OWASP Joomla! Vulnerability Scanner – All things in moderation

OWASP Joomla! Vulnerability Scanner

Introduction

Joomla! is the most popular and widely used CMS; it lets you build web sites and powerful online applications. Many aspects, including its ease of use and extensibility, have made it popular. Best of all, Joomla! is an open source solution that is freely available to everyone.

OWASP Joomla! Vulnerability Scanner (joomscan) is an open source project written in Perl that detects and analyses Joomla! CMS vulnerabilities. It helps web developers and webmasters identify possible security weaknesses on their deployed Joomla! sites.

You can download joomscan from: https://www.owasp.org/index.php/Category:OWASP_Joomla_Vulnerability_Scanner_Project

The tool ships with Kali Linux. To run joomscan on an Ubuntu system, first install the Perl environment with: sudo apt-get install perl

How does joomscan work?

  1. It first sends a HEAD request to check whether a vulnerable resource exists, rather than a GET request that searches for a vulnerable string. This speeds up the process and helps minimize IDS alerts, because it does not send a storm of GET requests carrying attack strings.

  2. Only if the resource exists does it check whether the vulnerability is present, using a sample exploit string.

  3. If no exploit string is available, it works out the vulnerability state from the deduced version.
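The three steps above, as an added illustration that is not joomscan's own code: HEAD before GET for a resource check, intersection of the per-file version hints into a deduced range (using the four hints from the scan output further down), and a Yes/No/N/A decision from a "Versions Affected" bound written as "<= 1.5.9". The fake site, the hint list and the marker strings are constructed for the example.

```python
import operator
from typing import Callable, List, Optional, Tuple

Version = Tuple[int, ...]
OPS = {"<=": operator.le, "<": operator.lt, ">=": operator.ge, ">": operator.gt}

def parse(v: str) -> Version:
    """'1.5.12' -> (1, 5, 12); tuples compare like dotted versions."""
    return tuple(int(p) for p in v.split("."))

def deduce_range(hints: List[Tuple[str, str]]) -> Optional[Tuple[Version, Version]]:
    """Intersect the inclusive [low, high] ranges revealed by the fingerprint
    files: highest low bound, lowest high bound. None if the hints contradict."""
    low = max(parse(lo) for lo, _ in hints)
    high = min(parse(hi) for _, hi in hints)
    return None if low > high else (low, high)

def state_from_version(rng: Tuple[Version, Version], spec: str) -> str:
    """Step 3: 'Yes'/'No'/'N/A' from a 'Versions Affected' spec ('<= 1.5.9',
    '>= 2.5.0', 'any') and the deduced range. 'N/A' = range straddles the bound."""
    if spec.strip().lower() == "any":
        return "Yes"
    op, bound = spec.split()
    hits = [OPS[op](v, parse(bound)) for v in rng]
    return "Yes" if all(hits) else "No" if not any(hits) else "N/A"

def check_resource(head: Callable[[str], int], get: Callable[[str], str],
                   path: str, marker: Optional[str] = None) -> str:
    """Steps 1-2: HEAD first; GET the check string only if the resource exists,
    so absent paths never receive a request carrying an attack string."""
    if head(path) != 200:
        return "No"
    if marker is None:            # mere presence is the finding (htaccess.txt)
        return "Yes"
    return "Yes" if marker in get(path) else "No"

# Constructed sample input: the four hints from the scan output on this page.
HINTS = [("1.5.10", "1.5.14"), ("1.5.12", "1.5.14"),
         ("1.5.12", "1.5.14"), ("1.5.7", "1.5.14")]

# Constructed stand-in for a target, path -> (status, body); nothing on the network.
FAKE_SITE = {"/htaccess.txt": (200, "# @package Joomla"),
             "/administrator/": (200, '<form id="form-login">')}
fake_head = lambda p: FAKE_SITE.get(p, (404, ""))[0]
fake_get = lambda p: FAKE_SITE.get(p, (404, ""))[1]

if __name__ == "__main__":
    rng = deduce_range(HINTS)
    print("Deduced version range:", rng)                                  # ((1, 5, 12), (1, 5, 14))
    print("Core XSS/CSRF, <= 1.5.9:", state_from_version(rng, "<= 1.5.9"))  # No
    print("/htaccess.txt not renamed:", check_resource(fake_head, fake_get, "/htaccess.txt"))  # Yes
```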

Joomscan features:

– Exact version probing (the scanner can tell which version a target is running)

– Detection of common Joomla!-based web application firewalls

– Searching for known vulnerabilities in Joomla! and its components

– Reporting to text and HTML output

– Immediate update capability via the scanner or svn

Let’s run joomscan in Kali Linux:

root@kali:~# joomscan


 ..|''||   '|| '||'  '|'     |      .|'''.|  '||''|.  
.|'    ||   '|. '|.  .'     |||     ||..  '   ||   || 
||      ||   ||  ||  |     |  ||     ''|||.   ||...|' 
'|.     ||    ||| |||     .''''|.  .     '||  ||      
 ''|...|'      |   |     .|.  .||. |'....|'  .||.     
    

=================================================================
 OWASP Joomla! Vulnerability Scanner v0.0.4  
 (c) Aung Khant, aungkhant]at[yehg.net
 YGN Ethical Hacker Group, Myanmar, http://yehg.net/lab
 Update by: Web-Center, http://web-center.si (2011)
=================================================================
 
 Vulnerability Entries: 673
 Last update: October 22, 2012

 Usage:  ./joomscan.pl -u <string> -x proxy:port
         -u <string>      = joomla Url

         ==Optional==

         -x <string:int>  = proXy to tunnel
         -c <string>      = Cookie (name=value;)
         -g "<string>"    = desired useraGent string(within ") 
         -nv              = No Version fingerprinting check
         -nf              = No Firewall detection check
         -nvf/-nfv        = No version+firewall check
         -pe          = Poke version only and Exit
         -ot              = Output to Text file (target-joexploit.txt)
         -oh              = Output to Html file (target-joexploit.htm)
         -vu              = Verbose (output every Url scan)
     -sp          = Show completed Percentage
~Press ENTER key to continue

 Example:  ./joomscan.pl -u victim.com -x localhost:8080

 Check:    ./joomscan.pl check
           - Check if the scanner update is available or not.

 Update:   ./joomscan.pl update
           - Check and update the local database if newer version is available.

 Download: ./joomscan.pl download
           - Download the scanner latest version as a single zip file - joomscan-latest.zip.

 Defense:  ./joomscan.pl defense
           - Give a defensive note.

 About:    ./joomscan.pl story
           - A short story about joomscan.

 Read:     ./joomscan.pl read DOCFILE
           DOCFILE - changelog,release_note,readme,credits,faq,owasp_project

Usage

1. Joomscan update

Update joomscan with the update option: joomscan update

root@kali:~# joomscan update


 ..|''||   '|| '||'  '|'     |      .|'''.|  '||''|.  
.|'    ||   '|. '|.  .'     |||     ||..  '   ||   || 
||      ||   ||  ||  |     |  ||     ''|||.   ||...|' 
'|.     ||    ||| |||     .''''|.  .     '||  ||      
 ''|...|'      |   |     .|.  .||. |'....|'  .||.     
    
 
OWASP Joomla! Vulnerability Scanner Database Update
(c) Aung Khant, http://yehg.net/lab
Update by: Web-Center, http://web-center.si


Remote Database Entries: 673
Remote Last Update: October 22, 2012

Local Database Entries: 673 
Local Last update: October 22, 2012

No database update currently. Check at least once a month.

~[*] Time Taken: 1 sec
~[*] Send bugs, suggestions, contributions to [email protected]

2. Scan target website

Command: joomscan -u [target_url]

Scan through a proxy with the option -x <ip:port>, e.g. joomscan -u [target_url] -x 127.0.0.1:9050
Output to a file: with either of the options below, joomscan saves the report to joomscan/report/[target_site]_joomla-joexploit.txt, e.g. 192.168.28.129_joomla-joexploit.txt

– Output to a text file: -ot, e.g. joomscan -u [target_url] -ot

– Output to an HTML file: -oh, e.g. joomscan -u [target_url] -oh

root@kali:~# joomscan -u http://192.168.28.129/joomla/


 ..|''||   '|| '||'  '|'     |      .|'''.|  '||''|.  
.|'    ||   '|. '|.  .'     |||     ||..  '   ||   || 
||      ||   ||  ||  |     |  ||     ''|||.   ||...|' 
'|.     ||    ||| |||     .''''|.  .     '||  ||      
 ''|...|'      |   |     .|.  .||. |'....|'  .||.     
    
 
=================================================================
OWASP Joomla! Vulnerability Scanner v0.0.4  
(c) Aung Khant, aungkhant]at[yehg.net
YGN Ethical Hacker Group, Myanmar, http://yehg.net/lab
Update by: Web-Center, http://web-center.si (2011)
=================================================================


Vulnerability Entries: 673
Last update: October 22, 2012

Use "update" option to update the database
Use "check" option to check the scanner update
Use "download" option to download the scanner latest version package
Use svn co to update the scanner and the database
svn co https://joomscan.svn.sourceforge.net/svnroot/joomscan joomscan 


Target: http://192.168.28.129/joomla

Server: Apache/2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL/0.9.8k Phusion_Passenger/4.0.38 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.30


## Checking if the target has deployed an Anti-Scanner measure

[!] Scanning Passed ..... OK 


## Detecting Joomla! based Firewall ...

[!] No known firewall detected!


## Fingerprinting in progress ...

~Generic version family ....... [1.5.x]

~1.5.x configuration.php-dist revealed [1.5.10 - 1.5.14]
~1.5.x en-GB.ini revealed [1.5.12 - 1.5.14]
~1.5.x admin en-GB.com_config.ini revealed [1.5.12 - 1.5.14]
~1.5.x adminlists.html revealed [1.5.7 - 1.5.14]

* Deduced version range is : [1.5.12 - 1.5.14]

## Fingerprinting done.


## 3 Components Found in front page  ##

 com_user    com_virtuemart 
 com_mailto 
Vulnerabilities Discovered
==========================

# 1
Info -> Generic: htaccess.txt has not been renamed. 
Versions Affected: Any
Check: /htaccess.txt
Exploit: Generic defenses implemented in .htaccess are not available, so exploiting is more likely to succeed.
Vulnerable? Yes

# 2
Info -> Generic: Unprotected Administrator directory 
Versions Affected: Any
Check: /administrator/
Exploit: The default /administrator directory is detected. Attackers can bruteforce administrator accounts. Read: http://yehg.net/lab/pr0js/view.php/MULTIPLE%20TRICKY%20WAYS%20TO%20PROTECT.pdf
Vulnerable? Yes

# 3
Info -> Core: Multiple XSS/CSRF Vulnerability 
Versions Affected: 1.5.9 <= 
Check: /?1.5.9-x
Exploit: A series of XSS and CSRF faults exist in the administrator application.  Affected administrator components include com_admin, com_media, com_search.  Both com_admin and com_search contain XSS vulnerabilities, and com_media contains 2 CSRF vulnerabilities.  
Vulnerable? No

.......


# 43
Info -> Component: JA T3-Framework Directory Traversal Vulnerability 
Versions Affected: any 
Check: /index.php?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&jat3action=gzip&type=css&v=1
Exploit: /index.php?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&jat3action=gzip&type=css&v=1
Vulnerable? No

# 44
Info -> Component: Joomla 2.5.6 Cross Site Scripting 
Versions Affected: 2.5.6 
Check: /index.php/image-gallery/"><script>alert('xss')</script>/25-koala
Exploit: /index.php/image-gallery/"><script>alert('xss')</script>/25-koala
Vulnerable? N/A

There are 5 vulnerable points in 44 found entries!

~[*] Time Taken: 27 sec
~[*] Send bugs, suggestions, contributions to [email protected]

References

https://www.owasp.org/index.php/Category:OWASP_Joomla_Vulnerability_Scanner_Project
