owasp / joomscan
OWASP Joomla Vulnerability Scanner Project https://www.secologist.com/
Home Page: https://www.secologist.com/open-source-projects
License: GNU General Public License v3.0
The exploit database is hard to maintain; moving it to YAML makes it human-readable and much easier to maintain and contribute to.
Hi!
Thanks for this incredible work!
Is there any way to update the vulnerability database?
The database now only covers Joomla websites built before 2018...
Joomla! Component Amblog 1.0 - Multiple SQL Injections
https://www.exploit-db.com/exploits/14596
This vulnerability was not detected by JoomScan although it exists and was tested successfully with SQLMap and manual exploitation techniques.
When I tested Joomla sites with joomscan, I found an incorrect report about component vulnerabilities.
There are 2 issues. Please fix them.
1. The vulnerability is not reported even if the site has a vulnerable component.
I guess the root cause is an incorrect variable scope.
In components.pl, the variable comversion is used in the version compare.
So you shouldn't define it at line 47 as a local variable.
(For example, define it at line 42 (my $comversion), then use it at line 47 ($comversion = $1).)
2. The CVE reference is not reported.
I guess the root cause is an incorrect string comparison.
In components.pl at line 78, you should compare @matches[3] with /^-$/, because /-/ is used as null in the local vulnerability db.
Executed command
perl joomscan.pl --url <URL> --ec
Actual report
Name: *****
Location : <URL>/components/<com>/
Directory listing is enabled : <URL>/components/<com>/
Installed version : *.*
[!] We found the component "****", but since the component version was not available we
cannot ensure that it's vulnerable, please test it yourself. <- incorrect
Title : ****
Reference : https://www.exploit-db.com/exploits/****
Fixed in : *.*
Expected report
Name: *****
Location : <URL>/components/<com>/
Directory listing is enabled : <URL>/components/<com>/
Installed version : *.*
[!] We found the component "****". <- expect
Title : ****
Reference : http://www.cvedetails.com/cve/**** <- expect
Reference : https://www.exploit-db.com/exploits/****
Fixed in : *.*
Hi,
Running joomscan against a target with HTTPS, when HTTPS support (LWP/Protocol/https.pm) is not available, it looks like Joomla is detected on the target. Instead it should show a brief notification about the missing HTTPS support in LWP.
Thanks
Hi,
Link to issues in README.md is incorrect:
https://github.com/rezasp/joomscan/joomscan
Should be:
https://github.com/rezasp/joomscan/issues
If we try to directly run joomscan on Linux, we get:
$ ./joomscan.pl
zsh: ./joomscan.pl: bad interpreter: /usr/bin/perl^M: no such file or directory
If we convert it with dos2unix:
$ ./joomscan.pl
____ _____ _____ __ __ ___ ___ __ _ _
(_ _)( _ )( _ )( \/ )/ __) / __) /__\ ( \( )
.-_)( )(_)( )(_)( ) ( \__ \( (__ /(__)\ ) (
\____) (_____)(_____)(_/\/\_)(___/ \___)(__)(__)(_)\_)
(1337.today)
--=[OWASP JoomScan
+---++---==[Version : 0.0.7
+---++---==[Update Date : [2018/09/23]
+---++---==[Authors : Mohammad Reza Espargham , Ali Razmjoo
--=[Code name : Self Challenge
@OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP
Usage:
joomscan.pl <target>
joomscan.pl -u http://target.com/joomla
joomscan.pl -m targets.txt
Options:
joomscan.pl --help
Maybe other files should also be converted.
The current code is written in a way that makes it hard to contribute.
To make the code easier to maintain I suggest that:
- use warnings and use strict
- package modules/ in a separate namespace, like JoomScan/Check
As a first step I would:
- only change the code that needs to be changed to make the code work, to keep the extensive changes to a minimum.
After this is done, I would proceed with the rest of the code.
Some example:
modules/robots.pl orig:
dprint("Checking robots.txt existing");
$response=$ua->get("$target/robots.txt");
my $headers = $response->headers();
my $content_type =$headers->content_type();
if ($response->status_line =~ /200/g and $content_type =~ /text\/plain/g) {
    $source=$response->decoded_content;
    my @lines = split /\n/, $source;
    $probot="";
    foreach my $line( @lines ) {
        if($line =~ /llow:/g){
            $between=substr($line, index($line, ': ')+2, 99999);
            $probot.="$target$between\n";
        }
    }
    tprint("robots.txt is found\npath : $target/robots.txt \n\nInteresting path found from robots.txt\n$probot");
}else{
    fprint("robots.txt is not found");
}
would become JoomScan/Check/RobotsTXT.pm:
package JoomScan::Check::RobotsTXT;
use warnings;
use strict;
use JoomScan::Logging qw(tprint dprint fprint);

# Every check receives the user agent and the target URL explicitly
# instead of reading them from globals.
sub check {
    my ($ua, $target) = @_;
    dprint("Checking robots.txt existing");
    my $response = $ua->get("$target/robots.txt");
    my $headers = $response->headers();
    my $content_type = $headers->content_type();
    my $probot = "";
    if ($response->status_line =~ /200/g and
        $content_type =~ /text\/plain/g) {
        my $source = $response->decoded_content;
        my @lines = split /\n/, $source;
        foreach my $line( @lines ) {
            if($line =~ /llow:/g){
                my $between = substr($line, index($line, ': ')+2, 99999);
                $probot .= "$target$between\n";
            }
        }
        tprint("robots.txt is found\npath : $target/robots.txt \n\nInteresting path found from robots.txt\n$probot");
    }else{
        fprint("robots.txt is not found");
    }
}
1;
I think that code could still be improved, but I would leave that for the next round of refactoring.
Hi there,
I've just checked a brand new joomla site with Joomscan (after a lot of hardening) and had an interesting report come back.
I'm absolutely, 100% on Joomla 3.8.6. I'm on a VPS that was spun up just for this project, which started when Joomla was on 3.8.5.
Joomscan has reported back the version as 2.5.
Also, it's listed a bunch of vulnerabilities that shouldn't be relevant to this version:
https://www.dropbox.com/s/91k515an0gt9uv1/Screenshot%202018-03-15%2015.29.13.png?dl=0
It's also found an admin directory that doesn't exist: http://www.mysite.com/admin/
Given that it's misreporting these things, that's probably a good thing, insofar as an actual attacker will pursue outdated vectors. However I'm about to go through pen-testing and I'm curious to see if they'll just report back this list of vulnerabilities as if it's actually the case.
Regards,
Kelsey
Is it possible to follow the app's redirect when JoomScan is discovering those components?
For example:
If this URL does not exist:
Joomla will redirect to index.php, and for JoomScan it is a false positive result.
I believe it's better to identify these behaviours and show a detailed output in the terminal.
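One way to make the component check redirect-aware, as an added example that is not joomscan's own code: the request is sent with redirect following disabled, so a Joomla fallback redirect to index.php is classified as "not present" instead of as an installed component. The target URL and component names are assumptions.

```perl
#!/usr/bin/perl
# Added example, not joomscan's own code: probe one Joomla component
# directory without following redirects, so that Joomla's redirect of a
# missing path to index.php is reported as "not present" rather than as
# an installed component. The target URL and component names are assumptions.
use strict;
use warnings;
use LWP::UserAgent;

sub probe_component {
    my ($ua, $target, $com) = @_;
    $target =~ s{/+$}{};
    my $url = "$target/components/$com/";
    my $res = $ua->get($url);
    my $code = $res->code;

    if ($res->is_redirect) {
        my $loc = $res->header('Location') // '';
        # A missing path is answered with a redirect to index.php
        # (or to the site root); treat that as "not present".
        my $why = $loc =~ m{/index\.php}i || $loc =~ m{^\Q$target\E/?$}
            ? "redirect to $loc (Joomla fallback, not a component)"
            : "redirect ($code) to $loc";
        return { present => 0, listing => 0, reason => $why };
    }
    # Heuristic: 403 usually means the directory exists but indexing is off.
    return { present => 1, listing => 0, reason => "HTTP 403, directory exists but is not listable" }
        if $code == 403;
    return { present => 0, listing => 0, reason => "HTTP $code" }
        unless $res->is_success;

    my $body    = $res->decoded_content // '';
    my $listing = $body =~ /<title>\s*Index of/i ? 1 : 0;
    return { present => 1, listing => $listing, reason => "HTTP $code" };
}

# max_redirect => 0 makes LWP hand back the 3xx response itself.
my $ua     = LWP::UserAgent->new(max_redirect => 0, timeout => 10);
my $target = $ARGV[0] // 'http://target.example.org';   # assumption
for my $com (qw(com_content com_doesnotexist)) {
    my $r = probe_component($ua, $target, $com);
    printf "%-20s %s%s\n", $com,
        $r->{present} ? 'present' : 'not present',
        $r->{listing} ? ' (directory listing enabled)' : '';
    print "  reason: $r->{reason}\n";
}
```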
Hi,
If robots.txt contains a Disallow line with no path, joomscan incorrectly displays the interesting path.
robots.txt:
User-agent: *
Disallow:
Output:
[++] robots.txt is found
path : http://target.example.org/robots.txt
Interesting path found from robots.txt
http://target.example.orgisallow:
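The garbled path comes from the index/substr extraction used in the robots.txt check (also visible in the RobotsTXT refactor above): on a bare "Disallow:" there is no ": " to find, index returns -1, and substr starts at offset 1, yielding "isallow:". As an added example that is not joomscan's own code, here is a regex-based parser that serves both that refactored check and this issue; the sample robots.txt is constructed.

```perl
#!/usr/bin/perl
# Added example, not joomscan's own code: parse robots.txt with a regex
# instead of index/substr, so a bare "Disallow:" (no path) yields nothing
# and cannot produce the "...orgisallow:" artefact shown in the issue.
use strict;
use warnings;

# Return the absolute URLs of every Allow/Disallow rule that names a real
# path. Empty rules and the whole-site rule "/" are skipped; duplicates
# are collapsed.
sub interesting_paths {
    my ($target, $robots) = @_;
    $target =~ s{/+$}{};                 # normalise: no trailing slash
    my (@paths, %seen);
    for my $line (split /\r?\n/, $robots) {
        $line =~ s/#.*//;                # drop comments
        next unless $line =~ /^\s*(?:dis)?allow\s*:\s*(\S*)/i;
        my $path = $1;
        next if $path eq '' || $path eq '/';
        $path = "/$path" unless $path =~ m{^/};
        my $url = "$target$path";
        push @paths, $url unless $seen{$url}++;
    }
    return @paths;
}

# Constructed sample robots.txt, including the bare Disallow from the
# issue above plus a commented and a duplicated entry.
my $sample = <<'ROBOTS';
User-agent: *
Disallow:
Disallow: /administrator/
Disallow: /tmp/   # scratch space
Allow: /images/
Disallow: /tmp/
ROBOTS

print "$_\n" for interesting_paths('http://target.example.org/', $sample);
```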
Hi,
If joomscan is called from a directory where the reports sub-dir does not exist, reports are not saved, but the output still shows the message: Your Reports : reports/$target.
It should be mentioned when the scan is started that no reports will be created because of the missing directory, or the directory should be created.
Thanks.
As soon as issue #17 is integrated:
Add a possibility to install joomscan with the Perl tools (MAKEFILE.PL ...).
Hi,
To attract more attention to the issues in HTML reports, I'd suggest displaying results that are negative from a security perspective in red. Currently this is reversed: for example, if no backup file is found, the message is red.
Thanks.
Some ISPs here block a web page when it is infected, with simple HTTP authorization (and provide the customer with a login and password).
Unfortunately joomscan cannot handle such a case: it cannot pass HTTP authorization.
It would be nice if it did, so please consider this feature request.
Hi,
I get this message with my Joomla website, no matter what timeout value I use. I cannot mention the website here, but I seem to have the same problem with another Joomla site of mine.
BC
Hello !
I get the following warning message when running joomscan:
Use of uninitialized value in pattern match (m//) at ./joomscan.pl line 1009
Is everything normal?
Thanks for this great tool.
When I run the command:
joomscan-master/$ perl joomscan.pl
it doesn't work and just returns nothing.
Note: I'm using Windows 7.
Hello,
I wanted to update the package in Kali Linux with the new joomscan:
https://bugs.kali.org/view.php?id=4608
But the released version (0.0.1) is older than the version in Kali (0.0.4).
If I understood correctly, the tool has been rewritten but it has the same name and I would like to keep the same package name in Kali.
It would be nice if you could increase the version number to a higher version than 0.0.4.
Hi,
When checking HTTPS URLs, the admin page link has incorrect syntax between the protocol and the host. Instead of https://host there is https:/host (missing /). So the link looks like this:
https:/www.example.com/administrator/
Hi,
The scan runs even if there is no correct host or web service running at the target (i.e. joomscan.pl -u http://not.adomain).
In case of a network error during the initial connection, the scan should stop.
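A pre-flight check covering both this issue and the missing-HTTPS-support issue above, as an added example that is not joomscan's own code: it stops before any scan step when the target cannot be reached, and names the missing LWP::Protocol::https module instead of letting an HTTPS target merely look dead. The target URL is taken from the command line and defaults to the unresolvable host from this issue.

```perl
#!/usr/bin/perl
# Added example, not joomscan's own code: a pre-flight check that refuses
# to start a scan when the target cannot be reached, and explains a
# missing LWP::Protocol::https instead of silently treating an HTTPS
# target as dead. The target URL is an assumption taken from the command line.
use strict;
use warnings;
use LWP::UserAgent;
use URI;

# Returns undef when the scan may proceed, otherwise a message saying why
# it must stop.
sub preflight {
    my ($ua, $target) = @_;
    my $scheme = URI->new($target)->scheme // '';
    return "unsupported URL scheme '$scheme' (expected http or https)"
        unless $scheme =~ /^https?$/;

    if ($scheme eq 'https') {
        # LWP needs LWP::Protocol::https for TLS; without it every request
        # fails and the target merely looks unreachable.
        eval { require LWP::Protocol::https; 1 }
            or return "HTTPS target but LWP::Protocol::https is not installed";
    }

    my $res = $ua->head($target);
    # Responses LWP fabricates itself (DNS failure, connection refused,
    # timeout) carry the header "Client-Warning: Internal response".
    my $warn = $res->header('Client-Warning') // '';
    return "cannot connect to $target: " . $res->status_line
        if $warn eq 'Internal response';
    return undef;
}

my $target = $ARGV[0] // 'http://not.adomain';   # unresolvable host from the issue
my $ua     = LWP::UserAgent->new(timeout => 10);
if (my $why = preflight($ua, $target)) {
    print "[!] Not starting the scan: $why\n";
    exit 1;
}
print "[++] $target is reachable, starting the scan\n";
```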
Dear sir,
No update command is given. I want to update the program with new vulnerabilities.
This issue is raised after I published a Joomla update on our production env. Either there is something wrong with the --timeout parameter (not registered) or the core is not functioning properly.
Target: http://www.example.com/
$ ./joomscan/joomscan.pl -u http://www.example.com/ --timeout 50000
____ _____ _____ __ __ ___ ___ __ _ _
(_ _)( _ )( _ )( \/ )/ __) / __) /__\ ( \( )
.-_)( )(_)( )(_)( ) ( \__ \( (__ /(__)\ ) (
\____) (_____)(_____)(_/\/\_)(___/ \___)(__)(__)(_)\_)
(1337.today)
--=[OWASP JoomScan
+---++---==[Version : 0.0.6
+---++---==[Update Date : [2018/08/08]
+---++---==[Authors : Mohammad Reza Espargham , Ali Razmjoo
--=[Code name : #BHUSA
@OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP
Processing http://www.example.com/ ...
[+] FireWall Detector
[++] Firewall not detected
[+] Detecting Joomla Version
[++] The target is not alive!
Hi,
Components scan output is assigned to config.php.x file scan in reports, but it should have a separate section:
[+] Checking sensitive config.php.x file
[++] Readable config files are not found
[++] components are not found
It could also have a separate "Checking components ..." line in output ( so it is logged that it has been performed ).
Thanks
I have tried a few times to scan the latest Joomla default install. This seems not to be working. The version shows as 1.5 and it just lists the vulnerabilities for that version, but all the vulns reported are false positives. Am I missing something in the setup?
[+] FireWall Detector
[++] Firewall not detected
[+] Detecting Joomla Version
[++] Joomla 1.5
[+] Core Joomla Vulnerability
[++] Joomla! 1.5 Beta 2 - 'Search' Remote Code Execution
EDB : https://www.exploit-db.com/exploits/4212/
Joomla! 1.5 Beta1/Beta2/RC1 - SQL Injection
CVE : CVE-2007-4781
EDB : https://www.exploit-db.com/exploits/4350/
Joomla! 1.5.x - (Token) Remote Admin Change Password
CVE : CVE-2008-3681
EDB : https://www.exploit-db.com/exploits/6234/
Joomla! 1.5.x - Cross-Site Scripting / Information Disclosure
CVE: CVE-2011-4909
EDB : https://www.exploit-db.com/exploits/33061/
Joomla! 1.5.x - 404 Error Page Cross-Site Scripting
EDB : https://www.exploit-db.com/exploits/33378/
Joomla! 1.5.12 - read/exec Remote files
EDB : https://www.exploit-db.com/exploits/11263/
Joomla! 1.5.12 - connect back Exploit
EDB : https://www.exploit-db.com/exploits/11262/
Joomla! Plugin 'tinybrowser' 1.5.12 - Arbitrary File Upload / Code Execution (Metasploit)
CVE : CVE-2011-4908
EDB : https://www.exploit-db.com/exploits/9926/
Joomla! 1.5 - URL Redirecting
EDB : https://www.exploit-db.com/exploits/14722/
Joomla! 1.5.x - SQL Error Information Disclosure
EDB : https://www.exploit-db.com/exploits/34955/
Joomla! - Spam Mail Relay
EDB : https://www.exploit-db.com/exploits/15979/
Joomla! 1.5/1.6 - JFilterInput Cross-Site Scripting Bypass
EDB : https://www.exploit-db.com/exploits/16091/
Joomla! < 1.7.0 - Multiple Cross-Site Scripting Vulnerabilities
EDB : https://www.exploit-db.com/exploits/36176/
Joomla! 1.5 < 3.4.5 - Object Injection Remote Command Execution
CVE : CVE-2015-8562
EDB : https://www.exploit-db.com/exploits/38977/
Joomla! 1.0 < 3.4.5 - Object Injection 'x-forwarded-for' Header Remote Code Execution
CVE : CVE-2015-8562 , CVE-2015-8566
EDB : https://www.exploit-db.com/exploits/39033/
Joomla! 1.5.0 Beta - 'pcltar.php' Remote File Inclusion
CVE : CVE-2007-2199
EDB : https://www.exploit-db.com/exploits/3781/
Joomla! Component xstandard editor 1.5.8 - Local Directory Traversal
CVE : CVE-2009-0113
EDB : https://www.exploit-db.com/exploits/7691/
So I've opened up a privileged cmd window, and I have Perl installed; then I navigate to the folder where I extracted joomscan. However, when I run the basic command perl joomscan.pl --url www.mywebsite.com
I'm just returned to the prompt; nothing happens. I've checked the "reports" folder, but there is nothing there either.
Windows 10 Professional, 64bit
Dear sir,
Can you explain the way in which the database is updated and how to add a new entry to it?