Archives

All posts for the month January, 2016


Often a vulnerability is disclosed for a specific version of some software and an exploit is released for it. For the exploit to work, it becomes necessary to find our target’s exact version. Take Joomla, a popular CMS, for example. Recently we have seen the Joomla HTTP Header Unauthenticated Remote Code Execution exploit, which affects Joomla versions 1.5.0 to 3.4.5. We have also seen another exploit, “Joomla Error-Based SQL Injection exploit for enumeration”, which affects Joomla versions 3.2 to 3.4.4. To successfully exploit these vulnerabilities, it is important to first fingerprint the Joomla version of our target. Luckily Metasploit has an auxiliary module to find out the exact version of our Joomla target. Today we will see how to fingerprint the Joomla version with Metasploit. Before we start Metasploit, open Shodan and search for “Joomla”. We will get many IP addresses where Joomla is running. Now start Metasploit and load the module given below. Type the command “show options” to see the required options for this module.

joomla_v1

We need to set two options: rhosts (the target IP addresses) and targeturi. Set targeturi as shown below. For the “rhosts” option, copy and paste the IP addresses we got in our Shodan search, separated by a space, as shown below. Here I have given five IP addresses.

joomla_v2

Check whether all options are set correctly by typing the command “show options”.

joomla_v3

Next it’s time to run the module. Type the command “run” and you will get the results shown below. From these results we can conclude that all five targets may be vulnerable to the Joomla HTTP Header Unauthenticated Remote Code Execution exploit, and that targets 2 and 3 may also be vulnerable to the Joomla Error-Based SQL Injection exploit for enumeration.

joomla_v4


Joomla is one of the most popular CMSes, widely used for its flexibility, user-friendliness and extensibility. The downside of popularity in the software world is that it becomes a target for hackers. We have just recently seen how to exploit some recent vulnerabilities in Joomla. It would be pretty helpful if users or testers knew the vulnerabilities in their Joomla CMS before any hacker takes advantage of them. Joomscan is one such tool: it helps web developers and webmasters identify possible security weaknesses on their deployed Joomla! sites.

Joomscan has features like:

Exact version probing
Common Joomla! based web application firewall detection
Searching known vulnerabilities of Joomla! and its components
Reporting to Text & HTML output
Immediate update capability via scanner or svn

Joomscan is installed by default in Kali Linux. Now let’s see how to use this tool. Open a terminal and first update the tool by typing the command “joomscan update”.

joomscan1

Once the tool is updated as shown above, type the command “joomscan” to see its options as shown below.

joomscan2

Next, give it the target Joomla website as shown below. In this howto, I’m using my own Joomla website.

joomscan3

The result looks like the image below. We see that our target doesn’t have any firewall, its server is Apache and it is powered by PHP version 5.3.10. Unfortunately it didn’t detect the Joomla version. Hmm, no probs.

joomscan4

Next it will scan for vulnerabilities and check whether this site is vulnerable to each particular vulnerability, as shown below.

joomscan6

At the end, it will show us the number of vulnerabilities present in our target.

joomscan7

We can see that our target has 2 vulnerabilities, as shown in the above image. We will see how to exploit those vulnerabilities in future howtos. But for now we have successfully performed a vulnerability assessment of our target.

Good evening friends. Today we will see how to exploit remote machines with Joomla installed on them. Joomla suffers from an unauthenticated remote code execution vulnerability that affects all versions from 1.5.0 to 3.4.5. Because user-supplied headers are stored in the database’s session table, it is possible to truncate the stored input by sending a UTF-8 character. The custom-crafted payload is then executed once the session is read back from the database. The target also needs a PHP version before 5.4.45 (including 5.3.x), before 5.5.29 or before 5.6.13. In later versions the deserialisation of invalid session data stops on the first error and the exploit will not work. The PHP patch was included in Ubuntu in package versions 5.5.9+dfsg-1ubuntu4.13 and 5.3.10-1ubuntu3.20, and in Debian in version 5.4.45-0+deb7u1. Joomla has recently released a patch for this vulnerability. Now let us see how to use the Joomla HTTP Header Unauthenticated Remote Code Execution exploit. Start Metasploit and search for the exploit as shown below.

joomla_http1
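The affected-version ranges from the fingerprinting post above and the PHP/distro thresholds from this post are easy to get wrong by eye, so here is an added inventory check (my example, not code from the post or from Metasploit) that takes a Joomla version and a PHP version string, as you would find them in an asset inventory or a joomscan result, and reports which of the two issues the pair is exposed to. It assumes distro package strings use the `upstream-revision` form shown in the post.

```python
import re

# Affected ranges as given in the posts above: Joomla 1.5.0 - 3.4.5 for the HTTP
# header RCE, Joomla 3.2 - 3.4.4 for the error-based SQL injection.
JOOMLA_RCE = ((1, 5, 0), (3, 4, 5))
JOOMLA_SQLI = ((3, 2, 0), (3, 4, 4))
# PHP stops deserialising invalid session data on the first error from these
# releases on; older releases in each branch (and all of 5.3.x) keep going.
PHP_FIXED = {(5, 4): (5, 4, 45), (5, 5): (5, 5, 29), (5, 6): (5, 6, 13)}
# Distro packages named in the post that backport the fix without bumping the
# upstream number; anything at or above this package revision is patched.
BACKPORTED_FIX = {"5.5.9+dfsg": "1ubuntu4.13", "5.3.10": "1ubuntu3.20"}

def parse_version(text):
    """'3.4.5', '3.2' or '5.5.9+dfsg' -> (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError("unrecognised version: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def revision_tuple(rev):
    """'1ubuntu4.13' -> (1, 4, 13) so package revisions compare numerically."""
    return tuple(int(x) for x in re.findall(r"\d+", rev))

def php_session_bug_present(php_version):
    """True when this PHP build still deserialises past the first error."""
    upstream, _, revision = php_version.strip().partition("-")
    if revision and upstream in BACKPORTED_FIX:
        return revision_tuple(revision) < revision_tuple(BACKPORTED_FIX[upstream])
    v = parse_version(upstream)
    if v < (5, 4, 0):                 # 5.3.x and older were never fixed
        return True
    fixed = PHP_FIXED.get(v[:2])
    return fixed is not None and v < fixed   # 7.x and later ship the fix

def assess(joomla_version, php_version):
    """Names of the issues a Joomla/PHP pair from your inventory is exposed to."""
    j = parse_version(joomla_version)
    findings = []
    if JOOMLA_RCE[0] <= j <= JOOMLA_RCE[1] and php_session_bug_present(php_version):
        findings.append("header_rce")
    if JOOMLA_SQLI[0] <= j <= JOOMLA_SQLI[1]:
        findings.append("error_based_sqli")
    return findings

if __name__ == "__main__":
    print(assess("3.4.5", "5.5.9+dfsg-1ubuntu4.12"))   # ['header_rce']
```

A bare upstream number such as the 5.3.10 that joomscan reported is treated as unpatched; check the package revision on the host before trusting that verdict.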

Type the command “show options” to see the required options.

joomla_http2

Set the remote IP address and set the payload as shown below.

joomla_http3

Type command “check” to see whether the target is vulnerable.

joomla_http4

Next type the command “exploit” to run the exploit. You will get the remote system’s shell as shown below.

joomla_http5
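For the defender’s side of the mechanism described at the start of this post (a serialized payload in a stored header, truncated by a multi-byte UTF-8 character, then deserialised from the session table), here is an added detection check I wrote; it is not part of the post or of Joomla. It assumes the stored headers are User-Agent and X-Forwarded-For (the post only says “user supplied headers”), and the sample requests are constructed.

```python
import re

# A PHP serialized object opens with  O:<len>:"<class>":<count>:{  -- nothing a
# browser or proxy legitimately puts in these headers looks like that.
SERIALIZED_OBJECT = re.compile(r'O:\d+:"[A-Za-z0-9_\\]+":\d+:\{')
# Characters outside the Basic Multilingual Plane take four bytes in UTF-8;
# a 3-byte "utf8" column silently truncates the value at the first one, which
# is the truncation step the exploit relies on.
FOUR_BYTE_UTF8 = re.compile(r'[\U00010000-\U0010FFFF]')

# Assumption: these are the request headers Joomla copies into its session
# table; the post does not name them.
WATCHED_HEADERS = ("user-agent", "x-forwarded-for")

def inspect_headers(headers):
    """Return (header, reason) pairs for one request's header dict."""
    findings = []
    for name, value in headers.items():
        if name.lower() not in WATCHED_HEADERS:
            continue
        if SERIALIZED_OBJECT.search(value):
            findings.append((name, "php_serialized_object"))
        if FOUR_BYTE_UTF8.search(value):
            findings.append((name, "four_byte_utf8"))
    return findings

def is_session_injection_attempt(headers):
    """Serialized object plus a truncating character in a stored header."""
    reasons = {reason for _, reason in inspect_headers(headers)}
    return {"php_serialized_object", "four_byte_utf8"} <= reasons

# Constructed samples: an ordinary browser request and a toy injection attempt
# (class name "Foo" is a placeholder, not a real gadget).
BENIGN = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0",
          "X-Forwarded-For": "203.0.113.7"}
SUSPECT = {"User-Agent": 'O:3:"Foo":0:{}\U0001F600'}

if __name__ == "__main__":
    for label, hdrs in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, inspect_headers(hdrs), is_session_injection_attempt(hdrs))
```

Either signal on its own is worth logging; the two together on one request is the pattern to alert on, and a WAF rule built from the same two expressions blocks it before the header ever reaches the session table.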

Good evening friends. Welcome back to Kanishkashowto. Today we will see how to hack a remote PC with the Jenkins CLI RMI Java Deserialization exploit. It exploits a vulnerability in Jenkins. If you don’t know what Jenkins is, it is “an award-winning, cross-platform, continuous integration and continuous delivery application that increases your productivity. You can use Jenkins to build and test your software projects continuously making it easier for developers to integrate changes to the project, and making it easier for users to obtain a fresh build. It also allows you to continuously deliver your software by providing powerful ways to define your build pipelines and integrating with a large number of testing and deployment technologies.” An unsafe deserialization bug exists on the Jenkins master which allows remote arbitrary code execution. The good thing is that authentication is not required to exploit this vulnerability. This exploit works on Jenkins version 1.637. Ufff, lot of theory, now let’s get into some real stuff.

Start Metasploit and load the exploit as shown below. Type the command “show options” to see which options are required. Set the target address as shown below.

jenkins1

Type the command “show payloads” to see the available payloads for this exploit.

jenkins2

Set any payload you want. I chose the above highlighted payload. Set the payload as shown below.

jenkins3

Ok. Run the exploit as shown below; you should get access to the remote system’s shell.

jenkins4

You can run any commands as shown below.

jenkins5