Joomla! is probably the most widely-used CMS out there due to its flexibility, user-friendlinesss, extensibility to name a few.So, watching its vulnerabilities and adding such vulnerabilities as KB to Joomla scanner takes ongoing activity.It will help web developers and web masters to help identify possible security weaknesses on their deployed Joomla! sites. No web security scanner is dedicated only one CMS.
backtrack 5 r1
/pentest/web/scanners/joomscan
Usage: ./joomscan.pl -u <string> -x proxy:port
-u <string> = joomla Url
==Optional==
-x <string:int> = proXy to tunnel
-c <string> = Cookie (name=value;)
-g “<string>” = desired useraGent string(within “)
-nv = No Version fingerprinting check
-nf = No Firewall detection check
-nvf/-nfv = No version+firewall check
-pe = Poke version only and Exit
-ot = Output to Text file (target-joexploit.txt)
-oh = Output to Html file (target-joexploit.htm)
-vu = Verbose (output every Url scan)
-sp = Show completed Percentage
~Press ENTER key to continue
Example: ./joomscan.pl -u victim.com -x localhost:8080
Check: ./joomscan.pl check
– Check if the scanner update is available or not.
Update: ./joomscan.pl update
– Check and update the local database if newer version is available.
Download: ./joomscan.pl download
– Download the scanner latest version as a single zip file – joomscan-latest.zip.
Defense: ./joomscan.pl defense
– Give a defensive note.
About: ./joomscan.pl story
– A short story about joomscan.
Read: ./joomscan.pl read DOCFILE
DOCFILE – changelog,release_note,readme,credits,faq,owasp_project
root@bt:/pentest/web/scanners/joomscan# ./joomscan.pl -u IP-Address
=================================================================
OWASP Joomla! Vulnerability Scanner v0.0.3-b
(c) Aung Khant, aungkhant]at[yehg.net
YGN Ethical Hacker Group, Myanmar, http://yehg.net/lab
Update by: Web-Center, http://web-center.si (2011)
=================================================================
Use of uninitialized value $lastupdate in concatenation (.) or string at ./joomscan.pl line 1274.
Vulnerability Entries: 550 November 20, 2011
Last update:
Use “update” option to update the database
Use “check” option to check the scanner update
Use “download” option to download the scanner latest version package
Use svn co to update the scanner
svn co https://joomscan.svn.sourceforge.net/svnroot/joomscan joomscan
Target: http://IP-Address
Server: Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.8
## NOTE: The Administrator URL was renamed. Bruteforce it. ##
## None of /administrator, /admin, /manage ##
## Checking if the target has deployed an Anti-Scanner measure
[!] Scanning Passed ….. OK
## Detecting Joomla! based Firewall …
[!] .htaccess shipped with Joomla! is being deployed for SEO purpose
[!] It contains some defensive mod_rewrite rules
[!] Payloads that contain strings (mosConfig,base64_encode,<script>
GLOBALS,_REQUEST) wil be responsed with 403.
## Fingerprinting in progress …
~Unable to detect the version. Is it sure a Joomla?
## Fingerprinting done.
Vulnerabilities Discovered
==========================
# 1
Info -> Component: Joomla Component Mosets Tree 2.1.5 Shell Upload
Versions Affected: 2.1.5
Check: /http:/{target}/components/com_mtree/img/listings/o/{id}.phpwhere{id}
Exploit: /http://{target}/components/com_mtree/img/listings/o/{id}.php where {id}
Vulnerable? N/A
There is a vulnerable point in 1 found entries!
~[*] Time Taken: 22 sec
~[*] Send bugs, suggestions, contributions to joomscan@yehg.net
myexploit 
2 thoughts on “web application – owasp joomla! vulnerability scanner”