Posted on 3 Comments

Tiki Wiki Unauthenticated File Upload exploit

Hello aspiring hackers. In this howto, we will see another file upload exploit , this time in  Tiki Wiki CMS Groupware version <=15.1. Tiki Wiki CMS Groupware or simply Tiki, originally known as TikiWiki, is a free and open source Wiki-based content management system and online office suite.  It contains a number of collaboration features allowing it to operate as a Groupware. Groupware is an application software designed to help people involved in a common task to achieve their goals.

This exploit takes advantage of a RFI vulnerability in one of the 3rd party components, ELFinder 2.0. This component comes with default example page which demonstrates file operations such as upload, remove, rename, create directory etc. Default configuration does not force validations such as file extension, content-type etc. Thus, unauthenticated user can upload a PHP file.

Start Metasploit and load the exploit as shown below. Type command “show options” to see the options required to run this exploit.

Set the target as shown below and check if it is vulnerable using “check“command.

Type command “show payloads” to see the payloads we can set to this exploit. Set the payload as I have set below.

Check the options once again after setting the payload. They should look like below.

Let’s run this exploit by typing command “run”. We can see that we successfully got the meterpreter shell on the target as shown below.

That’s all in this article. Learn how File Upload Exploits work. Want to learn Ethical Hacking with Real World Scenarios? Subscribe to our Digital Magazine.

Posted on

WordPress user enumeration with Metasploit

Good morning friends. Not all vulnerabilities are unauthenticated, sometimes we require credentials to exploit a vulnerability like the WordPress ajax loadmore Php upload exploit we saw in one of  previous howtos. But how do we get these credentials. Metasploit has an auxiliary module for WordPress user enumeration. Let’s see how this exploit works.

Start Metasploit and load the wordpress user enumeration exploit as shown below. Type command “show options” to see the options we can specify. We can see a variety of options. All the options are self explanatory but let us see some of the options.

The “BLANK_PASSWORDS” option if set will check if any of the users are without any password. The “VERBOSE”option will display more clearly what the module is doing. The “USERNAME” and “PASSWORD” option will check for single username and password respectively. The “USER_AS_PASS” option will check whether the username itself is being used as password. The USER_FILE and PASS_FILE are used to specify file for usernames and passwords to enumerate respectively. The VALIDATE_USERS option will first validate if user exists on the target even before trying to crack his password. The “USER_PASS” file option allows us to specify the same file for username and password as shown below. Here I have specified a wordlist consisting of most common passwords as the USER_PASS file.

When we execute the module, we can see that it will first validate all the usernames.

What if we know the username? The first question is how will we know the username. Just go through one of our previous howto : WordPress vulnerability assessment  with WPSCAN. The tool gave use a hint that username is “root”. Now we will set the username as root, specify a common password dictionary as password file as shown below.

When I run the script, it confirms that the username is valid and tries all words in the dictionary as password one by one.

After some time we can see that we successfully cracked the password for user “root” as “123456”.

HOW TO STAY SAFE:

Never use not only common passwords but also common usernames for your websites. Still most of the people tend to use common usernames like admin, administrator etc. and common passwords.

Posted on Leave a comment

WordPress version detection with Metasploit

Hello aspiring hackers. In this article we will learn about a WordPress Version Detection Module. WordPress is one of the most popular CMS available for websites.  Its latest release to time, 4.5 has been downloaded 40,446,377 times till editing of this howto. But being popular in field of hacking has its own disadvantages. This Metasploit  Module performs wordpress version detectionlatest version suffers from oEmbed Denial of Service (DoS), Password Change via Stolen Cookie and Redirect Bypass vulnerabilities.

Similarly every version of WordPress has some vulnerability or other. But how do we find out which version of WordPress is the site running. Metasploit has an auxiliary module for WordPress version detection. Let’s see how it works.

Start Metasploit and load the module. Type command “show options” to see the options we required for this module.

Multiple IP addresses can be set as shown below. I am trying five targets.

After assigning IP addresses, type command “run” to execute the exploit. The first target is my own. As you can see, our two of our targets responded with their version. But what about others? Maybe a firewall is blocking our request or maybe our targeturi is wrong. Please try this scan with targeturi set to “/” and also “/wordpress” for better results.

By the way, version 4.1 suffers from a arbitrary file upload vulnerability. See how to perform complete WordPress vulnerability scan with WPscan  on a WordPress website.

Posted on Leave a comment

Joomla Enumeration with Metasploit

Hello aspiring hackers. Previously we have seen how to perform Joomla version enumeration  with Metasploit. Metasploit also has a module for Joomla webpages enumeration which can be useful in seeing pages of a Joomla website which can give further information about the website.

Start Metasploit and load the module as shown below.  Type command “show options” to see the options we need to set.

joomla enumeration

As other auxiliary options, it has RHOSTS option instead of RHOST option. We can set multiple IP addresses to scan for their pages with space in between as shown below. Set the targeturi.

