Sunday, August 28, 2011

Hacking Joomla! -- the fast and easy way


Popular open source Content Management Systems (CMSs) like Drupal, Joomla! and WordPress are regularly subject to source code reviews as well as blackbox pentesting. Vulnerabilities in these systems are therefore quickly identified and fixed, and security updates are released frequently.
Unfortunately, people tend to install the base CMS, add plugins, build their website and then never upgrade when security patches become available. Furthermore, third-party plugins usually widen the attack surface and expose the CMS-based website to new threats.

During pentests, when facing a CMS-based website, I often look for open source security tools that target the CMS in question specifically. These tools usually excel at fingerprinting the CMS version used by the target, detecting installed plugins/themes, and identifying the corresponding vulnerabilities.
Of course, I'd love to fire up generic active web scanners (Skipfish, Arachni, w3af, etc.), as well as my preferred proxy tools (ZAP and WebScarab), to perform a full-blown web pentest of the target application. However, during short, time-boxed penetration tests I'm compelled to look for the low-hanging fruit. Hence, instead of trying to reinvent the wheel, I make good use of CMS-targeted tools.

In this post, I'm going to describe the free security tools I use against Joomla!-based websites. If you know another utility or tip to use against Joomla! installations, feel free to mention it below as a comment.

Test Lab Setup
I'm going to run the tests against the default Joomla! installation on a TurnKey virtual machine. For those of you who are not familiar with TurnKey, it is a collection of 45+ free, ready-to-use appliances, including popular CMSs like Joomla!.
Anyway, the tools I'm going to demonstrate are CMS Explorer, the OWASP Joomla Vulnerability Scanner (joomscan), and Nmap's http-joomla-brute NSE script.

The base operating system for the attack toolset is going to be BackTrack 5. Lucky me, all three tools come pre-installed on the distribution.

CMS Explorer
CMS Explorer is a tool developed by the creator of Nikto. It covers several CMSs, including Drupal, WordPress and Joomla!.
The first thing you should do when using CMS Explorer is to create a file named osvdb.key containing an OSVDB API key and place it in the CMS Explorer install directory. You can get an OSVDB API key for free from http://osvdb.org/api/about. The CMS Explorer install directory in BackTrack 5 is /pentest/enumeration/web/cms-explorer.
This key is used by the tool to query OSVDB for vulnerabilities corresponding to the plugins and themes it finds installed.
Here is the command line I run in order to launch a CMS Explorer scan:

root@bt:/pentest/enumeration/web/cms-explorer# ./cms-explorer.pl -url http://192.168.1.103/ -explore -type=Joomla -osvdb 

First, CMS Explorer identifies the themes and plugins installed on the Joomla!-based website:


Then, it looks up all the vulnerabilities in OSVDB that correspond to the plugins and themes it found.


Maybe CMS Explorer is a little too verbose, but it does a decent job of detecting installed Joomla! components and identifying the vulnerabilities associated with them.

OWASP Joomla Vulnerability Scanner (aka joomscan)
OWASP Joomla Vulnerability Scanner, or Joomscan, is an official OWASP project and a flagship Joomla! scanner. Joomscan's features include thorough version detection as well as signature-based vulnerability identification for Joomla! installations. As of this writing, the Joomscan vulnerability database contains 466 distinct entries.
The tool is ready to use on BackTrack 5, and using it is as simple as running the following command:

root@bt:/pentest/web/scanners/joomscan# ./joomscan.pl -u http://192.168.1.103/ 


Joomscan first performs version probing against the target, as shown below:


Then, it detects the vulnerabilities affecting the target:

Nmap (http-joomla-brute NSE script)
The final tool I'm going to demonstrate is Nmap, or more precisely the http-joomla-brute NSE script. Written by @calderpwn, this Nmap script performs brute forcing of Joomla! administration authentication forms. Unfortunately, it hasn't been added to the official repository yet, but you can get it here: https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/http-joomla-brute.nse

First, let's add the script to the Nmap scripts directory:
root@bt:~# cp http-joomla-brute.nse /usr/local/share/nmap/scripts/ 
Then, we update the Nmap script database using the following command:
root@bt:~# nmap --script-updatedb 
Finally, we're ready to go:
root@bt:~# nmap -p80 --script http-joomla-brute --script-args 'userdb=/root/users.txt,passdb=/root/passwds.txt,http-joomla-brute.threads=3,brute.firstonly=true' 192.168.1.103

users.txt and passwds.txt are two files containing the usernames and passwords that will be tried against the form.
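Added here as a defender's counterpart to the three tools above, and not code from the original post or from any of those tools: a small Python detector that reads Apache/nginx "combined" access-log lines and flags the two traffic patterns such scanners leave behind, a burst of 404s on extension paths (plugin/theme enumeration) and a burst of POSTs to the administrator login (form brute forcing). The login path, the extension path prefixes, the thresholds and the sample log lines are my assumptions and constructed data, not values taken from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Minimal regex for the Apache/nginx "combined" access-log format.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*"')
# Assumptions (not from the post): the back-end login is a POST to /administrator/index.php,
# and extension enumerators probe /components/com_*/-style paths that answer 404 when absent.
LOGIN_PATH = "/administrator/index.php"
EXT_PATH_RE = re.compile(r'^/(administrator/)?(components|modules|plugins|templates)/')

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d

def detect(lines, window_s=60, enum_threshold=10, login_threshold=5):
    """Return {ip: {labels}}; a label fires when `threshold` matching requests
    from one IP fall inside any sliding window of `window_s` seconds."""
    hits = defaultdict(lambda: {"enum": [], "login": []})
    for rec in filter(None, map(parse, lines)):
        if rec["status"] == 404 and EXT_PATH_RE.match(rec["path"]):
            hits[rec["ip"]]["enum"].append(rec["ts"])
        if rec["method"] == "POST" and rec["path"].startswith(LOGIN_PATH):
            hits[rec["ip"]]["login"].append(rec["ts"])
    alerts = defaultdict(set)
    for ip, kinds in hits.items():
        for label, thr in (("enum", enum_threshold), ("login", login_threshold)):
            ts = sorted(kinds[label])  # compare each event with the one thr-1 events earlier
            if any((ts[i] - ts[i - thr + 1]).total_seconds() <= window_s
                   for i in range(thr - 1, len(ts))):
                alerts[ip].add(label)
    return dict(alerts)

# Constructed sample traffic (not real logs): one noisy source, one normal visitor.
def _line(ip, sec, method, path, status):
    return (f'{ip} - - [28/Aug/2011:10:00:{sec:02d} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')

SAMPLE_LOG = (
    [_line("10.0.0.5", s, "GET", f"/components/com_x{s}/", 404) for s in range(12)]
    + [_line("10.0.0.5", 20 + s, "POST", LOGIN_PATH, 303) for s in range(6)]
    + [_line("10.0.0.9", 30, "GET", "/index.php", 200),
       _line("10.0.0.9", 40, "POST", LOGIN_PATH, 303)]
)
```

Running detect(SAMPLE_LOG) flags 10.0.0.5 for both enumeration and login brute forcing while the single legitimate login from 10.0.0.9 stays below threshold; tune window_s and the thresholds to your site's normal traffic.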


Well, that's it for today's Joomla! hacking round. I'm not going to compare the utilities, as each one is specific and useful in its own way. Please don't forget to add your favorite Joomla! hacking tools and tips as a comment below. I'll try to keep this post updated, and hopefully post about other CMSs. Meanwhile, happy Joomla! hacking :)
