Posted on

Joomla enumeration with Metasploit

Hello, aspiring ethical hackers. In this article, you will learn how to perform Joomla enumeration with Metasploit. Although its share is less than WordPress in CMS usage, Joomla is still one of the top 5 used CMS. To further improve its features Joomla has components or extensions which can be installed by the web admin as per requirement. These are similar to plugins in WordPress. Metasploit has some modules which can be used to enumerate a website using Joomla.

Version Detection

The first Metasploit module you will learn about is the version detection module of Joomla. Prior to starting Metasploit, we open Shodan and search for “Joomla”. We will get many IP addresses where Joomla is running. We collect some.

Next, we start Metasploit and load the joomla_version auxiliary module given below. Type command “show options” to see the required options for this module.

We need to set two options for this module to do its job: RHOSTS (which are target IP addresses) and Targeturi. Set Targeturi as shown below. Coming to “RHOSTS” option, we copy and paste the IP addresses we got in our Shodan search giving space between each IP address as shown below.  Here I have given five IP addresses.

Check whether all options are set correctly by typing command “show options“.

All the options are set. Next, it’s time to run our exploit. Type command “run” and you will get the results as shown below.

As readers can see, the versions of Joomla running on the target machines are displayed.

Plugin Enumeration

Once we know the version of Joomla running on the target website, the next important information to find out is about the extensions installed on the target Joomla. Metasploit has a module for that too. Since the Joomla extensions or components are similar to WordPress plugins, this module is called as Joomla Plugin enumeration module. Load the module as shown below.

Just like the earlier module, this module too can be used to scan multiple targets at once. Set the IP addresses of targets as shown below with space between each IP address.

Next, execute the module.

As readers can see, all the plugins installed on the target Joomla site are displayed. But how does this module scan for plugins?  The list of plugins this module scans are in file  “usr/share/metasploit-framework/data/wordlists/joomla.txt”.  

If the plugin you want to scan for is not in this list, you can just add it manually by opening this file with any text editor.

Don’t forget to save changes after making them. I once again execute the module after applying changes and the result is shown below.

Webpage Enumeration

Metasploit also has a module for enumerating webpages on the Joomla target. This module can be useful in viewing pages of a Joomla website that can give further information about the website. Load the module as shown below.  Type command “show options” to see the options we need to set.

We can set multiple IP addresses to scan for their pages with space in between as shown below. Set the targeturi.

Execute the exploit. We will get the result as shown below.

As readers can see, this module enumerated the webpages of our target. That is how we can perform Joomla enumeration with Metasploit. Read how to perform WordPress enumeration with Metasploit.

Posted on

WordPress Enumeration with Metasploit

Hello aspiring Ethical Hackers. In this article, readers will learn how to perform WordPress enumeration using Metasploit. WordPress is one of the most popular CMS available and as of 2021, 39.5% percent of websites are powered by WordPress. Hence gauging the security of WordPress installation is always important.

Metasploit has a few modules that can be used to perform WordPress Enumeration. Let’s see a few of them. The first module we will see is the WordPress Scanner module that scans for installed themes, installed plugins, installed WordPress version and more information about target WordPress.

Let’s see how this Module works. Start Metasploit and load the WordPress scanner module. Then, type command “show options” to see the options we require for this module. We are testing this module on WordPress installed on Ubuntu 20.

After all the options are set and the module is executed,

the module successfully detected the target WordPress version as 6.0. It also detected plugins installed on the target WordPress along with their versions. The module will also try to enumerate users although it failed to detect any users here.

This module can be useful to find if there are any vulnerabilities on the WordPress target.  For example, one of the plugins installed on this target wp_pie_register has an exploit module related to it.

Some of the vulnerabilities in WordPress require credentials for successful exploitation. Metasploit also has a WordPress login enumeration module that not only helps in user enumeration but also brute forcing their password.

Load the WordPress user enumeration exploit as shown below. Type command “show options” to see the options this module requires.

