1 files changed, 147 insertions, 0 deletions
diff --git a/scripts/http-joomla-brute.nse b/scripts/http-joomla-brute.nse
new file mode 100644
index 0000000..2935110
--- /dev/null
+++ b/scripts/http-joomla-brute.nse
@@ -0,0 +1,147 @@
+local brute = require "brute"
+local creds = require "creds"
+local http = require "http"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+local string = require "string"
+
+description = [[
+Performs brute force password auditing against Joomla web CMS installations.
+
+This script initially reads the session cookie and parses the security token to perfom the brute force password auditing.
+It uses the unpwdb and brute libraries to perform password guessing. Any successful guesses are stored using the
+credentials library.
+
+Joomla's default uri and form names:
+* Default uri:<code>/administrator/index.php</code>
+* Default uservar: <code>username</code>
+* Default passvar: <code>passwd</code>
+]]
+
+---
+-- @usage
+-- nmap -sV --script http-joomla-brute
+--   --script-args 'userdb=users.txt,passdb=passwds.txt,http-joomla-brute.hostname=domain.com,
+--                  http-joomla-brute.threads=3,brute.firstonly=true' <target>
+-- nmap -sV --script http-joomla-brute <target>
+--
+-- @output
+-- PORT     STATE SERVICE REASON
+-- 80/tcp open  http    syn-ack
+-- | http-joomla-brute:
+-- |   Accounts
+-- |     xdeadbee:i79eWBj07g => Login correct
+-- |   Statistics
+-- |_    Perfomed 499 guesses in 301 seconds, average tps: 0
+--
+-- @args http-joomla-brute.uri Path to authentication script. Default: /administrator/index.php
+-- @args http-joomla-brute.hostname Virtual Hostname Header
+-- @args http-joomla-brute.uservar sets the http-variable name that holds the
+--                                 username used to authenticate. Default: username
+-- @args http-joomla-brute.passvar sets the http-variable name that holds the
+--                                 password used to authenticate. Default: passwd
+-- @args http-joomla-brute.threads sets the number of threads. Default: 3
+--
+-- Other useful arguments when using this script are:
+-- * http.useragent = String - User Agent used in HTTP requests
+-- * brute.firstonly = Boolean - Stop attack when the first credentials are found
+-- * brute.mode = user/creds/pass - Username password iterator
+-- * passdb = String - Path to password list
+-- * userdb = String - Path to user list
+--
+--
+-- @see http-form-brute.nse
+
+author = "Paulino Calderon <calderon@websec.mx>"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"intrusive", "brute"}
+
+
+portrule = shortport.http
+
+local DEFAULT_JOOMLA_LOGIN_URI = "/administrator/index.php"
+local DEFAULT_JOOMLA_USERVAR = "username"
+local DEFAULT_JOOMLA_PASSVAR = "passwd"
+local DEFAULT_THREAD_NUM = 3
+
+local security_token
+local session_cookie_str
+
+---
+--This class implements the Brute library (https://nmap.org/nsedoc/lib/brute.html)
+---
+Driver = {
+  new = function(self, host, port, options)
+    local o = {}
+    setmetatable(o, self)
+    self.__index = self
+    o.host = stdnse.get_script_args('http-joomla-brute.hostname') or host
+    o.port = port
+    o.uri = stdnse.get_script_args('http-joomla-brute.uri') or DEFAULT_JOOMLA_LOGIN_URI
+    o.options = options
+    return o
+  end,
+
+  connect = function( self )
+    return true
+  end,
+
+  login = function( self, username, password )
+    stdnse.debug2("HTTP POST %s%s with security token %s\n", self.host, self.uri, security_token)
+    local response = http.post( self.host, self.port, self.uri, { cookies = session_cookie_str, no_cache = true, no_cache_body = true }, nil,
+      { [self.options.uservar] = username, [self.options.passvar] = password,
+      [security_token] = 1, lang = "", option = "com_login", task = "login" } )
+
+    if response.body and not( response.body:match('name=[\'"]*'..self.options.passvar ) ) then
+      stdnse.debug2("Response:\n%s", response.body)
+      return true, creds.Account:new( username, password, creds.State.VALID)
+    end
+    return false, brute.Error:new( "Incorrect password" )
+  end,
+
+  disconnect = function( self )
+    return true
+  end,
+
+  check = function( self )
+    local response = http.get( self.host, self.port, self.uri )
+    stdnse.debug1("HTTP GET %s%s", stdnse.get_hostname(self.host),self.uri)
+    -- Check if password field is there
+    if ( response.status == 200 and response.body:match('type=[\'"]password[\'"]')) then
+      stdnse.debug1("Initial check passed. Launching brute force attack")
+      session_cookie_str = response.cookies[1]["name"].."="..response.cookies[1]["value"];
+      if response.body then
+        local _
+        _, _, security_token = string.find(response.body, '<input type="hidden" name="(%w+)" value="1" />')
+      end
+      if security_token then
+        stdnse.debug2("Security Token found:%s", security_token)
+      else
+        stdnse.debug2("The security token was not found.")
+        return false
+      end
+
+      return true
+    else
+      stdnse.debug1("Initial check failed. Password field wasn't found")
+    end
+    return false
+  end
+
+}
+---
+--MAIN
+---
+action = function( host, port )
+  local status, result, engine
+  local uservar = stdnse.get_script_args('http-joomla-brute.uservar') or DEFAULT_JOOMLA_USERVAR
+  local passvar = stdnse.get_script_args('http-joomla-brute.passvar') or DEFAULT_JOOMLA_PASSVAR
+  local thread_num = tonumber(stdnse.get_script_args("http-joomla-brute.threads")) or DEFAULT_THREAD_NUM
+
+  engine = brute.Engine:new( Driver, host, port, { uservar = uservar, passvar = passvar } )
+  engine:setMaxThreads(thread_num)
+  engine.options.script_name = SCRIPT_NAME
+  status, result = engine:start()
+
+  return result
+end