Here is the click-jacking proof-of-concept video I made. In the video, I show how to pwn (hack) a Joomla-powered site using click-jacking.

How it works:

- First, the victim logs in to the Administration Control Panel of his Joomla-powered site

- He does not log out

- He visits a malicious site

- He clicks on something (anything on the page)

- At the moment he clicks, the password of his Joomla-powered site is changed without his noticing

By combining click-jacking and CSRF, that click triggers a password-change request to the Joomla site with the victim's privileges. The attack thus succeeds: the victim's site admin password is changed.

Here is the link: http://www.hackers.web.id/clickjacking-joomla.rar
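Defensive counterpart to the attack chain above, as an added example that is not part of the original post or of Joomla's own code: the password-change handler rejects forged cross-site requests with a per-session CSRF token and an Origin check, and every admin page sends anti-framing headers so the genuine form cannot be rendered inside a hidden iframe (the token alone does not stop the click-jacking path, because the framed page is the real form and already carries a valid token). All names here (SITE_ORIGIN, Session, handle_password_change) are assumptions, written in Python as a stand-in for the PHP handler.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed placeholder for the site's own origin (not a real host).
SITE_ORIGIN = "https://example-joomla-site.invalid"


class Session:
    """Server-side admin session; the CSRF token is minted once per session."""
    def __init__(self, user):
        self.user = user
        self.csrf_token = secrets.token_hex(16)
        self.password = "old"


def anti_framing_headers():
    """Headers every admin page must send so another origin cannot embed it.
    This is what breaks the click-jacking path: with these, the browser
    refuses to render the admin form inside the attacker's iframe."""
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }


def handle_password_change(session, form, headers):
    """Return (http_status, current_password) for a password-change POST."""
    # 1. CSRF token bound to the session: a cross-site page cannot read it,
    #    so a forged form submission will not carry the right value.
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return 403, session.password
    # 2. Origin (Referer as fallback) must be this site; stops plain CSRF.
    origin = headers.get("Origin") or headers.get("Referer", "")
    if urlparse(origin).netloc != urlparse(SITE_ORIGIN).netloc:
        return 403, session.password
    # 3. Defence in depth for framing: a browser sets Sec-Fetch-Dest to
    #    "iframe" when the submitting document is embedded in a frame.
    if headers.get("Sec-Fetch-Dest") == "iframe":
        return 403, session.password
    new_password = form.get("password", "")
    if len(new_password) < 12:
        return 400, session.password
    session.password = new_password
    return 200, session.password
```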


13 Responses to “Click-jacking on Joomla Powered Site Video PoC”

  1. badkiddies says:

    Nice video... but are there still any, bro... people who forget to log out??

    Bad is waiting for your next hacking video, bro.... :-)

    Best Regards,
    BadKiddies

  2. Zoiz says:

    Still, and very many. It's not that they forget to log out, they deliberately don't log out :D

  3. pl4y312 says:

    Bro, the video is gone now... please upload it again.. please... =D

  4. Matthew says:

    Wah! Nice blog post! Luckily you reminded me of this Joomla security zor.

  5. [cgi-error] says:

    wow, cool video ..
    but I have a question ..

    in the video it happens on a local PC .. where that PC obviously still holds the cookies of the admin of the batamcity website "for hacking with cookies, please search on google"

    so my question is
    suppose I access the batamcity website from Jakarta while you are in Medan ...
    does the clickjacking technique still work?
    thx..

  6. Zoiz says:

    Ehm, it doesn't matter where you are; as long as your administrator session has not expired, you are vulnerable to this :)

  7. kaitou kid says:

    Bro, where is the new upload??
    can't download it....

  8. azwr says:

    Boss, do you have the script?

    I want to try it..

  9. [...] like the Click-Jacking style Joomla CMS hijacking. CSRF and Automation are needed to infect blogs, CMS, forums, and etc. Possible? Yes [...]