JoomScan - Hack Joomla Websites

Hacking a Joomla website starts with the initial step of gathering as much information as possible. JoomScan is an open-source tool written in Perl that scans Joomla websites, just like WPScan does for WordPress. We jump right in without wasting time.

Download / clone (git) - https://github.com/rezasp/joomscan

Clone: open a terminal and type the command below.

root@ETHICALHACKX:~# git clone https://github.com/rezasp/joomscan.git
Cloning into 'joomscan'...
remote: Enumerating objects: 21, done.
remote: Counting objects: 100% (21/21), done.
remote: Compressing objects: 100% (21/21), done.
remote: Total 335 (delta 7), reused 1 (delta 0), pack-reused 314
Receiving objects: 100% (335/335), 272.96 KiB | 497.00 KiB/s, done.
Resolving deltas: 100% (154/154), done.
root@ETHICALHACKX:~# cd joomscan
root@ETHICALHACKX:~/joomscan# 

Now we can start scanning a website and fetch as much information as we can.

    ____  _____  _____  __  __  ___   ___    __    _  _ 
   (_  _)(  _  )(  _  )(  \/  )/ __) / __)  /__\  ( \( )
  .-_)(   )(_)(  )(_)(  )    ( \__ \( (__  /(__)\  )  ( 
  \____) (_____)(_____)(_/\/\_)(___/ \___)(__)(__)(_)\_)
			(1337.today)
   
    --=[OWASP JoomScan
    +---++---==[Version : 0.0.7
    +---++---==[Update Date : [2018/09/23]
    +---++---==[Authors : Mohammad Reza Espargham , Ali Razmjoo
    --=[Code name : Self Challenge
    @OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP


   Usage: 
    	joomscan.pl <target>
   	joomscan.pl -u http://target.com/joomla
      joomscan.pl -m targets.txt
   
   
      Options: 
   	joomscan.pl --help

root@ETHICALHACKX:~/joomscan# 

One of the virtual machines has a Joomla instance running, so let's scan that and check the results: DC-3 (Vulnhub).

root@ETHICALHACKX:~/joomscan# perl joomscan.pl --url dc-3
Processing http://dc-3 ...



[+] FireWall Detector
[++] Firewall not detected

[+] Detecting Joomla Version
[++] Joomla 3.7.0

[+] Core Joomla Vulnerability
[++] Target Joomla core is not vulnerable

[+] Checking Directory Listing
[++] directory has directory listing : 
http://dc-3/administrator/components
http://dc-3/administrator/modules
http://dc-3/administrator/templates
http://dc-3/images/banners


[+] Checking apache info/status files
[++] Readable info/status files are not found

[+] admin finder
[++] Admin page : http://dc-3/administrator/

[+] Checking robots.txt existing
[++] robots.txt is not found

[+] Finding common backup files name
[++] Backup files are not found

[+] Finding common log files name
[++] error log is not found

[+] Checking sensitive config.php.x file
[++] Readable config files are not found


Your Report : reports/dc-3/
root@ETHICALHACKX:~/joomscan# 
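
As an added example (not part of the original post or of JoomScan itself), this Python script parses console output in the format shown above and lists the items a site owner would fix: the disclosed version, directories with listing enabled, and the reachable admin page. The function names and finding labels are hypothetical, and the sample is constructed from the output above.

```python
import re

# Constructed sample: the scan output shown above, trimmed to three checks.
SAMPLE = """\
[+] Detecting Joomla Version
[++] Joomla 3.7.0

[+] Checking Directory Listing
[++] directory has directory listing :
http://dc-3/administrator/components
http://dc-3/administrator/modules
http://dc-3/administrator/templates
http://dc-3/images/banners

[+] admin finder
[++] Admin page : http://dc-3/administrator/
"""

def parse_report(text):
    """Map each '[+] check' to its '[++] result' line and any URLs listed under it."""
    checks, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[++]") and current:
            checks[current]["result"] = line[4:].strip()
        elif line.startswith("[+]"):
            current = line[3:].strip()
            checks[current] = {"result": "", "urls": []}
        elif current and line.startswith("http"):
            checks[current]["urls"].append(line)
    return checks

def findings(checks):
    """Turn parsed checks into (label, value) items a site owner should act on."""
    out = []
    m = re.search(r"Joomla (\d+(?:\.\d+)+)", checks.get("Detecting Joomla Version", {}).get("result", ""))
    if m:
        out.append(("version-disclosed", m.group(1)))
    for url in checks.get("Checking Directory Listing", {}).get("urls", []):
        out.append(("directory-listing", url))
    admin = re.search(r"Admin page : (\S+)", checks.get("admin finder", {}).get("result", ""))
    if admin:
        out.append(("admin-page-exposed", admin.group(1)))
    return out

if __name__ == "__main__":
    for kind, value in findings(parse_report(SAMPLE)):
        print(f"{kind:20} {value}")
```
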

The result does not give us much, but there are a few noticeable pieces of information:
– The version of Joomla running is 3.7.0
– The administrator URL is http://dc-3/administrator/
So now what can we do with this information? Search for an exploit.

Searchsploit quickly shows that an exploit is available for Joomla 3.7.0, even though JoomScan's core vulnerability check reported the target as not vulnerable. We will cover the same exploit when exploiting DC-3 (Vulnhub) in a separate post.

root@ETHICALHACKX:~/joomscan# searchsploit joomla 3.7.0
--------------------------------------- ----------------------------------------
 Exploit Title                         |  Path
                                       | (/usr/share/exploitdb/)
--------------------------------------- ----------------------------------------
Joomla! 3.7.0 - 'com_fields' SQL Injec | exploits/php/webapps/42033.txt
--------------------------------------- ----------------------------------------
Shellcodes: No Result
root@ETHICALHACKX:~/joomscan# 

This exploit can be used with the sqlmap command to get the table names and even the stored username and password.

Hope this added something to your existing hacking arsenal.

We also have a similar script for WordPress called WPScan. Read about WPScan here – https://www.ethicalhackx.com/how-to-hack-wordpress-website-wpscan/