Assuming we have no idea about any user credentials on the target machine, the first thing to do is enumerating and validating usernames. So set “bruteforce” option to false as shown below.

Validating usernames is a process where we check if a particular username is present on the target WordPress site. We can validate a single username or many usernames using a wordlist. For example, let’s use the wordlist “common.txt” as users file. We also want to set the STOP_ON_SUCCESS option to TRUE. This will stop the enumeration as soon as we get one valid username.

Let’s execute the module now.

The module found one valid username on the target. It’s “admin”. Since we have found one valid username on the target, lets try to find out the password for this user. For doing this, we need to set the options as shown below.

ENUMERATE_USERNAMES  :    FALSE

VALIDATE_USERS   : FALSE

BRUTEFORCE : TRUE

We need to also set the password file for that is required for brute forcing. Since we now know the username, we set it using option “username” option.

We need to also set the password file for that is required for brute forcing. Since we now know the username, we set it using option “username” option.

The module found one successful LOGIN using credentials “admin : admin”. See how to perform WordPress Enumeration with WPScan.

Posted on

WordPress Reverse Shell : Multiple Methods

Hello aspiring Ethical Hackers. In this article you will learn about multiple WordPress reverse shell methods. As you all might already know, WordPress is a popular open source Content Management System (CMS) based on PHP and MySQL or MariaDB as database. It was released in year 2003.

SInce then, it grew out to be one of the most popular CMS around the world. It is used as blogging software, membership site and online store etc. WordPress is used by over 60 million websites.

In this article we will show you how to gain a reverse shell on a WordPress website once we have the credentials of the website. This is a comprehensive collection methods to gain reverse shell on WordPress.
 
This Tutorial assumes that you have already acquired WordPress credentials and can access the WordPress dashboard.

1. Reverse Shell Through Vulnerable Plugins

One of the reasons for the popularity of the WordPress CMS is its plugins. WordPress plugins are additional extensions that are used to extend the functionality of the WordPress CMS. WordPress has over 58,559 plugins. Sometimes these vulnerable plugins are the reason attackers get a reverse shell on the WordPress target.
There are many vulnerable plugins which can be downloaded from websites like Exploit Database. We will use one such WordPress plugin Responsive Thumbnail slider version 1.0. This version of the plugin has an arbitrary file upload vulnerability which is used to upload malicious payload into the website. Since this target doesn’t have this vulnerable plugin installed, let’s upload this plugin ourselves and activate it.

Once the plugin is uploaded and activated, Metasploit can be used to exploit this vulnerable plugin. Start Metasploit and load the wp_responsive_thumbnail_slider_upload module as shown below.

Use check command to confirm if the target is indeed vulnerable.

After setting the credentials and executing the module, a meterpreter session on the target is gained.

Here’s another famous wordpress plugin that can be exploited.

2. Reverse Shell Through Editing WordPress Theme

WordPress Themes enhance the look of the WordPress websites. The content of these theme can be edited to upload a reverse shell on the target. For this tutorial, we will upload the infamous C99 webshell. Here’s more about c99 web shell.

Here’s the 404.php page of the theme has been edited to copy the code of the C99 web shell into that page. Once the edited file is saved all that is needed to be done is visiting that page.

With C99 shell on the target website, there are a host of options to lay with.

3. Reverse Shell Through Uploading A Malicious Plugin

Uploading a malicious plugin is another way of gaining a reverse shell on a WordPress website. Github has many options of these WordPress malicious plugins. Let’s use one of them named malicious wordpress plugin that can be downloaded from here.

After navigating into the “malicious-wordpress-plugin” directory, execute the wordpwn.py script. It will show the usage of the script.

Execute the script again by setting the LHOST, LPORT and by enabling the handler option. i.e the “Y” option. This will start a Metasploit handler.

By this time, a new file named “malicious.zip” is created in the “malicious-wordpress-plugin” directory.

Upload this plugin into WordPress and activate it just like any other plugin.