Type command “run” to execute the exploit. We will get the result as shown below.

Want to learn Ethical Hacking in Real World Scenarios? subscribe to our Digital Magazine.

Posted on 2 Comments

Joomla Plugin enumeration with Metasploit

Good evening aspiring ethical hackers. Joomla is one of the most popular CMS for websites. To further improve its features Joomla has components or extensions which can be installed by the web admin as per requirement. These are similar to plugins in WordPress. Last month hackers found many vulnerabilities in so many extensions of Joomla.

But how do we find out Joomla websites with this vulnerable plugins installed. Once again, Metasploit saves the day for us as it has an auxiliary module for Joomla plugin enumeration. Start Metasploit and load the module as shown below.

This module has Rhosts option instead of Rhost option as we generally scan multiple IP addresses to check for vulnerable websites. Set the IP addresses as shown below with space between each IP address.

Now type command “run” to see the plugins installed on all these websites.

How does this module work? If you have seen in the first image, this module takes the list of plugins to enumerate from file “usr/share/metasploit-framework/data/wordlists/joomla.txt”. I have little knowledge whether this file is updated as fast as the Joomla plugins developed.  You can open this file with any text editor as shown below.

If the component you want to search for is not listed, you can make your own entry as shown below. I have added two components here, which are vulnerable to sql injection but not included in the file before. Save and close the file.

I run the scan again and found one Joomla website with this plugin installed.  Happy hacking.

Posted on Leave a comment

Hacking WordPress with Revslider Exploit

Hello aspiring hackers. In this howto we will learn about hacking wordpress with Revslider plugin exploit. This howto is a direct sequel to our previous howto  WordPress vulnerability assessment with WPscan, so I suggest you go through that how to first and look out for the Easter eggs. This howto is based on one of the vulnerabilities we found in our previous howto.

To those newbies, who don’t know what is revolution slider,  it is a popular plugin used by many wordpress websites. Well, I am sure you have heard about Panama papers leak. Yeah, I’m talking about the leak of 11.5m files from the database of the world’s fourth biggest offshore law firm, Mossack Fonseca. It has been identified that Mossack Fonseca was using a vulnerable version of WordPress revslider plugin which resulted in the hack. All versions of the plugin from 2.1.7 to 3.0.95 are vulnerable to the attack.

This exploit was made public last year but still there are many wordpress websites using the vulnerable plugin( as with the case of Mossack fonseca ). Now let us see how this exploit works in Metasploit. Start Metasploit and search for our exploit as shown below.

Load the exploit as shown below.

Set the required options as shown below.

Set the required payload. Here for illustration I am setting the famous meterpreter payload.

You can also check if your target is vulnerable by using “check” command as shown below.( But we already know our target is vulnerable).

You can execute the exploit by typing “exploit”. If all went well, you will get the meterpreter shell on victim system.

That was all about hacking wordpress with Revslider plugin exploit.

Posted on 3 Comments

WordPress vulnerability assessment with WPscan

Good Evening friends. Hope you’re fine. After focusing on Joomla for some time, with this howto I have decided to focus on another popular CMS, that is WordPress. This howto is a pre-prequel to one of my articles on how to hack wordpress right here. This howto will have two other sequels and watch out for some easter eggs in this howto. ( Mind my talk about sequels,prequels and easter eggs, but did I tell you I am a big Marvel fan). Ok, ok, ok. Now let’s begin. The tool we will use here is called WPscan. WPScan is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues and also for enumeration. It is by default installed in Kali Linux Sana. Now open a terminal and update our tool by typing command as shown below.

To scan a wordpress website, you have to give the url as shown below. For this howto, I am using a local installation of wordpress as target.  Assign the target as shown below. The scan will start as shown below.

Here are the screenshots of result of this scan. . As you can see we have  13 vulnerabilities in the present installation and the vulnerabilities are given below.

One of the easiest ways to hack a wordpress site is to exploit the plugins installed in the target as most of the wordpress vulnerabilities nowadays exist in the plugins installed on it. So it is very important to enumerate the plugins installed on our wordpress target. We can enumerate the plugins using the “enumerate” option as shown below.

The scan result will be as shown below.( And there you have the first Easter egg). So totally we found four plugins. The first one is Ajax Load More Plugin. As the red exclamation mark shows, it is vulnerable and we have seen how to exploit this vulnerability in the sequel I told you about. If you haven’t gone through it, it’s here.

The second plugin is the vulnerable version of Akismet.

The third vulnerable plugin is the WordPress Slider revolution plugin. We will see more about this in our next howto.

Another important aspect to find vulnerabilities in the wordpress is its theme.  Now let’s enumerate the theme as shown below. The vulnerabilities present in the theme are given below.

