
Tiki Wiki Unauthenticated File Upload exploit

Hello aspiring hackers. In this howto, we will see another file upload exploit, this time in Tiki Wiki CMS Groupware version <=15.1. Tiki Wiki CMS Groupware or simply Tiki, originally known as TikiWiki, is a free and open source Wiki-based content management system and online office suite. It contains a number of collaboration features allowing it to operate as a Groupware. Groupware is application software designed to help people involved in a common task to achieve their goals.

This exploit takes advantage of an RFI vulnerability in one of the 3rd party components, ELFinder 2.0. This component comes with a default example page which demonstrates file operations such as upload, remove, rename, create directory etc. The default configuration does not enforce validations such as file extension, content-type etc. Thus, an unauthenticated user can upload a PHP file.
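The validations the default configuration leaves out can be sketched as follows. This is an added example, not code from Tiki or ELFinder; the function name, the allowlist and the sample inputs are assumptions made for illustration.

```python
import os
import re
import secrets

# Allowlist: extension -> (MIME type the client must declare, leading magic bytes).
ALLOWED = {
    ".png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    ".jpg": ("image/jpeg", b"\xff\xd8\xff"),
    ".gif": ("image/gif", b"GIF8"),
    ".pdf": ("application/pdf", b"%PDF-"),
}
# Extensions a web server may hand to an interpreter, wherever they sit in the name.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|pht|cgi|pl|jsp|asp|aspx)(\.|$)", re.I)


def validate_upload(filename, declared_type, data):
    """Return (ok, reason, stored_name); stored_name is None when rejected."""
    # Drop any directory part the client sent, including Windows-style paths.
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or "\x00" in name:
        return False, "bad filename", None
    # Catches shell.php as well as double extensions such as shell.php.jpg.
    if SCRIPT_EXT.search(name):
        return False, "script extension in name", None
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED:
        return False, "extension not allowed", None
    mime, magic = ALLOWED[ext]
    # The Content-Type header is client-controlled, so it is only a consistency check.
    if declared_type.split(";")[0].strip().lower() != mime:
        return False, "content-type does not match extension", None
    # The file body must start with the signature of the claimed type.
    if not data.startswith(magic):
        return False, "content does not match extension", None
    # Heuristic: a valid image header followed by PHP code is still rejected.
    if b"<?php" in data.lower():
        return False, "embedded PHP tag", None
    # Never keep the client's name: store under a random one, in a directory
    # where the web server does not execute scripts.
    return True, "ok", secrets.token_hex(16) + ext
```
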

Start Metasploit and load the exploit as shown below. Type command “show options” to see the options required to run this exploit.

Set the target as shown below and check if it is vulnerable using the “check” command.

Type command “show payloads” to see the payloads we can set to this exploit. Set the payload as I have set below.

Check the options once again after setting the payload. They should look like below.

Let’s run this exploit by typing command “run”. We can see that we successfully got the meterpreter shell on the target as shown below.

That’s all in this article.


WordPress User enumeration with Metasploit

Good morning friends. Not all vulnerabilities are unauthenticated; sometimes we require credentials to exploit a vulnerability, like the WordPress ajax loadmore PHP upload exploit we saw in one of the previous howtos. But how do we get these credentials? Metasploit has an auxiliary module for WordPress user enumeration. Let’s see how this exploit works.

Start Metasploit and load the WordPress user enumeration exploit as shown below. Type command “show options” to see the options we can specify. We can see a variety of options. All the options are self-explanatory but let us see some of the options.

The “BLANK_PASSWORDS” option, if set, will check if any of the users are without any password. The “VERBOSE” option will display more clearly what the module is doing. The “USERNAME” and “PASSWORD” options will check for a single username and password respectively. The “USER_AS_PASS” option will check whether the username itself is being used as password. The “USER_FILE” and “PASS_FILE” options are used to specify files of usernames and passwords to enumerate respectively. The “VALIDATE_USERS” option will first validate if the user exists on the target even before trying to crack his password. The “USER_PASS” file option allows us to specify the same file for username and password as shown below. Here I have specified a wordlist consisting of most common passwords as the USER_PASS file.

When we execute the module, we can see that it will first validate all the usernames.

What if we know the username? The first question is how will we know the username. Just go through one of our previous howtos: WordPress vulnerability assessment with WPSCAN. The tool gave us a hint that the username is “root”. Now we will set the username as root and specify a common password dictionary as the password file as shown below.

When I run the script, it confirms that the username is valid and tries all words in the dictionary as password one by one.

After some time we can see that we successfully cracked the password for user “root” as “123456”.

HOW TO STAY SAFE:

Avoid not only common passwords but also common usernames for your websites. Most people still tend to use common usernames like admin, administrator etc. and common passwords.
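On the detection side, the dictionary run described above shows up in the web server access log as a burst of login POSTs from one address. The following is an added example, not part of the original howto or of Metasploit: it assumes combined-format access logs, default WordPress behaviour (status 200 when a login fails, a 302 redirect when it succeeds), and constructed sample lines and thresholds.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# client IP, timestamp, method, path and status from a combined-format log line
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample: eight failed logins in 14 seconds, then a success, from one
# address; one ordinary login from another address.
SAMPLE = [
    f'203.0.113.7 - - [12/May/2016:10:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3120'
    for s in range(0, 16, 2)
] + [
    '203.0.113.7 - - [12/May/2016:10:00:17 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '198.51.100.20 - - [12/May/2016:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '198.51.100.20 - - [12/May/2016:10:01:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120',
]


def find_login_guessing(lines, max_failures=5, window=timedelta(seconds=60)):
    """Return {ip: {"failures": peak count in window, "login_after_burst": bool}}."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failed logins
    alerts = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if method != "POST" or not path.split("?")[0].endswith("/wp-login.php"):
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = failures[ip]
        while q and when - q[0] > window:  # forget failures older than the window
            q.popleft()
        if status == "200":  # assumption: the login form is re-rendered on failure
            q.append(when)
            if len(q) > max_failures:
                alert = alerts.setdefault(ip, {"failures": 0, "login_after_burst": False})
                alert["failures"] = max(alert["failures"], len(q))
        elif status == "302" and ip in alerts:
            # A redirect after a burst of failures suggests a password was guessed.
            alerts[ip]["login_after_burst"] = True
    return alerts
```

An address reported with `login_after_burst` set is the case to act on first: reset that account's password and review what the session did afterwards.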


WordPress Version detection with Metasploit

Hello aspiring hackers. In this article we will learn about a WordPress Version Detection Module. WordPress is one of the most popular CMS available for websites. Its latest release at the time of writing, 4.5, had been downloaded 40,446,377 times when this howto was edited. But being popular in the field of hacking has its own disadvantages. The latest version suffers from oEmbed Denial of Service (DoS), Password Change via Stolen Cookie and Redirect Bypass vulnerabilities.

Similarly every version of WordPress has some vulnerability or other. But how do we find out which version of WordPress a site is running? Metasploit has an auxiliary module for WordPress version detection. Let’s see how it works.

Start Metasploit and load the module. Type command “show options” to see the options required for this module.

Multiple IP addresses can be set as shown below. I am trying five targets.

After assigning IP addresses, type command “run” to execute the exploit. The first target is my own. As you can see, two of our targets responded with their version. But what about the others? Maybe a firewall is blocking our request or maybe our targeturi is wrong. Please try this scan with targeturi set to “/” and also “/wordpress” for better results.

By the way, version 4.1 suffers from an arbitrary file upload vulnerability. See how to perform a complete WordPress vulnerability scan with WPscan on a WordPress website.


Joomla Enumeration with Metasploit

Hello aspiring hackers. Previously we have seen how to perform Joomla version enumeration with Metasploit. Metasploit also has a module for Joomla webpage enumeration, which lists pages of a Joomla website that can give further information about the website.

Start Metasploit and load the module as shown below.  Type command “show options” to see the options we need to set.


Like other auxiliary modules, it has the RHOSTS option instead of the RHOST option. We can set multiple IP addresses to scan for their pages, with a space in between, as shown below. Set the targeturi.

Type command “run” to execute the exploit. We will get the result as shown below.



Joomla Plugin enumeration with Metasploit

Good evening aspiring ethical hackers. Joomla is one of the most popular CMS for websites. To further improve its features Joomla has components or extensions which can be installed by the web admin as per requirement. These are similar to plugins in WordPress. Last month hackers found many vulnerabilities in so many extensions of Joomla.

But how do we find out Joomla websites with these vulnerable plugins installed? Once again, Metasploit saves the day for us as it has an auxiliary module for Joomla plugin enumeration. Start Metasploit and load the module as shown below.

This module has Rhosts option instead of Rhost option as we generally scan multiple IP addresses to check for vulnerable websites. Set the IP addresses as shown below with space between each IP address.

Now type command “run” to see the plugins installed on all these websites.

How does this module work? If you have seen in the first image, this module takes the list of plugins to enumerate from the file “/usr/share/metasploit-framework/data/wordlists/joomla.txt”. I have little knowledge whether this file is updated as fast as the Joomla plugins are developed. You can open this file with any text editor as shown below.

If the component you want to search for is not listed, you can make your own entry as shown below. I have added two components here, which are vulnerable to sql injection but not included in the file before. Save and close the file.

I ran the scan again and found one Joomla website with this plugin installed. Happy hacking.
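Because the module works through a wordlist, a site owner sees it in the access log as one client requesting many different components, most of which are not installed. The following is an added example, not part of the original howto or of Metasploit: it assumes combined-format access logs and that probes name a component either as a /components/com_… path or an option=com_… parameter; the component names, addresses and thresholds are constructed.

```python
import re
from collections import defaultdict

# client IP, request path and status from a combined-format access log line
REQ = re.compile(r'^(\S+) .*?"(?:GET|HEAD) (\S+) [^"]*" (\d{3})')
# a component named in the path or in the option= query parameter
COMPONENT = re.compile(r"(?:/components/|[?&]option=)(com_[a-z0-9_]+)", re.I)

# Constructed sample: one client asks for twelve different components, only one of
# which exists; another client reads an article through a single component.
SAMPLE = [
    f'203.0.113.9 - - [12/May/2016:11:00:{i:02d} +0000] '
    f'"GET /components/com_demo{i:02d}/ HTTP/1.1" {200 if i == 3 else 404} 512'
    for i in range(12)
] + [
    '198.51.100.4 - - [12/May/2016:11:05:00 +0000] '
    '"GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 8120',
]


def find_component_probing(lines, min_distinct=10, min_missing_ratio=0.8):
    """Return {ip: {"probed": n, "missing": m, "found": [components that answered]}}."""
    seen = defaultdict(dict)  # ip -> {component: True once any request for it was not a 404}
    for line in lines:
        req = REQ.match(line)
        if not req:
            continue
        ip, path, status = req.groups()
        comp = COMPONENT.search(path)
        if not comp:
            continue
        name = comp.group(1).lower()
        seen[ip][name] = seen[ip].get(name, False) or status != "404"
    report = {}
    for ip, comps in seen.items():
        missing = sum(1 for found in comps.values() if not found)
        # Many distinct components, nearly all absent, is the wordlist signature.
        if len(comps) >= min_distinct and missing / len(comps) >= min_missing_ratio:
            report[ip] = {
                "probed": len(comps),
                "missing": missing,
                "found": sorted(n for n, found in comps.items() if found),
            }
    return report
```

The `found` list is what the scanning client learned about the site, so those components are the ones to check for pending updates first.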