owasp / joomscan Goto Github PK

The exploit database is hard to maintain,
moving it to yaml, makes it human readable and much easier to maintain and contribute to.

Hi !
thanks for this incredible work !

is there any way to update the database vulnerability ?
the database is now only for joomla website which is build before 2018...

Joomla! Component Amblog 1.0 - Multiple SQL Injections
https://www.exploit-db.com/exploits/14596

This vulnerability was not detected by JoomScan although it exists and tested successfully with SQLMap and manual exploitation techniques.

When I was tested joomla sites by the joomscan, I found the incorrect report about components vulnerability.
It's 2 issues. Please fix it.

1. Not report vulnerability even if sites has components vulnerability.
   I guess root cause is variable scope that is incorrect.
   In the components.pl, variable as comversion is use in version compare.
   So you shouldn't define at line 47 with local variable.
   (for example, define at 42(my $comversion) then use at 47($comversion = $1))

2. Not report CVE reference.
   I guess root cause is compare the strings that is incorrect.
   In the components.pl at line 78, you should compare @matches[3] and /^-$/ because of /-/ is used as null at local vulnerability db.

Executed command
perl joomscan.pl --url <URL> --ec

Actual report

Name: *****
Location : <URL>/components/<com>/
Directory listing is enabled : <URL>/components/<com>/
Installed version : *.*
[!] We found the component "****", but since the component version was not available we
cannot ensure that it's vulnerable, please test it yourself.             <- incorrect
Title : **** 
Reference : https://www.exploit-db.com/exploits/****
Fixed in : *.*

Expected report

Name: *****
Location : <URL>/components/<com>/
Directory listing is enabled : <URL>/components/<com>/
Installed version : *.*
[!] We found the component "****".                          <- expect
Title : ****
Reference : http://www.cvedetails.com/cve/****              <- expect
Reference : https://www.exploit-db.com/exploits/****
Fixed in : *.*

Hi,

Running joomscan against target with HTTPS, when https support ( LWP/Protocol/https.pm ) is not available, looks like there is Joomla detected on the target. Instead it should show some brief notification about missing https support in LWP.

Thanks

Hi,

Link to issues in README.md is incorrect:
https://github.com/rezasp/joomscan/joomscan
Should be:
https://github.com/rezasp/joomscan/issues

If we try to directly run joomscan on Linux, we get:

$ ./joomscan.pl 
zsh: ./joomscan.pl: bad interpreter: /usr/bin/perl^M: no such file or directory

If we convert it with dos2unix:

$ ./joomscan.pl
    ____  _____  _____  __  __  ___   ___    __    _  _ 
   (_  _)(  _  )(  _  )(  \/  )/ __) / __)  /__\  ( \( )
  .-_)(   )(_)(  )(_)(  )    ( \__ \( (__  /(__)\  )  ( 
  \____) (_____)(_____)(_/\/\_)(___/ \___)(__)(__)(_)\_)
			(1337.today)
   
    --=[OWASP JoomScan
    +---++---==[Version : 0.0.7
    +---++---==[Update Date : [2018/09/23]
    +---++---==[Authors : Mohammad Reza Espargham , Ali Razmjoo
    --=[Code name : Self Challenge
    @OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP


   Usage: 
    	joomscan.pl <target>
   	joomscan.pl -u http://target.com/joomla
      joomscan.pl -m targets.txt
   
   
      Options: 
   	joomscan.pl --help

Maybe other files should also be converted.

The current code is written in a way that makes it hard to contribute:

• All modules share the same namespace,
• there are global variables, that are reused in several modules
• Almost no functions are existent

To make the code easier to maintain I suggest that:

• the code should use use warnings and use strict
  everywhere.
• all modules should follow the perl way to create modules with package
• most global variables are made local

As a first step I would:

• put the '*pl' files in modules/ in a separate namespace, like JoomScan/Check
• transform modules to packages
• add 'use warnings' and use 'strict'
• make the code work

I would only change the code that needs to be changed to make the code work,
to keep the extensive changes to a minimum.

after this is done, I would proceed with the rest of the code.

