adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3da170a43c7f288fe9bc88fe325da488733acac3
metasploit-gs/documentation/modules/auxiliary/scanner/http/joomla_plugins.md
T
William Vu ade9c23772 Don't be lazy and spell out "introduction" in docs 
This was unfortunately my doing, and then people copied me.
2019-09-30 16:58:00 -05:00

144 lines
5.1 KiB
Markdown
Raw Blame History

## Introduction
This module scans for Joomla Content Management System running on a web server for components/plugins.
The list can be found in [data/wordlists/joomla.txt](https://github.com/rapid7/metasploit-framework/blob/master/data/wordlists/joomla.txt).
## Usage
```
msf5 > use auxiliary/scanner/http/joomla_plugins
msf5 auxiliary(scanner/http/joomla_plugins) > set rhosts 192.168.2.39
rhosts => 192.168.2.39
msf5 auxiliary(scanner/http/joomla_plugins) > run
[+] Plugin: /?1.5.10-x
[+] Plugin: /?1.5.11-x-http_ref
[+] Plugin: /?1.5.11-x-php-s3lf
[+] Plugin: /?1.5.3-path-disclose
[+] Plugin: /?1.5.3-spam
[+] Plugin: /?1.5.8-x
[+] Plugin: /?1.5.9-x
[+] Plugin: /?j1012-fixate-session
[+] Plugin: /administrator/
[+] Plugin: /administrator/components/
[+] Plugin: /administrator/components/com_admin/
[+] Plugin: /administrator/index.php?option=com_djartgallery&task=editItem&cid[]=1'+and+1=1+--+
[+] Plugin: /administrator/index.php?option=com_searchlog&act=log
[+] Plugin: /components/com_banners/
[+] Plugin: /components/com_content/
[+] Page: /index.php?option=com_content
[+] Plugin: /components/com_mailto/
[+] Plugin: /components/com_search/
[+] Page: /index.php?option=com_search
[+] Plugin: /components/com_users/
[+] Page: /index.php?option=com_users
[+] Plugin: /index.php?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&jat3action=gzip&type=css&v=1
[+] Vulnerability: Potential LFI
[+] Plugin: /index.php?option=com_newsfeeds&view=categories&feedid=-1%20union%20select%201,concat%28username,char%2858%29,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%20from%20jos_users--
[+] Page: /index.php?option=com_newsfeeds&view=categories&feedid=-1%20union%20select%201,concat%28username,char%2858%29,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%20from%20jos
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
## Confirming using Joomscan
The `-ec` flag is used to enumerate components/plugins.
```
# joomscan -u 192.168.2.39 -ec
____ _____ _____ __ __ ___ ___ __ _ _
(_ _)( _ )( _ )( \/ )/ __) / __) /__\ ( \( )
.-_)( )(_)( )(_)( ) ( \__ \( (__ /(__)\ ) (
\____) (_____)(_____)(_/\/\_)(___/ \___)(__)(__)(_)\_)
(1337.today)
--=[OWASP JoomScan
+---++---==[Version : 0.0.5
+---++---==[Update Date : [2018/03/13]
+---++---==[Authors : Mohammad Reza Espargham , Ali Razmjoo
--=[Code name : KLOT
@OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP
Processing http://192.168.2.39 ...
...snip...
[+] Enumeration component (com_ajax)
[++] Name: com_ajax
Location : http://192.168.2.39/components/com_ajax/
Directory listing is enabled : http://192.168.2.39/components/com_ajax/
[+] Enumeration component (com_banners)
[++] Name: com_banners
Location : http://192.168.2.39/components/com_banners/
Directory listing is enabled : http://192.168.2.39/components/com_banners/
[+] Enumeration component (com_contact)
[++] Name: com_contact
Location : http://192.168.2.39/components/com_contact/
Directory listing is enabled : http://192.168.2.39/components/com_contact/
[+] Enumeration component (com_content)
[++] Name: com_content
Location : http://192.168.2.39/components/com_content/
Directory listing is enabled : http://192.168.2.39/components/com_content/
[+] Enumeration component (com_contenthistory)
[++] Name: com_contenthistory
Location : http://192.168.2.39/components/com_contenthistory/
Directory listing is enabled : http://192.168.2.39/components/com_contenthistory/
[+] Enumeration component (com_fields)
[++] Name: com_fields
Location : http://192.168.2.39/components/com_fields/
Directory listing is enabled : http://192.168.2.39/components/com_fields/
[+] Enumeration component (com_finder)
[++] Name: com_finder
Location : http://192.168.2.39/components/com_finder/
Directory listing is enabled : http://192.168.2.39/components/com_finder/
[+] Enumeration component (com_mailto)
[++] Name: com_mailto
Location : http://192.168.2.39/components/com_mailto/
Directory listing is enabled : http://192.168.2.39/components/com_mailto/
Installed version : 3.1
[+] Enumeration component (com_media)
[++] Name: com_media
Location : http://192.168.2.39/components/com_media/
Directory listing is enabled : http://192.168.2.39/components/com_media/
[+] Enumeration component (com_newsfeeds)
[++] Name: com_newsfeeds
Location : http://192.168.2.39/components/com_newsfeeds/
Directory listing is enabled : http://192.168.2.39/components/com_newsfeeds/
[+] Enumeration component (com_search)
[++] Name: com_search
Location : http://192.168.2.39/components/com_search/
Directory listing is enabled : http://192.168.2.39/components/com_search/
[+] Enumeration component (com_users)
[++] Name: com_users
Location : http://192.168.2.39/components/com_users/
Directory listing is enabled : http://192.168.2.39/components/com_users/
[+] Enumeration component (com_wrapper)
[++] Name: com_wrapper
Location : http://192.168.2.39/components/com_wrapper/
Directory listing is enabled : http://192.168.2.39/components/com_wrapper/
Installed version : 3.1
```
Reference in New Issue View Git Blame Copy Permalink