
Joomscan: Vulnerability assessment of Joomla

Joomla is one of the most popular CMSs, widely used for its flexibility, user-friendliness and extensibility. The downside of popularity in the software world is that it makes you a target for hackers. We have recently seen how to exploit some vulnerabilities in Joomla. It helps if site owners and testers know the weaknesses in their Joomla CMS before an attacker takes advantage of them. Joomscan is one such tool: it helps web developers and webmasters identify possible security weaknesses on their deployed Joomla! sites.

Joomscan's features include:

Exact version probing
Common Joomla!-based web application firewall detection
Searching known vulnerabilities of Joomla! and its components
Reporting to text and HTML output
Immediate update capability via the scanner itself or svn

Joomscan is installed by default in Kali Linux. Let's see how to use it. Open a terminal and run the command "joomscan update" first, so that the scanner works from a current vulnerability database.

Once the update has finished, as shown above, type the command "joomscan" to see the available options, as shown below.

Next, point it at the target Joomla website, as shown below. In this howto I'm using my own Joomla website.

The result looks like the screenshot below. We can see that our target has no web application firewall in front of it, its server is Apache and it is powered by PHP version 5.3.10. Unfortunately it did not detect the Joomla version, but that is no problem.

Next it scans for known vulnerabilities and checks whether the site is vulnerable to each one, as shown below.

At the end, it will show us the number of vulnerabilities present in our target.

We can see that our target has 2 vulnerabilities as shown in the above image. We will see how to exploit those vulnerabilities in our future howtos. But for now we have successfully performed a vulnerability assessment of our target.
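Joomscan's "exact version probing" failed on this target, but the same thing can be done by hand. The script below is an added example of mine, not code from the post, from Joomscan or from Joomla!: it reads the files a stock Joomla! install leaves world-readable that state the installed version (the package manifest and the en-GB language manifest give the full x.y.z; README.txt only gives the x.y series) and extracts the version from whichever answers first. The list of paths and the sample manifest are my own; the sample is constructed to look like administrator/manifests/files/joomla.xml so the parser can be exercised offline.

```python
"""Manual Joomla! version probe (added example; not part of Joomscan or Joomla!).

A stock Joomla! install discloses its exact version in a few world-readable
files; fetching and parsing them is all "exact version probing" amounts to.
"""
import re
import sys
import urllib.error
import urllib.request
from typing import Optional

# Files, relative to the site root, that carry the installed version (assumed
# list).  The two XML files give x.y.z; README.txt only gives the x.y series,
# which is weaker evidence, so it is tried last.
VERSION_PATHS = (
    "administrator/manifests/files/joomla.xml",
    "language/en-GB/en-GB.xml",
    "README.txt",
)

# Constructed sample of what joomla.xml looks like, for the offline demo.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<extension version="3.4" type="file" method="upgrade">
    <name>files_joomla</name>
    <version>3.4.5</version>
    <creationDate>October 2015</creationDate>
</extension>"""


def parse_version(text: str) -> Optional[str]:
    """Pull a version string out of one disclosure file; None if there is none."""
    m = re.search(r"<version>\s*([0-9]+(?:\.[0-9]+)+)\s*</version>", text)
    if m:
        return m.group(1)
    # README.txt style line: "Joomla! 3.4 version history"
    m = re.search(r"Joomla!\s+([0-9]+(?:\.[0-9]+)+)\s+version", text, re.IGNORECASE)
    return m.group(1) if m else None


def probe_version(base_url: str, timeout: float = 10.0) -> Optional[str]:
    """Fetch each disclosure file from a live site and return the first version found."""
    for path in VERSION_PATHS:
        url = base_url.rstrip("/") + "/" + path
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                body = resp.read().decode("utf-8", errors="replace")
        except (urllib.error.URLError, OSError):
            continue  # 403/404 or a network error: try the next file
        found = parse_version(body)
        if found:
            return found
    return None


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # hypothetical target, e.g. http://joomla.example.test/
        print(probe_version(sys.argv[1]))
    else:
        print(parse_version(SAMPLE_MANIFEST))  # offline demo: 3.4.5
```

A hardened site may block or remove these files, in which case the probe returns None and you fall back to weaker signals (generator meta tag, media file paths), just as Joomscan did here.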


Hack Joomla with Remote Code Execution

Hello aspiring hackers. In this howto we will see how to hack Joomla with an RCE exploit. Joomla suffers from an unauthenticated remote code execution (CVE-2015-8562) that affects all versions from 1.5.0 to 3.4.5. Joomla stores user-supplied HTTP headers (such as User-Agent) in the database session table. Because MySQL's utf8 character set cannot store a 4-byte character, sending one truncates the stored header at that point, so an attacker can place a PHP serialized object in the header and have it deserialized, with the embedded code executed, when the session is read back from the database.

We also need a PHP version before 5.4.45 (including all of 5.3.x), before 5.5.29 or before 5.6.13. In later versions the deserialization of invalid session data stops at the first error and the exploit will not work. The PHP patch was included in Ubuntu in versions 5.5.9+dfsg-1ubuntu4.13 and 5.3.10-1ubuntu3.20 and in Debian in version 5.4.45-0+deb7u1, so a distribution PHP can be patched even though its upstream version number looks vulnerable. Joomla fixed the vulnerability in 3.4.6. Now let us see how to use the Joomla HTTP Header Unauthenticated Remote Code Execution exploit (Metasploit module exploit/multi/http/joomla_http_header_rce). Start Metasploit and search for the exploit as shown below.

Type the command "show options" to see the required options.

Set the remote IP address (RHOST) and the payload, as shown below.

Type the command "check" to see whether the target is vulnerable. This tests the target itself rather than trusting a version string, which matters given the distribution backports mentioned above.

Next type the command "exploit" to run it. You will get a shell on the remote system, as shown below.

That is how to hack Joomla with the remote code execution exploit. See also how to find out the Joomla version running on the target machine.
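Two checks a defender would want alongside the exploit walkthrough above, as an added example of mine (not code from the post or from the Metasploit module). The first turns the version ranges the post quotes into a triage function; note the caveat in its docstring, which is exactly why the module's "check" beats reading version numbers. The second scans Apache combined-format access-log lines for a User-Agent carrying the two hallmarks of the attack described above: a PHP serialized object and a 4-byte UTF-8 character (the truncation trigger), matched both raw and in the \xHH form Apache writes into its logs. The log lines are constructed; the combined format does not record X-Forwarded-For, which the same attack can also use, so a log format that includes it is needed to see that variant.

```python
"""Added example (not from the post or the Metasploit module): blue-side checks
for the Joomla! HTTP header RCE.

  joomla_affected()     version triage from the ranges quoted in the post
  suspicious_headers()  scan Apache combined log lines for payload-like User-Agents
"""
import re
from typing import Dict, List, Tuple

_NUM = re.compile(r"\d+(?:\.\d+)*")


def vtuple(version: str) -> Tuple[int, ...]:
    """'5.5.9+dfsg-1ubuntu4.13' -> (5, 5, 9): distribution suffixes are dropped."""
    m = _NUM.match(version)
    if not m:
        raise ValueError(f"no version number in {version!r}")
    return tuple(int(x) for x in m.group(0).split("."))


def joomla_affected(joomla_version: str, php_version: str) -> bool:
    """True if Joomla! is in 1.5.0..3.4.5 and PHP is below 5.4.45 / 5.5.29 / 5.6.13.

    Caveat: string triage only.  Ubuntu/Debian backported the PHP fix without
    changing x.y.z (e.g. 5.5.9+dfsg-1ubuntu4.13), so True still needs the
    module's 'check' or a patch-level query on the host to confirm.
    """
    j = vtuple(joomla_version)
    if not ((1, 5, 0) <= j <= (3, 4, 5)):
        return False
    p = vtuple(php_version)
    if p < (5, 5):                 # 5.4 below 5.4.45, plus all of 5.3 and older
        return p < (5, 4, 45)
    if p[:2] == (5, 5):
        return p < (5, 5, 29)
    if p[:2] == (5, 6):
        return p < (5, 6, 13)
    return False                   # later PHP stops deserialising at the first error


# Apache "combined" format; quoted fields may contain \" escapes.
_Q = r'"((?:[^"\\]|\\.)*)"'
LOG_RE = re.compile(
    r"^(\S+) \S+ \S+ \[([^\]]+)\] " + _Q + r" (\d{3}) \S+ " + _Q + " " + _Q + r"$"
)
# PHP serialized object header: O:<len>:"ClassName":<n>:{  (quotes may be \"-escaped)
SERIALIZED_OBJECT = re.compile(r'O:\d+:\\?"[A-Za-z_][\w\\]*?\\?":\d+:\{')
# A 4-byte UTF-8 character, raw or as Apache escapes it (e.g. \xf0\x9d\x8c\x86).
FOUR_BYTE_UTF8 = re.compile(
    r"\\x[fF][0-4](?:\\x[89abAB][0-9a-fA-F]){3}" + "|[\U00010000-\U0010FFFF]"
)


def suspicious_headers(lines: List[str]) -> List[Dict[str, str]]:
    """One record per line whose User-Agent carries a serialized object.

    confidence is "high" when the 4-byte truncation trigger is present too,
    "medium" when only the serialized object is there (still abnormal for a UA).
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue
        ip, ts, request, _status, _ref, ua = m.groups()
        if SERIALIZED_OBJECT.search(ua) is None:
            continue
        has_4byte = FOUR_BYTE_UTF8.search(ua) is not None
        hits.append({"ip": ip, "ts": ts, "request": request, "ua": ua,
                     "confidence": "high" if has_4byte else "medium"})
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    # ordinary browser -> ignored
    '203.0.113.7 - - [14/Dec/2015:10:22:01 +0000] "GET / HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/42.0"',
    # serialized object plus 4-byte character, escaped the way Apache logs it -> high
    '203.0.113.9 - - [14/Dec/2015:10:22:05 +0000] "GET / HTTP/1.1" 200 5120 "-" '
    '"O:3:\\"Foo\\":1:{s:1:\\"a\\";i:1;}\\xf0\\x9d\\x8c\\x86"',
    # emoji in a mobile UA but no serialized object -> ignored
    '198.51.100.4 - - [14/Dec/2015:10:22:09 +0000] "GET /index.php HTTP/1.1" 200 900 "-" '
    '"Mozilla/5.0 (Linux; Android 5.1) \U0001F600"',
    # serialized object without the truncation trigger -> medium
    '192.0.2.5 - - [14/Dec/2015:10:22:12 +0000] "GET / HTTP/1.1" 200 5120 "-" '
    '"O:8:\\"stdClass\\":0:{}"',
]

if __name__ == "__main__":
    print(joomla_affected("3.4.5", "5.3.10"))        # True
    for hit in suspicious_headers(SAMPLE_LOG):
        print(hit["confidence"], hit["ip"], hit["ua"])
```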


Hack WordPress With Ajax LoadMore exploit

Hello aspiring hackers. In this howto we will see how to hack WordPress with the Ajax Load More exploit. In our previous howto we saw how to use the Joomla com_contenthistory error-based SQL injection exploit. Today we will see how to exploit the WordPress Ajax Load More PHP upload vulnerability using Metasploit.

This module (exploit/multi/http/wp_ajax_load_more_file_upload) exploits an arbitrary file upload in the WordPress Ajax Load More plugin version 2.8.1.1. I have tested this exploit against that plugin version on WordPress 4.1.3 on Windows. The only downside is that the exploit requires valid WordPress credentials, so it is an authenticated attack. Start Metasploit and load the exploit as shown below.


Set payload as below.

Type the command "show options" to see the required options for this exploit.


Set the required options as shown below: the remote IP address (RHOST), TARGETURI (the path of the WordPress install on the server), and the WordPress username and password (WPUSERNAME and WPPASSWORD).

After setting all the options, run "check" once again to confirm the target is vulnerable, as shown below.

Type the command "exploit" and we get a meterpreter session, as shown below.
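What the procedure above does not show is the victim side afterwards: an arbitrary-file-upload exploit leaves a PHP file on disk. The script below is an added example of mine, not code from the post or from the Metasploit module. Given a WordPress root it walks directories that should contain only data (wp-content/uploads by default; pass the plugin's own directory as well if you are hunting this particular upload, since the post does not say where the plugin writes), reports files with a PHP-executable extension or a PHP open tag under any extension, newest first, and can drop an Apache 2.4 .htaccess that refuses to serve PHP from such a directory. The default directory list and the Apache syntax are my assumptions.

```python
"""Added example (not from the post or the Metasploit module): find PHP code
sitting in WordPress data directories after an upload exploit, and deny PHP
execution there on Apache 2.4.
"""
import os
import re
import sys
from typing import Dict, Iterable, List

PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)")
# Directories, relative to the WordPress root, that should hold data, not code
# (assumed default; extend with the plugin directory you are investigating).
DATA_DIRS = ("wp-content/uploads",)

HTACCESS_DENY_PHP = """# Refuse to serve or execute PHP from this directory (Apache 2.4 syntax)
<FilesMatch "\\.(?:ph(?:p[0-9]?|tml|ar))$">
    Require all denied
</FilesMatch>
"""


def looks_like_php(path: str) -> bool:
    """PHP-executable extension, or a PHP open tag in the first 4 KiB of any file."""
    ext = os.path.splitext(path)[1].lower()
    if ext in PHP_EXTENSIONS:
        return True
    try:
        with open(path, "rb") as fh:
            head = fh.read(4096)
    except OSError:
        return False
    return PHP_OPEN_TAG.search(head) is not None


def find_php_in_data_dirs(wp_root: str,
                          data_dirs: Iterable[str] = DATA_DIRS) -> List[Dict[str, object]]:
    """Return suspicious files (path relative to wp_root, mtime, size), newest first."""
    findings: List[Dict[str, object]] = []
    for rel in data_dirs:
        for dirpath, _dirs, files in os.walk(os.path.join(wp_root, rel)):
            for name in files:
                full = os.path.join(dirpath, name)
                if looks_like_php(full):
                    st = os.stat(full)
                    findings.append({"path": os.path.relpath(full, wp_root),
                                     "mtime": st.st_mtime, "size": st.st_size})
    findings.sort(key=lambda f: f["mtime"], reverse=True)
    return findings


def deny_php_execution(directory: str) -> str:
    """Write the deny-PHP .htaccess into directory and return its path."""
    path = os.path.join(directory, ".htaccess")
    with open(path, "w") as fh:
        fh.write(HTACCESS_DENY_PHP)
    return path


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."   # hypothetical WordPress root
    for f in find_php_in_data_dirs(root):
        print(f"{f['mtime']:.0f}  {f['size']:>8}  {f['path']}")
```

A file found this way is evidence, not proof: some legitimate plugins do ship PHP under wp-content, so compare against a known-good copy of the site before deleting anything, and treat the .htaccess as containment rather than cleanup.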

That’s how we hack wordpress with ajax loadmore exploit. Want to learn how Black hat hackers hack? Subscribe to our Digital Magazine Now.