I recently saw a tweet from Andre DiMino about wanting to see more hype around CMS hacking instead of letting it fall by the wayside. Given some of the more recent events with Operation Ababil, I kind of agree with him. This software is riddled with bugs and users often neglect updating their platforms in a timely manner. What’s worse is that you could update your platform instantly, but if you don’t do the same with your plug-ins then you could be as vulnerable if not more.
It’s been a while since I did any Joomla programming, but I remember default usernames and weak passwords being a huge issue. I wanted to run some brute-forcing code against the local sites I had, but was left with a lack of tools except for some ugly PHP code and confusing nmap scripts. Instead, I choose to hack up a Joomla brute-forcer and remember how everything worked.
If you your administrator panel is exposed to the public, then anyone can begin going at your site. It’s unlikely you are going to notice the attacks in progress and I would venture they are happening this minute. Joomla throws some security token associated with the login form on the page as a hidden variable (why are these still in practice?) and is included when making a POST to the server. One can simply look for page elements associated with the control panel to identify a successful login, otherwise they can keep chugging along.
The code itself uses the gevent network concurrency library to speed things up a bit, but the entire pool is ultimately blocked until all the greenlets finish their work. On fast network connections, say a university, you will get pretty good performance, but you need to be careful not to expand the worker pool too much as it will flood the server and return errors. Run the tool against your site and see how long it takes to crack your authentication!
And…here is the code!