This newly uploaded web shell can be accessed from two URLs given below

http://(target)/wp-content/plugins/malicious/wetw0rk_maybe.php
http://(target)/wp-content/plugins/malicious/QwertyRocks.php

In this specific instance, the web shell got executed by visiting the first URL. This will give us a meterpreter session on the already listening handler.

4. Reverse Shell Through Metasploit Framework

Here is another simple method to gain a reverse shell. Metasploit Framework has a module that uploads a reverse shell as payload once the WordPress credentials are known.

Start Metasploit and load the exploit/unix/webapp/wp_admin_shell_upload module.

Set all the required options that includes credentials and execute the module.

This will give us a meterpreter session successfully. These are the four common methods through which a reverse shell can be achieved on the WordPress. Now, you decide Which is your favorite method of gaining a reverse shell on WordPress?

Posted on 3 Comments

Tiki Wiki Unauthenticated File Upload exploit

Hello aspiring hackers. In this howto, we will see another file upload exploit , this time in  Tiki Wiki CMS Groupware version <=15.1. Tiki Wiki CMS Groupware or simply Tiki, originally known as TikiWiki, is a free and open source Wiki-based content management system and online office suite.  It contains a number of collaboration features allowing it to operate as a Groupware. Groupware is an application software designed to help people involved in a common task to achieve their goals.

This exploit takes advantage of a RFI vulnerability in one of the 3rd party components, ELFinder 2.0. This component comes with default example page which demonstrates file operations such as upload, remove, rename, create directory etc. Default configuration does not force validations such as file extension, content-type etc. Thus, unauthenticated user can upload a PHP file.

Start Metasploit and load the exploit as shown below. Type command “show options” to see the options required to run this exploit.

Set the target as shown below and check if it is vulnerable using “check“command.

Type command “show payloads” to see the payloads we can set to this exploit. Set the payload as I have set below.

Check the options once again after setting the payload. They should look like below.

Let’s run this exploit by typing command “run”. We can see that we successfully got the meterpreter shell on the target as shown below.

That’s all in this article. Learn how File Upload Exploits work. Want to learn Ethical Hacking with Real World Scenarios? Subscribe to our Digital Magazine.

Posted on

WordPress User enumeration with Metasploit

Good morning friends. Not all vulnerabilities are unauthenticated, sometimes we require credentials to exploit a vulnerability like the WordPress ajax loadmore Php upload exploit we saw in one of  previous howtos. But how do we get these credentials. Metasploit has an auxiliary module for WordPress user enumeration. Let’s see how this exploit works.

Start Metasploit and load the wordpress user enumeration exploit as shown below. Type command “show options” to see the options we can specify. We can see a variety of options. All the options are self explanatory but let us see some of the options.

The “BLANK_PASSWORDS” option if set will check if any of the users are without any password. The “VERBOSE”option will display more clearly what the module is doing. The “USERNAME” and “PASSWORD” option will check for single username and password respectively. The “USER_AS_PASS” option will check whether the username itself is being used as password. The USER_FILE and PASS_FILE are used to specify file for usernames and passwords to enumerate respectively. The VALIDATE_USERS option will first validate if user exists on the target even before trying to crack his password. The “USER_PASS” file option allows us to specify the same file for username and password as shown below. Here I have specified a wordlist consisting of most common passwords as the USER_PASS file.

When we execute the module, we can see that it will first validate all the usernames.

What if we know the username? The first question is how will we know the username. Just go through one of our previous howto : WordPress vulnerability assessment  with WPSCAN. The tool gave use a hint that username is “root”. Now we will set the username as root, specify a common password dictionary as password file as shown below.

When I run the script, it confirms that the username is valid and tries all words in the dictionary as password one by one.

After some time we can see that we successfully cracked the password for user “root” as “123456”.

HOW TO STAY SAFE:

Never use not only common passwords but also common usernames for your websites. Still most of the people tend to use common usernames like admin, administrator etc. and common passwords.