some example:
modules/robots.pl orig:

dprint("Checking robots.txt existing");
$response=$ua->get("$target/robots.txt");
my $headers  = $response->headers();
my $content_type =$headers->content_type();
if ($response->status_line =~ /200/g and $content_type =~ /text\/plain/g) {
	$source=$response->decoded_content;
	my @lines = split /\n/, $source;
	$probot="";
	foreach my $line( @lines ) { 
		if($line =~ /llow:/g){
			$between=substr($line, index($line, ': ')+2, 99999);
			$probot.="$target$between\n";
		}
	}
	tprint("robots.txt is found\npath : $target/robots.txt \n\nInteresting path found from 
        robots.txt\n$probot");
}else{
	 fprint("robots.txt is not found");
}

would become JoomScan/Check/RobotsTXT.pm:

package JoomScan::Check::RobotsTXT;
use warnings;
use strict;
use JoomScan::Logging qw(tprint dprint fprint)

sub check {
  my ($ua, $target) = @_;
  dprint("Checking robots.txt existing");
  my $response = $ua->get("$target/robots.txt");
  my $headers  = $response->headers();
  my $content_type =$headers->content_type();
  my $probot="";
  if ($response->status_line =~ /200/g and 
      $content_type =~ /text\/plain/g) {
	my $source = $response->decoded_content;
	my @lines = split /\n/, $source;
	foreach my $line( @lines ) { 
	  if($line =~ /llow:/g){
	    my $between=substr($line, index($line, ': ')+2, 99999);
	    $probot.="$target$between\n";
	  }
	}
	tprint("robots.txt is found\npath : $target/robots.txt \n\nInteresting path found from robots.txt\n$probot");
      }else{
	fprint("robots.txt is not found");
      }
}

1;

I think that code could still be improved, but I would leave that for the next round of refactoring

Hi there,

I've just checked a brand new joomla site with Joomscan (after a lot of hardening) and had an interesting report come back.

I'm absolutely, 100% on Joomla 3.8.6. I'm on a VPS that was spun up just for this project, which started when Joomla was on 3.8.5.

Joomscan has reported back the version as 2.5.

Also, it's listed a bunch of vulnerabilities that shouldn't be relevant to this version:

https://www.dropbox.com/s/91k515an0gt9uv1/Screenshot%202018-03-15%2015.29.13.png?dl=0

It's also found an admin directory that doesn't exist: http://www.mysite.com/admin/

Given that it's misreporting these things, that's probably a good thing, insofar as an actual attacker will pursue outdated vectors. However I'm about to go through pen-testing and I'm curious to see if they'll just report back this list of vulnerabilities as if it's actually the case.

Regards,

Kelsey

It's possible to follow the app "spider's redirect" when the JoomScan is discovering those components?
By example:
If this URL not exists:

http://myhost.inf/components/com_aardvertiser/WS_FTP.LOG

Joomla will redirect to index.php and for the JoomScan it is a false positive result.

I believe, it's better to identify these behaviors and show a detailed output into terminal.

Hi,
If robots.txt contains Disallow line with no path, joomscan incorrectly displays the interesting path.
robots.txt:

User-agent: *
Disallow:

Output:

[++] robots.txt is found
path : http://target.example.org/robots.txt 

Interesting path found from robots.txt
http://target.example.orgisallow:

Hi,

If joomscan is called from directory, where is reports sub-dir does not exist, reports are not saved, but output stitll shows the message: Your Reports : reports/$target.

It should be mentioned when scan is started that no reports will be created because of the missing directory, or directory should be created.

Thanks.

As soon as issue #17 is integrated
Add a possibility to install joomscan with perl tools (MAKEFILE.PL ...)

Hi,

To attract more attention to the issues in HTML reports, I'd suggest to display negative results from security perspective in red color. Currently this is reversed - for example if no backup file is found, the message is red.

Thanks.

Some ISP here block web page when infected with simple http authorization (and providing customer with login and password).

Unfortunately joomscan cannot handle such case - cannot pass http authorization.

Would be nice if it did, so please consider this feature request.

Hi,

I get this message with my Joomla website, no matter what timeout value I take. I cannot mention the website here, but I do seem to have the same problem with another Joomla site of mine,

BC

Hello !

I get the following warning message when running joomscan :
Use of uninitialized value in pattern match (m//) at ./joomscan.pl line 1009
is everything normal ?
Thanks for this great tool

when i run in command :
joomscan-master/$ perl joomscan.pl

it doesn't work and it's back to nothing

note : i'm using windows seven

see https://github.com/OWASP/joomscan/blob/master/joomscan.pl

Hello,
I wanted to update the package in Kali Linux with the new joomscan:
https://bugs.kali.org/view.php?id=4608
But the released version (0.0.1) is older than the version in Kali (0.0.4).

If I understood correctly, the tool has been rewritten but it has the same name and I would like to keep the same package name in Kali.

It would be nice if you could increase the version number to a higher version than 0.0.4.

Hi,

When checking the HTTPS URLs, admin page link has incorrect syntax between protocol and host. Instead https://host there is https:/host ( missing / ). So the link looks like this:
https:/www.example.com/administrator/

Hi,

Scan runs even if there is no correct host or web service running at target ( i.e. joomscan.pl -u http://not.adomain ).
In case of network error during the initial connection scan should stop.

error while executing the program "perl joomscan.pl"

dear sir,
no update command is given. i want to update the program with new vulnerabilities.

