan.pl story
Linux : Rynaldo@CrackHackForum: /pentest/web/joomscan# ./joomscan story
Code:
Windows : C:\Files of Rynaldo\Scripts\joomscan\joomscan.pl read DOCFILE
Linux : Rynaldo@CrackHackForum: /pentest/web/joomscan# ./joomscan read DOCFILE
Bugs and errors of JoomScan
Like we know all good programs and scripts have some bugs and JoomScan isn't an exception either. The first and one really big bug is on the Joomscan.pl file itself and without editing it the script won't work. Open up Joomscan.pl in your text editor and browse to the line 62 & 63. I suggest to use notepad++ because it makes it a bit easier. Then you have to correct the full path where the other files called joomdbfile and joomdbinfofile. After the editing it should look like this :
Image has been scaled down 13% (700x483). Click this bar to view original image (800x552). Click image to open in new window.
The second bug is about saving the reports of scanned websites. If you tried to save reports in .HTML or .TXT file like this then you'll face to errors :
Code:
Example : <location of the script> -u <url> -ot <file-name.html>
Reality : C:\Files of Rynaldo\Scripts\joomscan\joomscan.pl -u joomlasite.com -oh ArchiveResults.html
Code:
Example : <location of the script> -ot <file-name.html> -u <url>
Reality : C:\Files of Rynaldo\Scripts\joomscan\joomscan.pl -oh ArchiveResults.html -u joomlasite.com
All refferences you might like to read :
What is Content Managment System according to Wikipedia
What is Joomla Accoring to Wikipedia
Open Web Application Security Project
OWASP Joomla Vulnerability Scanner
Download ActivePerl for running Perl scripts on Windows.
Download JoomScan for running Joomscan in Windows.
One of the biggest Exploit collection - 1337day
One of the biggest Exploit collection - Exploit-DB
The official page of Joomla.
The Final Words
You have probably noticed that this tutorial has alot of 'duplicate' matherial which might seem really useless, but there has been alot of misunderstanding on this subject in the past. I made this thread that detailed no matter that the differences between Linux and Windows commands are obvious, but after reading this you shouldn't have any problem as I think I have covered absolutely everything what might come to your way of JoomScan.
Have you been defrauded by deceptive Bitcoin traders? Or are you seeking to recover funds you lost on telegram accounts to take over hackers/rippers?. I personally will recommend no one other than {wizardcyprushacker@gmail.com}
ReplyDeleteThis is the least I could do for you after they saved my life by helping me recover up to 3.966BTC in less than two weeks from an online ripper lately. I got referred to them via my colleague at work, they also helped his spouse recover tokens and coins lost to scams. I'm glad I got in contact with this specialist because I would have most likely fallen victim to another online fraudster all in the name of them trying to help me. I owe these people a lot because it is so hard to see legit help online. Are you having similar issues with your BTC Wallet, Don't get scammed by these online fraudsters, contact {wizardcyprushacker@gmail.com} WhatsApp : +1 (424) 209-7204
, they are the most efficient and most trusted recovery experts on here