joomscan

Phase(s):

Primary: Discovery.
Secondary: N/A.

Description:

Tool that scans web applications built on the Joomla content management system for known vulnerabilities.

Objective:

  • Identify the web application Joomla system version.
  • Identify known vulnerabilities present on the Joomla system.

Features:

Supported technologies: Web applications developed with the Joomla system.

Operating mode: Active.

Identify the web application Joomla system version.

  • Provides the identified Joomla system version.
  • Provides additional information detected on the response headers such as the server or technologies used.

    Identify known vulnerabilities present on the Joomla system.

    • Provides a known-vulnerability repository list used for the vulnerability scan, in which each entry includes:
      • Vulnerability name.
      • Affected versions of Joomla systems.
      • Test to be performed, including the payload (if required).
      • Payload.

    Reports:

    Output reports in TXT or HTM format, which contain:

    • Information on the scanned web application:
      • Application URL.
      • Response headers with the server or technologies information.
    • Graphics of the vulnerability summary.
    • Reconnaissance result:
      • Firewall detection.
      • Version fingerprinting.
    • Vulnerability assessment report:
      • Vulnerability name.
      • Affected versions of Joomla systems.
      • Test to be performed, including the payload (if required).
      • Payload.
      • Result of the test.

    Basic usage:

    Begin a basic scan. The following command initiates a basic scan of a web application based on the Joomla system.

    ./joomscan.pl -u [URL] -oh -vu


    Where:

    • URL: Web application URL address.
    • -oh: Export the results in HTM format (to the base directory).
    • -vu: Verbose mode.

    The tool will begin with the initial analysis of the web application by getting the response headers with information about the server or technologies used.

    ..|''|| '|| '||' '|' | .|'''.| '||''|.
    .|' || '|. '|. .' ||| ||.. ' || ||
    || || || || | | || ''|||. ||...|'
    '|. || ||| ||| .''''|. . '|| ||
    ''|...|' | | .|. .||. |'....|' .||.


    =================================================================
    OWASP Joomla! Vulnerability Scanner v0.0.4
    (c) Aung Khant, aungkhant]at[yehg.net
    YGN Ethical Hacker Group, Myanmar, http://yehg.net/lab
    Update by: Web-Center, http://web-center.si (2011)
    =================================================================


    Vulnerability Entries: 673
    Last update: October 22, 2012

    Use "update" option to update the database
    Use "check" option to check the scanner update
    Use "download" option to download the scanner latest version package
    Use svn co to update the scanner and the database
    svn co https://joomscan.svn.sourceforge.net/svnroot/joomscan joomscan


    Target: http://localhost:9001/joomla

    Server: Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1
    X-Powered-By: PHP/5.3.8


    Then, it will try to detect whether security mechanisms are in place on the server or web application, such as an IDS (Intrusion Detection System) or a Joomla-based application firewall.

    ## Checking if the target has deployed an Anti-Scanner measure

    [!] Scanning Passed ..... OK

    ## Detecting Joomla! based Firewall ...

    [!] No known firewall detected!


    Afterwards, it will begin the fingerprinting analysis of the Joomla system in order to retrieve its version.

    ## Fingerprinting in progress ...

    ~Generic version family ....... [1.5.x]

    ~1.5.x en-GB.ini revealed [1.5.12 - 1.5.14]

    * Deduced version range is : [1.5.12 - 1.5.14]

    ## Fingerprinting done.


    Once the initial analysis is completed, it will begin the vulnerability scan, verifying each entry of the known-vulnerability repository list against the web application. As the active scan continues, it checks for the presence of each vulnerability by sending a request that includes the payload (if required) defined in the repository list.

    Vulnerabilities Discovered
    ==========================

    # 1
    Info -> Generic: htaccess.txt has not been renamed.
    Versions Affected: Any
    Check: /htaccess.txt
    Exploit: Generic defenses implemented in .htaccess are not available, so exploiting is more likely to succeed.
    Vulnerable? Yes


    The tool will continue scanning until all tests in the repository list have been completed. It then displays the results of the vulnerability scan: the number of vulnerabilities identified in the application, the name and directory of the exported report, and the total scan time.

    # 2
    Info -> Generic: Unprotected Administrator directory
    Versions Affected: Any
    Check: /administrator/
    Exploit: The default /administrator directory is detected. Attackers can bruteforce administrator accounts. Read: http://yehg.net/lab/pr0js/view.php/MULTIPLE%20TRICKY%20WAYS%20TO%20PROTECT.pdf
    Vulnerable? Yes


    # 42
    Info -> Component: JA T3-Framework Directory Traversal Vulnerability
    Versions Affected: any
    Check: /index.php?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&jat3action=gzip&type=css&v=1
    Exploit: /index.php?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&jat3action=gzip&type=css&v=1
    Vulnerable? No



    There are 5 vulnerable points in 43 found entries!

    ~Done saving result as report/localhost:9001_joomla-joexploit.htm

    ~[*] Time Taken: 1 min and 14 sec
    ~[*] Send bugs, suggestions, contributions to joomscan@yehg.net


    Finally, the scan reports will be available in the “reports” folder within the tool directory (there is no custom export path option).
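The text output shown in the steps above (Target, deduced version range, and the numbered "Vulnerabilities Discovered" entries) is the only machine-readable artefact when the -oh HTM report is not wanted. The following parser is an added example, not part of joomscan or the original page: it turns that output into structured findings and lists only the entries marked vulnerable, generic misconfigurations first, so a site owner can triage what to fix. The target and the trimmed three-entry sample are constructed to mirror the page's output, not a real scan.

```python
import re
# Constructed sample modelled on the joomscan text output shown above
# (hypothetical target, trimmed to three entries; not output of a real scan).
SAMPLE_OUTPUT = """\
Target: http://localhost:9001/joomla
* Deduced version range is : [1.5.12 - 1.5.14]
# 1
Info -> Generic: htaccess.txt has not been renamed.
Versions Affected: Any
Check: /htaccess.txt
Exploit: Generic defenses implemented in .htaccess are not available.
Vulnerable? Yes

# 2
Info -> Generic: Unprotected Administrator directory
Versions Affected: Any
Check: /administrator/
Exploit: The default /administrator directory is detected. Vulnerable? Yes

# 42
Info -> Component: JA T3-Framework Directory Traversal Vulnerability
Versions Affected: any
Check: /index.php?file=..%2fetc%2fpasswd&jat3action=gzip&type=css&v=1
Exploit: /index.php?file=..%2fetc%2fpasswd&jat3action=gzip&type=css&v=1
Vulnerable? No
"""
# One entry block; "Vulnerable?" may sit on its own line or be fused onto the Exploit line (entry #2), so \s* accepts both.
ENTRY_RE = re.compile(
    r"^# (?P<num>\d+)\nInfo -> (?P<category>\w+): (?P<title>.+?)\n"
    r"Versions Affected: (?P<versions>.+?)\nCheck: (?P<check>.+?)\n"
    r"Exploit: (?P<exploit>.+?)\s*Vulnerable\? (?P<vuln>Yes|No)$",
    re.MULTILINE | re.DOTALL,
)

def parse_joomscan(text):
    # Target line and deduced version range come from the reconnaissance part of the output.
    target = re.search(r"^Target: (\S+)", text, re.M)
    version = re.search(r"Deduced version range is : \[(.+?)\]", text)
    findings = []
    for m in ENTRY_RE.finditer(text):
        entry = m.groupdict()
        entry["num"] = int(entry["num"])
        entry["vulnerable"] = entry.pop("vuln") == "Yes"  # "Yes"/"No" -> bool
        findings.append(entry)
    return {"target": target.group(1) if target else None,
            "version_range": version.group(1) if version else None,
            "findings": findings}

def triage(report):
    # Keep only entries the scanner marked vulnerable; generic misconfigurations first, then by entry number.
    hits = [f for f in report["findings"] if f["vulnerable"]]
    return sorted(hits, key=lambda f: (f["category"] != "Generic", f["num"]))
```

Feed the saved stdout of a real run to parse_joomscan(); the "Check" path of each triaged entry is the location to fix or restrict on the server.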

    Reports example: [screenshots of the generated HTM report not reproduced here]

    Resources:

    Link: https://www.owasp.org/index.php/Category:OWASP_Joomla_Vulnerability_Scanner_Project
    Author(s): Aung Khant
    Contact: aungkhant [at] yehg.net
    http://yehg.net/lab
    License: GNU GPL Version 3