This issue is raised after I published Joomla update on our production env. Either there is something wrong with --timeout parameter (not registered) or core is not functioning properly.

Target: http://www.example.com/

$ ./joomscan/joomscan.pl  -u http://www.example.com/ --timeout 50000

    ____  _____  _____  __  __  ___   ___    __    _  _
   (_  _)(  _  )(  _  )(  \/  )/ __) / __)  /__\  ( \( )
  .-_)(   )(_)(  )(_)(  )    ( \__ \( (__  /(__)\  )  (
  \____) (_____)(_____)(_/\/\_)(___/ \___)(__)(__)(_)\_)
                        (1337.today)

    --=[OWASP JoomScan
    +---++---==[Version : 0.0.6
    +---++---==[Update Date : [2018/08/08]
    +---++---==[Authors : Mohammad Reza Espargham , Ali Razmjoo
    --=[Code name : #BHUSA
    @OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP

Processing http://www.example.com/ ...



[+] FireWall Detector
[++] Firewall not detected

[+] Detecting Joomla Version
[++] The target is not alive!

Hi,

Components scan output is assigned to config.php.x file scan in reports, but it should have a separate section:

[+] Checking sensitive config.php.x file
[++] Readable config files are not found
[++] components are not found

It could also have a separate "Checking components ..." line in output ( so it is logged that it has been performed ).

Thanks

I have tried few times to scan the latest Joomla default install. This seems to be not working. The version shows as 1.5 and just lists the vulnerabilities in there, but all the vuls reported are false positives. Am I missing something in the setup

[+] FireWall Detector
[++] Firewall not detected

[+] Detecting Joomla Version
[++] Joomla 1.5

[+] Core Joomla Vulnerability
[++] Joomla! 1.5 Beta 2 - 'Search' Remote Code Execution
EDB : https://www.exploit-db.com/exploits/4212/

Joomla! 1.5 Beta1/Beta2/RC1 - SQL Injection
CVE : CVE-2007-4781
EDB : https://www.exploit-db.com/exploits/4350/

Joomla! 1.5.x - (Token) Remote Admin Change Password
CVE : CVE-2008-3681
EDB : https://www.exploit-db.com/exploits/6234/

Joomla! 1.5.x - Cross-Site Scripting / Information Disclosure
CVE: CVE-2011-4909
EDB : https://www.exploit-db.com/exploits/33061/

Joomla! 1.5.x - 404 Error Page Cross-Site Scripting
EDB : https://www.exploit-db.com/exploits/33378/

Joomla! 1.5.12 - read/exec Remote files
EDB : https://www.exploit-db.com/exploits/11263/

Joomla! 1.5.12 - connect back Exploit
EDB : https://www.exploit-db.com/exploits/11262/

Joomla! Plugin 'tinybrowser' 1.5.12 - Arbitrary File Upload / Code Execution (Metasploit)
CVE : CVE-2011-4908
EDB : https://www.exploit-db.com/exploits/9926/

Joomla! 1.5 - URL Redirecting
EDB : https://www.exploit-db.com/exploits/14722/

Joomla! 1.5.x - SQL Error Information Disclosure
EDB : https://www.exploit-db.com/exploits/34955/ 

Joomla! - Spam Mail Relay
EDB : https://www.exploit-db.com/exploits/15979/

Joomla! 1.5/1.6 - JFilterInput Cross-Site Scripting Bypass
EDB : https://www.exploit-db.com/exploits/16091/

Joomla! < 1.7.0 - Multiple Cross-Site Scripting Vulnerabilities
EDB : https://www.exploit-db.com/exploits/36176/

Joomla! 1.5 < 3.4.5 - Object Injection Remote Command Execution
CVE : CVE-2015-8562
EDB : https://www.exploit-db.com/exploits/38977/

Joomla! 1.0 < 3.4.5 - Object Injection 'x-forwarded-for' Header Remote Code Execution
CVE : CVE-2015-8562 , CVE-2015-8566 
EDB : https://www.exploit-db.com/exploits/39033/

Joomla! 1.5.0 Beta - 'pcltar.php' Remote File Inclusion
CVE : CVE-2007-2199
EDB : https://www.exploit-db.com/exploits/3781/

Joomla! Component xstandard editor 1.5.8 - Local Directory Traversal
CVE : CVE-2009-0113
EDB : https://www.exploit-db.com/exploits/7691/

So I've opened up a privileged cmd window and I have perl installed, then I navigate to the folder where I extracted joomscan. However when I run the basic command perl joomscan.pl --url www.mywebsite.com I'm just returned to the prompt, nothing happens. I've checked the "reports" folder but nothing there either.

Windows 10 Professional, 64bit

dear sir,
can you explain the way by which database is update and add new entry in it.