Here is the clickjacking proof-of-concept video I made. In the video, I show how to pwn, or hack, a Joomla-powered site using clickjacking.
How it works:
- First, the victim logs into the administration control panel of his Joomla-powered site
- He does not log out of the service
- He visits a malicious site
- He clicks on something (anything on the page)
- At the moment he clicks, the password of his Joomla-powered site is changed without his knowledge
Combining clickjacking and CSRF, the click triggers a password-change request to the Joomla site using the victim's privileges. The attack succeeds: the victim's site admin password is changed.
Here is the link: http://www.hackers.web.id/clickjacking-joomla.rar
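As an added example (not part of the original post or of Joomla's own code), here is a defensive check: a small Python audit of HTTP response headers that reports whether a page can be framed by a third-party site, the precondition for the attack above, and whether the session cookie carries a SameSite attribute, which limits the CSRF half of the chain. The sample responses and the cookie name `session` are constructed for the example.

```python
import re

def parse_headers(raw):
    """Split a raw HTTP response head into {lowercase-name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def framing_allowed(headers):
    """True if an arbitrary third-party page could put this response in an iframe."""
    xfo = [v.strip().upper() for v in headers.get("x-frame-options", [])]
    if any(v in ("DENY", "SAMEORIGIN") for v in xfo):
        return False
    for csp in headers.get("content-security-policy", []):
        m = re.search(r"frame-ancestors\s+([^;]+)", csp, re.I)
        if m:
            sources = [s.strip("'").lower() for s in m.group(1).split()]
            # Any explicit allow-list other than a wildcard keeps attacker origins out.
            if not any(s in ("*", "http:", "https:") for s in sources):
                return False
    return True

def cookie_samesite(headers, name):
    """Return the SameSite value of the named cookie, or None if it has none."""
    for cookie in headers.get("set-cookie", []):
        if cookie.split("=", 1)[0].strip() == name:
            m = re.search(r"samesite=(\w+)", cookie, re.I)
            return m.group(1).capitalize() if m else None
    return None

def audit(raw, session_cookie="session"):
    """Summarise the two clickjacking/CSRF-relevant findings for one response."""
    h = parse_headers(raw)
    return {"framing_allowed": framing_allowed(h), "session_samesite": cookie_samesite(h, session_cookie)}

# Constructed sample responses (not captured from any real site).
UNPROTECTED = """HTTP/1.1 200 OK
Set-Cookie: session=abc123; Path=/; HttpOnly
"""

HARDENED = """HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self'; frame-ancestors 'self'
Set-Cookie: session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax
"""
```

`audit(UNPROTECTED)` reports that framing is allowed and the session cookie has no SameSite value; `audit(HARDENED)` reports framing blocked and `SameSite=Lax`.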

November 28th, 2008 at 4:25 pm
Nice video... but are there still people who forget to log out??
Bad is waiting for your next hacking video....
Best Regards,
BadKiddies
November 29th, 2008 at 11:18 am
Still, and very many. It's not that they forget to log out; they deliberately don't log out.
December 9th, 2008 at 11:06 pm
Hey, the video is gone now... please upload it again... =D
December 10th, 2008 at 9:16 am
Re-uploaded
December 11th, 2008 at 5:39 pm
Wah! Nice blog post! Luckily you reminded me of this Joomla security zor.
December 26th, 2008 at 2:22 am
wow, cool video..
but I have a question..
in that video it happens on a local PC, where that PC clearly still stores the cookies of the admin of the batamcity website ("for hacking with cookies, search Google")
so my question is
suppose I access the batamcity website from Jakarta while you are in Medan...
does the clickjacking technique still apply?
thx..
December 26th, 2008 at 11:07 am
Ehm, it doesn't matter where you are; as long as your administrator session has not expired, you are vulnerable to this
January 12th, 2009 at 9:15 am
Where is the new upload??
I can't download it....
February 17th, 2009 at 10:02 am
Boss, is there a script for it?
I want to try it..
March 1st, 2010 at 8:21 pm
[...] like the Click-Jacking style Joomla CMS hijacking. CSRF and Automation are needed to infect blogs, CMS, forums, and etc. Possible? Yes [...]