I recently came across a program written in Perl called joomlascan, which does exactly what you are imagining: it scans websites running this popular CMS looking for vulnerabilities that would make their later exploitation easier.
The way it performs the scan is not very complex: it tries to determine the core version and, once it has it, looks that version up in its list of known vulnerabilities. It also offers detection of third-party components and of possible vulnerabilities affecting them.
As I mentioned, it is a Perl script, which can be downloaded from here.
shell> joomlascan.pl
o |
.,---.,---.,-.-.| ,---. ,---.,---.,---.,---.
|| || || | || ,---|---`---.| ,---|| |
|`---'`---'` ' '`---'`---^ `---'`---'`---^` '
`---'
Usage: joomlascan.pl -u [options]
== Options ==
-p = proxy:port
-a = Admin folder (default '/administration')
-v = Check version
-c = Check components
-f = Check firewall
-co = Check bugs in core (require -v)
-cm = Check bugs in components (require -c)
-all = Check all (default)
-ot = Output to text file
-oh = Output to html file
-update = Search for updates
-force-update = Force to download updates
-about = About joomlascan
-version = Print version info
-h, -help = This help
== Examples ==
To scan running joomla version and components:
$ joomlascan.pl -u www.host.com -v -c
To scan version and core bugs:
$ joomlascan.pl -u www.host.com -v -co
And here is an example of the script in action.
shell> joomlascan.pl -u www.host.com -v -c
o |
.,---.,---.,-.-.| ,---. ,---.,---.,---.,---.
|| || || | || ,---|---`---.| ,---|| |
|`---'`---'` ' '`---'`---^ `---'`---'`---^` '
`---'
Running on Apache/2.2.14 (Ubuntu)
Components:
com_content
Joomla! version [1.5.15.Stable]
This is how we found out the Joomla version running on a well-known site ;-). If we now want to see the security flaws present in the core, we run it with the -co option.
shell> joomlascan.pl -u www.host.com -v -co
o |
.,---.,---.,-.-.| ,---. ,---.,---.,---.,---.
|| || || | || ,---|---`---.| ,---|| |
|`---'`---'` ' '`---'`---^ `---'`---'`---^` '
`---'
Running on Apache/2.2.14 (Ubuntu)
Joomla! version [1.5.15.Stable]
Possible vulnerabilities in core:
================================
Possible vulnerability: Administration Pages Multiple HTML Injection Vulnerabilities
Versions affected: Joomla! [1.5.0-1.5.19]
Detail: Joomla! is prone to multiple HTML-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied data.Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
More info: http://www.securityfocus.com/bid/41822
Possible vulnerability: HTML Injection and SQL Injection Vulnerabilities
Versions affected: Joomla! [1.5.0-1.5.18]
Detail: Joomla! is prone to multiple HTML-injection vulnerabilities and an SQL-injection vulnerability because the application fails to sufficiently sanitize user-supplied input.A successful exploit can allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
More info: http://www.securityfocus.com/bid/41743
Possible vulnerability: Multiple Modules 'search' Parameter Cross-Site Scripting Vulnerabilities
Versions affected: Joomla! [1.5.0-1.5.17]
Detail: Joomla! is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
More info: http://www.securityfocus.com/bid/40444
Possible vulnerability: Session Fixation Vulnerability
Versions affected: Joomla! [1.5.0-1.5.15]
Detail: Joomla! is prone to a session-fixation vulnerability.Attackers can exploit this issue to hijack a user's session and gain unauthorized access to the affected application.
More info: http://www.securityfocus.com/bid/39708
Possible vulnerability: Persistant XSS Vulnerability
Versions affected: Joomla! 1.5.15
Detail: Persistant XSS Vulnerability
More info: http://inj3ct0r.com/exploits/11088
And if we want to look at the possible bugs in the modules it has installed, we simply use the -cm option. Note that for these components the installed version is not taken into account, only the presence of the module, so we may run into some false positives.
shell> joomlascan.pl -u www.host.com -c -cm
o |
.,---.,---.,-.-.| ,---. ,---.,---.,---.,---.
|| || || | || ,---|---`---.| ,---|| |
|`---'`---'` ' '`---'`---^ `---'`---'`---^` '
`---'
Searching for components
Running on Apache/2.2.14 (Ubuntu)
Components:
com_content
Possible vulnerabilities in components:
======================================
Possible vulnerability: TinyBrowser Joomla! Component 'folders.php' Local File Include Vulnerability
Versions affected: Lunarvis TinyBrowser 1.41.6
Detail: The TinyBrowser component for Joomla! is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
More info: http://www.securityfocus.com/bid/335843
Possible vulnerability: XStandard Component Directory Traversal Vulnerability
Versions affected: Joomla XStandard
Detail: The XStandard component for Joomla! is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data.Exploiting the issue may allow an attacker to obtain sensitive information that could aid in further attacks.
More info: http://www.securityfocus.com/bid/33143
Possible vulnerability: Component com_content File Upload Vulnerability
Versions affected: com_content
Detail: Joomla Component com_content File Upload Vulnerability
More info: http://inj3ct0r.com/exploits/14165
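The matching step described above, as an added example that is not joomlascan's own code: a version string such as "1.5.15.Stable" is compared against the "Versions affected" fields the tool prints, and entries that carry no usable version (the component-only case) are flagged as unverified instead of being reported as hits. The advisory lists are a constructed sample transcribed from the output shown in this post, not the tool's database.

```python
import re

# Constructed sample: names and "Versions affected" fields copied from the scanner
# output above. This is illustrative data, not joomlascan's vulnerability database.
CORE_ADVISORIES = [
    ("Administration Pages Multiple HTML Injection Vulnerabilities", "Joomla! [1.5.0-1.5.19]"),
    ("HTML Injection and SQL Injection Vulnerabilities", "Joomla! [1.5.0-1.5.18]"),
    ("Session Fixation Vulnerability", "Joomla! [1.5.0-1.5.15]"),
    ("Persistant XSS Vulnerability", "Joomla! 1.5.15"),
]
COMPONENT_ADVISORIES = [
    ("TinyBrowser 'folders.php' Local File Include Vulnerability", "Lunarvis TinyBrowser 1.41.6"),
    ("XStandard Component Directory Traversal Vulnerability", "Joomla XStandard"),
    ("Component com_content File Upload Vulnerability", "com_content"),
]

RANGE_RE = re.compile(r"\[([\d.]+)-([\d.]+)\]")   # e.g. [1.5.0-1.5.19]
SINGLE_RE = re.compile(r"(\d+(?:\.\d+)+)")        # e.g. 1.5.15

def parse_version(text):
    """'1.5.15.Stable' -> (1, 5, 15); the trailing tag is dropped so tuples compare numerically."""
    nums = []
    for part in text.strip().split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)

def affected(installed, versions_field):
    """True/False when both our version and the advisory's range are known, None otherwise.
    None is the false-positive case from the post: a component detected by name only,
    or an advisory without a version range, cannot be confirmed from the scan alone."""
    if installed is None:
        return None
    m = RANGE_RE.search(versions_field)
    if m:
        return parse_version(m.group(1)) <= installed <= parse_version(m.group(2))
    m = SINGLE_RE.search(versions_field)
    if m:
        return installed == parse_version(m.group(1))
    return None

def triage(installed_str, advisories):
    """Split advisories into affected / not_affected / unverified for one installation."""
    installed = parse_version(installed_str) if installed_str else None
    report = {"affected": [], "not_affected": [], "unverified": []}
    for name, field in advisories:
        hit = affected(installed, field)
        key = "unverified" if hit is None else ("affected" if hit else "not_affected")
        report[key].append(name)
    return report
```

Running `triage("1.5.15.Stable", CORE_ADVISORIES)` confirms all four core entries, while `triage(None, COMPONENT_ADVISORIES)` (component version unknown, as in the -cm run) returns every component entry as unverified rather than as a finding.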
What is then done with each of the possible vulnerabilities is up to each attacker, but as an internal auditing tool this one can be very useful. As always, the way to stay protected is to keep the system as up to date as possible.