Download The Joomla Hacking Compendium here.
With great pleasure I hereby announce the availability of the new “The Joomla Hacking Compendium”. It contains almost 1000 lines of pure knowledge and shows you the way to hack and protect Joomla.
It contains the following chapters:
0x01 - Purpose of this document
0x02 - Introduction
0x03 - The Basics of Joomla
0x04 - The Joomla core
0x05 - Joomla extensions
0x06 - Hacking Joomla
0x07 - SEO, our strongest enemy
0x08 - Examples for Joomla SQL injections
0x09 - Examples for Joomla local file inclusions
0x10 - Examples for Joomla remote file inclusions
0x11 - Examples for Joomla XSSs/CSRFs
0x12 - How to protect your Joomla
0x13 - Conclusion and a look at Joomla's future
0x14 - How to stay informed (or: the latest vulnerabilities)
0x15 - Useful tools
0x16 - Greetings and THX
Please find an excerpt below:
::
:: 0x04 - The Joomla core
::
Before inspecting the attack vectors of Joomla components, we first have a
look at the core.
Download Joomla somewhere and extract all files. Open the file
libraries/phpinputfilter/inputfilter.php
and look at the code:
----------------------------------------
var $tagsArray; // default = empty array
var $attrArray; // default = empty array
var $tagsMethod; // default = 0
var $attrMethod; // default = 0
var $xssAuto; // default = 1
var $tagBlacklist = array ('applet', 'body', 'bgsound' [...]
var $attrBlacklist = array ('action', 'background' [...]
----------------------------------------
As you can see, some of Joomla's filter methods are based on blacklisting.
This knowledge can be used later to exploit potential vulnerabilities in
a better way. I find this method not very effective, btw.
While HTML tags named "body" or "bgsound" will be filtered out of
input fields and URL parameters, the same tag name can be written in many
ways, e.g. "bOdY" or "b o DY". You are only limited by your
creativity and will find ways of tricking the blacklist of the
Joomla framework.
Another interesting part is this one (same file):
----------------------------------------
/*
* Is there a tag? If so it will certainly start with a '<'
*/
$tagOpen_start = strpos($source, '<');
while ($tagOpen_start !== false)
{
/*
* Get some information about the tag we are processing
*/
$preTag .= substr($postTag, 0, $tagOpen_start);
$postTag = substr($postTag, $tagOpen_start);
----------------------------------------
As you can see, they assume that an HTML tag used in XSS attacks
starts with a "<". In fact, I never use this character, and many
XSS cheatsheets suggest this, too. With this information in mind,
you can most likely avoid being detected by the filters. You can start
your XSS string with "><tag... for example.
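The two weaknesses discussed above, the case-sensitive blacklist and the assumption that filtering starts at a "<", are easiest to see when a blacklist filter is put beside an allowlist filter. The following Python is an added example, not code from the compendium or from Joomla: BLACKLIST is abridged to the three names the excerpt shows, ALLOWLIST is an assumed editor policy, and TAG_RE is a deliberately simple tag matcher, not a full HTML parser.

```python
import re
from html import escape

# Tag names the old Joomla inputfilter blacklisted, abridged to the three the
# excerpt shows; the real list is much longer (constructed for this example).
BLACKLIST = {"applet", "body", "bgsound"}

# Tags an editor is allowed to use: an assumed policy for this example.
ALLOWLIST = {"b", "i", "p", "a"}

# Matches a start or end tag; captures the optional "/" and the tag name.
TAG_RE = re.compile(r"<\s*(/?)\s*([A-Za-z][^\s>/]*)[^>]*>")


def blacklist_filter(html: str) -> str:
    """Naive blacklist: a tag is dropped only if its name, exactly as written,
    is in BLACKLIST. The comparison is case-sensitive, which is the weakness
    the text describes: "bOdY" is not equal to "body" and is kept."""
    def keep_or_drop(m: re.Match) -> str:
        return "" if m.group(2) in BLACKLIST else m.group(0)
    return TAG_RE.sub(keep_or_drop, html)


def allowlist_filter(html: str) -> str:
    """Allowlist: fold the tag name to lower case, keep only allowed tags
    (re-emitted in canonical form, attributes dropped) and HTML-escape every
    other character, so a stray '">' meant to close an attribute is neutralised
    as well, whether or not a '<' follows it."""
    out, pos = [], 0
    for m in TAG_RE.finditer(html):
        out.append(escape(html[pos:m.start()]))  # text between tags is escaped
        closing, name = m.group(1), m.group(2).lower()
        if name in ALLOWLIST:
            out.append(f"<{closing}{name}>")     # canonical tag, attributes dropped
        # any tag not on the allowlist is removed entirely
        pos = m.end()
    out.append(escape(html[pos:]))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample inputs covering the cases discussed in the text.
    for sample in ("<body>hi</body>", "<bOdY>hi</bOdY>", '"><applet>'):
        print(repr(sample), "->", repr(blacklist_filter(sample)),
              "|", repr(allowlist_filter(sample)))
```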
If you want to, you can continue looking. You will find other filter
methods and, at the end of the file, there are also built-in
mechanisms which should help prevent SQL injection vulnerabilities:
[...]