*Disclaimer: For educational purposes only. Use at your own risk.*

A few days ago, Ahlspiess from the TBD.My forum released a script that is able to find any security holes that lie in a Joomla!-based website. From the feedback in the forum and on blogs, I can see that most people do not know how to use the script (or maybe they are just pretending not to know).
To all skiddies, please pay full attention here!
Level: Beginner
Estimated time to finish: 5 minutes
Methodology
How does the script work? The script scans the targeted website and finds which components are used/available on it. Next, it searches Exploit-DB.com to see whether any vulnerability has been reported for those components. If there is a report, then you can ~~exploit and hack the website~~ patch the components as needed.
The Script
```php
<?php
/*
jComDetect - Joomla Components Detection.
Copyright (C) 2011 Ahlspiess <ahlspiess@tbdsecurity.com>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/

class jComDetect {
    public $argv;

    function __construct() {
        global $argv;
        $this->argv = $argv;
        if (!isset($this->argv[1])) {
            $this->Help();
        } else {
            $this->init();
        }
    }

    // Fetch the target page and stop unless a 200 status line came back.
    function init() {
        $content = $this->cURL($this->argv[1]);
        // Matches "HTTP/1.1 200 OK" as well as the HTTP/2 form "HTTP/2 200".
        if (!preg_match('/^HTTP\/\S+ 200\b/m', (string) $content)) {
            $this->msg("[-] Error! Target did not return 200 OK");
            exit;
        } else {
            $this->jCheckComp($content);
        }
    }

    // Extract the Joomla! version and the component names (com_*) from the page.
    function jCheckComp($content) {
        $dupe = array();
        $nstack = array();
        // The generator meta tag reads "Joomla! <version> - ...".
        preg_match_all("/Joomla\! (.*?) \-/", $content, $ver);
        if (isset($ver[1][0])) {
            $this->msg("[+] Joomla version ".$ver[1][0]);
        }
        #$nstack[] = "joomla ".$ver[1][0];
        // Components referenced by path (/component/<name>/ or /components/com_<name>/).
        preg_match_all("/\/component(s?)\/(.*?)\//", $content, $val_1);
        // Components referenced by query string (option=com_<name>&).
        preg_match_all("/option=(.*?)\&/", $content, $val_2);
        // Normalise every path match to the com_<name> form (the original
        // join() left the first element without its prefix).
        $var1 = array();
        foreach ($val_1[2] as $name) {
            $var1[] = (strpos($name, "com_") === 0) ? $name : "com_".$name;
        }
        $var2 = $val_2[1];
        $stack = array_merge($var1, $var2);
        foreach ($stack as $unstack) {
            if (!isset($dupe[$unstack]) and !empty($unstack) and preg_match("/com_/", $unstack)) {
                $this->msg("[+] Found {$unstack} Component");
                $nstack[] = $unstack;
                $dupe[$unstack] = true;
            }
        }
        // The original debug line echoed an undefined constant (__fVULN__) and was removed.
        $this->fVuln($nstack);
    }

    // Look up each detected component on Exploit-DB and print the matching reports.
    function fVuln($c = array()) {
        $content = "";
        foreach ($c as $com) {
            // urlencode() keeps text scraped from the page from breaking the query string.
            $content .= $this->cURL("http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=".urlencode($com)."&filter_exploit_text=&filter_author=&filter_platform=31&filter_type=6&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=");
        }
        preg_match_all("/\<a href=\"http\:\/\/www\.exploit\-db\.com\/exploits\/(.*?)\"\>(.*?)\n/", $content, $me);
        for ($i = 0; $i < count($me[1]); $i++) {
            $this->msg("[+] ".trim(str_replace("</a>", "", $me[2][$i]))."\n --> http://www.exploit-db.com/exploits/".trim($me[1][$i]));
        }
    }

    // HTTP GET that returns response headers plus body, or 0 on failure.
    function cURL($url) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_HEADER, 1);
        curl_setopt($ch, CURLOPT_TIMEOUT, 15);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        // Certificate verification is off, so HTTPS responses are not authenticated.
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_USERAGENT, "jVulnComponent Crawler v1-Ahlspiess");
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
        $data = curl_exec($ch);
        curl_close($ch);
        if ($data) {
            return $data;
        } else {
            return 0;
        }
    }

    function Help() {
        $this->msg("Usage: php ".$this->argv[0]." <host/path>");
        $this->msg("Example: php ".$this->argv[0]." www.joomla.org/joomla/");
        $this->msg("Example: php ".$this->argv[0]." http://www.joomla.org/joomla/");
        exit;
    }

    function msg($x) {
        printf("%s\n", $x);
    }
}

// Run the scan when the file is executed from the command line.
$jMe = new jComDetect;
?>
```
The Steps
[1] Make sure you already have PHP installed on your computer. If not, you may refer to Php.Net on how to install PHP on Windows. For a Linux-based environment (such as Ubuntu), you may use the terminal or Synaptic Package Manager. You also have to enable cURL. (Please do not ask how to install PHP here.)
[2] Save the script above as jscan.php, for example. From the command prompt or terminal, execute the script by typing:

```
php jscan.php <the target url>
```

Example: `php jscan.php pisyek.com`
[3] Done!
So, here I have attached some screenshots to prove that the script really works!
Note
[1] If you find that no data appears after the execution (because the server is blocking our user agent), you just need to change the user agent's name at line #87 (the `CURLOPT_USERAGENT` option in the `cURL()` function). For example:

```php
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13");
```
[2] If you do not know what SQL injection, Remote File Inclusion (RFI) or whatever it is, do some Google-ing or Yahoo-ing (even Ask-ing will do).
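The server-side view of Note [1], as an added example that is not part of the original post or of the jComDetect script: a log check that flags the script's default User-Agent and, because that string can be changed in one line, also flags the replacement User-Agent from the note when the client never fetches any page assets. The combined log format, the asset extension list, the function name `find_scans` and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# User-Agent hard-coded in the script's cURL() function (from this page).
SCRIPT_UA = "jVulnComponent Crawler v1-Ahlspiess"
# Replacement User-Agent suggested in Note [1] (from this page).
NOTE_UA = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) "
           "Gecko/20080311 Firefox/2.0.0.13")

# Assumption: Apache/nginx "combined" access log format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Assumption: these extensions stand in for "assets a real browser would load".
ASSET_RE = re.compile(r"\.(css|js|png|jpe?g|gif|ico|woff2?)(\?|$)", re.I)


def find_scans(lines):
    """Return {ip: reason} for clients that look like the script on this page."""
    uas = defaultdict(set)
    fetched_assets = defaultdict(bool)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip = m["ip"]
        uas[ip].add(m["ua"])
        if ASSET_RE.search(m["path"]):
            fetched_assets[ip] = True

    findings = {}
    for ip, seen in uas.items():
        if any(SCRIPT_UA.lower() in ua.lower() for ua in seen):
            findings[ip] = "default script User-Agent"
        elif NOTE_UA in seen and not fetched_assets[ip]:
            # A browser loads CSS/JS/images; the script fetches only the page.
            findings[ip] = "Note [1] User-Agent, no asset requests"
    return findings


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2012:10:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "' + SCRIPT_UA + '"',
    '198.51.100.7 - - [01/Jan/2012:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "' + NOTE_UA + '"',
    '203.0.113.5 - - [01/Jan/2012:10:06:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "' + NOTE_UA + '"',
    '203.0.113.5 - - [01/Jan/2012:10:06:01 +0000] "GET /templates/site.css HTTP/1.1" 200 900 "-" "' + NOTE_UA + '"',
]

if __name__ == "__main__":
    for ip, reason in find_scans(SAMPLE).items():
        print(ip, reason)
```

The second rule is a low-confidence signal to review rather than block on, since any text-only client that sends the same header would also match.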
Conclusion
The steps are very simple. So there is no reason why you cannot secure your Joomla! website. Do promote this post to your friends or admins or any webmasters you know.
*Onward, Skiddies, for the Nation*


Nice… can give it a try after this.

Whoa, going to be a hacker after this.

#thebest. Can try this. Nice tutorial.
Not showing wpscan.php as well? Hehe
wpscan.php sooooonnnn~ hahahahaha. Writing about it is definitely in the plan.
P.S.: I heard the script isn't mature yet, so I can't be bothered to promote it. Hehehe.
Joomla is so confusing… waiting for wpscan next… hurry up, hurry up, hurry up… can't wait… hak hak hak…