Joomscan, analizando Joomla!
El uso de los CMS para la creación de páginas webs es algo que está a la orden del día.
Ya hace años que este tipo de gestores de contenido se están actualizando ofreciendo a los usuarios cada vez mas funcionalidades.
El usuario que instala este tipo de gestores no ha de tener ni idea de informática, ya se han encargado de hacerlo muy sencillo para que se pueda instalar.
El uso masivo de este tipo de plataformas en usuarios sin los conocimientos necesarios y sin una concienciación en seguridad, hace que los ciber-criminales tengan com objetivo este tipo de plataforma.
Es por eso que han surgido herramientas que nos harán la tarea de analizar estos CMS en busca de vulnerabilidades.
En el artículo de hoy usaremos joomscan, una herramienta de Owasp para el análisis de CMS del tipo Joomla.
Primero accedemos al sitio web de la herramienta => https://www.owasp.org/index.php/Category:OWASP_Joomla_Vulnerability_Scanner_Project
Nos la bajamos y empezamos a usarla.
Para ejecutarla es sencillo
perl joomscan.pl -u WEB
Con eso Joomscan hará el resto, vamos a ver el output de un escaneo realizado.
darkmac:trunk marc$ perl joomscan.pl -u WEB
..|''|| '|| '||' '|' | .|'''.| '||''|.
.|' || '|. '|. .' ||| ||.. ' || ||
|| || || || | | || ''|||. ||...|'
'|. || ||| ||| .''''|. . '|| ||
''|...|' | | .|. .||. |'....|' .||.=================================================================
OWASP Joomla! Vulnerability Scanner v0.0.4
(c) Aung Khant, aungkhant]at[yehg.net
YGN Ethical Hacker Group, Myanmar, http://yehg.net/lab
Update by: Web-Center, http://web-center.si (2011)
=================================================================
Vulnerability Entries: 673
Last update: October 22, 2012Target:
Server: Apache/2.2.8 (Ubuntu) DAV/2 mod_python/3.3.1 Python/2.5.2 PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.12
## Checking if the target has deployed an Anti-Scanner measure[!] Scanning Passed ..... OK
## Detecting Joomla! based Firewall ...[!] No known firewall detected!
## Fingerprinting in progress ...~Generic version family ....... [1.5.x]
~1.5.x en-GB.ini revealed [1.5.12 - 1.5.14]
* Deduced version range is : [1.5.12 - 1.5.14]
## Fingerprinting done.
## 4 Components Found in front page ##com_joomap com_profesores
com_eventlist com_contentVulnerabilities Discovered
==========================# 1
Info -> Generic: htaccess.txt has not been renamed.
Versions Affected: Any
Check: /htaccess.txt
Exploit: Generic defenses implemented in .htaccess are not available, so exploiting is more likely to succeed.
Vulnerable? Yes# 2
Info -> Generic: Unprotected Administrator directory
Versions Affected: Any
Check: /administrator/
Exploit: The default /administrator directory is detected. Attackers can bruteforce administrator accounts. Read: http://yehg.net/lab/pr0js/view.php/MULTIPLE%20TRICKY%20WAYS%20TO%20PROTECT.pdf
Vulnerable? N/A# 3
Info -> Core: Multiple XSS/CSRF Vulnerability
Versions Affected: 1.5.9 <=
Check: /?1.5.9-x
Exploit: A series of XSS and CSRF faults exist in the administrator application. Affected administrator components include com_admin, com_media, com_search. Both com_admin and com_search contain XSS vulnerabilities, and com_media contains 2 CSRF vulnerabilities.
Vulnerable? No# 4
Info -> Core: JSession SSL Session Disclosure Vulnerability
Versions effected: Joomla! 1.5.8 <=
Check: /?1.5.8-x
Exploit: When running a site under SSL (the entire site is forced to be under ssl), Joomla! does not set the SSL flag on the cookie. This can allow someone monitoring the network to find the cookie related to the session.
Vulnerable? No# 5
Info -> Core: Frontend XSS Vulnerability
Versions effected: 1.5.10 <=
Check: /?1.5.10-x
Exploit: Some values were output from the database without being properly escaped. Most strings in question were sourced from the administrator panel. Malicious normal admin can leverage it to gain access to super admin.
Vulnerable? No# 6
Info -> Core: Missing JEXEC Check - Path Disclosure Vulnerability
Versions effected: 1.5.11 <=
Check: /libraries/phpxmlrpc/xmlrpcs.php
Exploit: /libraries/phpxmlrpc/xmlrpcs.php
Vulnerable? No
Nos ha echo mediante fuerza bruta la comprobación de los plugins instalados.
Este script también es capaz de identificar medidas de protección que tengamos activadas:
## Checking if the target has deployed an Anti-Scanner measure
[!] Scanning Passed ..... OK
## Detecting Joomla! based Firewall ...[!] A Joomla! RS-Firewall (com_rsfirewall/com_firewall) is detected.
[!] The vulnerability probing may be logged and protected.[!] A Joomla! J-Firewall (com_jfw) is detected.
[!] The vulnerability probing may be logged and protected.[!] A SecureLive Joomla!(mod_securelive/com_securelive) firewall is detected.
[!] The vulnerability probing may be logged and protected.[!] A SecureLive Joomla! firewall is detected.
[!] The vulnerability probing may be logged and protected.[!] FWScript(from firewallscript.com) is likely to be used.
[!] The vulnerability probing may be logged and protected.[!] A Joomla! security scanner (com_joomscan/com_joomlascan) is detected.
[!] It is likely that webmaster routinely checks insecurities.[!] A security scanner (com_securityscanner/com_securityscan) is detected.
[!] A Joomla! jSecure Authentication is detected.
[!] You need additional secret key to access /administrator directory
[!] Default is jSecure like /administrator/?jSecure 😉[!] A Joomla! GuardXT Security Component is detected.
[!] It is likely that webmaster routinely checks for insecurities.[!] A Joomla! JoomSuite Defender is detected.
[!] The vulnerability probing may be logged and protected.
Joomscan puede complementar nuestras pruebas manuales en una auditoría web y también otras apliaciones como w3af o similares, sin duda a tener en cuenta.