After that let’s enumerate the users in our remote target as shown below.

We can see that the only username in our target. That’s WPscan for you. Hope it was helpful to you and wait for the sequels.

Posted on 2 Comments

Find out Joomla version with Metasploit

Hello aspiring hackers. In this howto, we will see how to find out Joomla version with Metasploit. Many a times a vulnerability is released saying that so and so version of a specific software has so and so vulnerability and an exploit is released for that vulnerability. In order for an exploit to work successfully it becomes necessary to find our target’s exact version. For example, take Joomla, a popular CMS. Recently we have seen Joomla HTTP Header Unauthenticated Remote Code Execution exploit which affects Joomla versions 1.5.0 to 3.4.5. We have also seen another exploit  “Joomla Error-Based SQL Injection exploit for enumeration ”  which affects Joomla versions 3.2 to 3.4.4. To successfully exploit these vulnerabilities, it becomes important to first fingerprint the Joomla version of our target. Luckily Metasploit has an auxiliary module to find out the exact version of our Joomla target. Today we will see fingerprinting Joomla version with Metasploit. Before we start Metasploit, open Shodan and search for “Joomla”. We will get many IP addresses where Joomla is running. Now start Metasploit and load the module given below. Type command “show options” to see the required options for this module.

We need to set two options: rhosts( which is target IP addresses ) and targeturi. Set targeturi as shown below. Coming to “rhosts” option, copy and paste the IP addresses we got in our shodan search giving space between each IP address as shown below.  Here I have given five IP addresses.

Check whether all options are set correctly by typing command “show options“.

Next it’s time to run our exploit. Type command “run” and you will get the results as shown below. From our results we can conclude that all of the five targets may be vulnerable to Joomla HTTP Header Unauthenticated Remote Code Execution exploit and targets 2 and 3 may be vulnerable to Joomla Error-Based SQL Injection exploit for enumeration exploit.

Posted on Leave a comment

Joomscan : Vulnerability assessment of Joomla

Joomla is one of the most popular  CMS which is widely used for its flexibility, user-friendliness and extensibility. The downside of  popularity in software world is that it becomes a target for hackers.  We have just recently seen how to exploit some recent vulnerabilities in Joomla. It would be pretty helpful if the users or testers know the vulnerabilities in their Joomla CMS before any hacker takes advantage of them. Joomscan is one such tool which will help web developers and web masters to help identify possible security weaknesses on their deployed Joomla! sites.

Joomscan has features like

Exact version Probing
Common Joomla! based web application firewall detection
Searching known vulnerabilities of Joomla! and its components
Reporting to Text & HTML output
Immediate update capability via scanner or svn.

Joomscan is installed by default in Kali Linux. Now let’s see how to use this tool. Open a terminal and type command “joomscan update” first. We will update the tool first.

Once the tool is updated as shown above, type command “joomscan” to see the options as shown below.

Next, give the target joomla website as shown below. In this howto, I’m using my own Joomla website.

The result would seem like below. Below we see that our target doesn’t have any firewall, it’s server is apache and it is powered by PHP version 5.3.10. Unfortunately it didn’t detect the version. Hmm, no probs.

Next it will scan for vulnerabilities and check whether if this site is vulnerable for a particular vulnerability as shown below.

At the end, it will show us the number of vulnerabilities present in our target.

We can see that our target has 2 vulnerabilities as shown in the above image. We will see how to exploit those vulnerabilities in our future howtos. But for now we have successfully performed a vulnerability assessment of our target.

Posted on 2 Comments

Hack Joomla with Remote Code Execution

Hello Aspiring Hackers. In this howto, we will see how to hack joomla with a RCE exploit. Joomla suffers from an unauthenticated remote code execution that affects all versions from 1.5.0 to 3.4.5. By storing user supplied headers in the databases session table it’s possible to truncate the input by sending an UTF-8 character. The custom created payload is then executed once the session is read from the database.

We also need to have a PHP version before 5.4.45 (including 5.3.x), 5.5.29 or 5.6.13. In later versions the deserialization of invalid session data stops on the first error and the exploit will not work. The PHP Patch was included in Ubuntu versions 5.5.9+dfsg-1ubuntu4.13 and 5.3.10-1ubuntu3.20 and in Debian in version 5.4.45-0+deb7u1. Joomla has recently released a patch for this vulnerability. Now let us see how to use the Joomla HTTP Header Unauthenticated Remote Code Execution exploit. Start Metasploit. and search for the exploit as shown below.

Type command “show options to see the required options.

Set the remote IP address and set the payload as shown below.

Type command “check” to see whether the target is vulnerable.

Next type command “exploit” to execute the exploit. You will get the remote system’s shell as shown below.

That is how to hack joomla with remote code execution exploit. See how to find out the joomla version running on the target machine.