Many a times a vulnerability is released saying that so and so version of a specific software has so and so vulnerability and an exploit is released for that vulnerability. In order for an exploit to work successfully it becomes necessary to find our target’s exact version. For example, take Joomla, a popular CMS. Recently we have seen Joomla HTTP Header Unauthenticated Remote Code Execution exploit which affects Joomla versions 1.5.0 to 3.4.5. We have also seen another exploit “Joomla Error-Based SQL Injection exploit for enumeration ” which affects Joomla versions 3.2 to 3.4.4. To successfully exploit these vulnerabilities, it becomes important to first fingerprint the Joomla version of our target. Luckily Metasploit has an auxiliary module to find out the exact version of our Joomla target. Today we will see fingerprinting Joomla version with Metasploit. Before we start Metasploit, open Shodan and search for “Joomla”. We will get many IP addresses where Joomla is running. Now start Metasploit and load the module given below. Type command “show options” to see the required options for this module.
We need to set two options: rhosts( which is target IP addresses ) and targeturi. Set targeturi as shown below. Coming to “rhosts” option, copy and paste the IP addresses we got in our shodan search giving space between each IP address as shown below. Here I have given five IP addresses.
Check whether all options are set correctly by typing command “show options“.
Joomla is one of the most popular CMS which is widely used for its flexibility, user-friendlinesss and extensibility. The downside of popularity in software world is that it becomes a target for hackers. We have just recently seen how to exploit some recent vulnerabilities in Joomla. It would be pretty helpful if the users or testers know the vulnerabilities in their Joomla CMS before any hacker takes advantage of them. Joomscan is one such tool which will help web developers and web masters to help identify possible security weaknesses on their deployed Joomla! sites.
Joomscan has features like
Exact version Probing
Common Joomla! based web application firewall detection
Searching known vulnerabilities of Joomla! and its components
Reporting to Text & HTML output
Immediate update capability via scanner or svn.
Joomscan is installed by default in Kali Linux. Now let’s see how to use this tool. Open a terminal and type command “joomscan update” first. We will update the tool first.
Once the tool is updated as shown above, type command “joomscan” to see the options as shown below.
Next, give the target joomla website as shown below. In this howto, I’m using my own Joomla website.
The result would seem like below. Below we see that our target doesn’t have any firewall, it’s server is apache and it is powered by PHP version 5.3.10. Unfortunately it didn’t detect the version. Hmm, no probs.
Next it will scan for vulnerabilities and check whether if this site is vulnerable for a particular vulnerability as shown below.
At the end, it will show us the number of vulnerabilities present in our target.
We can see that our target has 2 vulnerabilities as shown in the above image. We will see how to exploit those vulnerabilities in our future howtos. But for now we have successfully performed a vulnerability assessment of our target.
Good Evening friends. Today we will see how to exploit remote machines with Joomla installed on them. Joomla suffers from an unauthenticated remote code execution that affects all versions from 1.5.0 to 3.4.5. By storing user supplied headers in the databases session table it’s possible to truncate the input by sending an UTF-8 character. The custom created payload is then executed once the session is read from the database. We also need to have a PHP version before 5.4.45 (including 5.3.x), 5.5.29 or 5.6.13. In later versions the deserialisation of invalid session data stops on the first error and the exploit will not work. The PHP Patch was included in Ubuntu versions 5.5.9+dfsg-1ubuntu4.13 and 5.3.10-1ubuntu3.20 and in Debian in version 5.4.45-0+deb7u1. Joomla has recently released a patch for this vulnerability. Now let us see how to use the Joomla HTTP Header Unauthenticated Remote Code Execution exploit. Start Metasploit. and search for the exploit as shown below.
Type command “show options“to see the required options.
Set the remote IP address and set the payload as shown below.
Type command “check” to see whether the target is vulnerable.
Next type command “exploit” to execute the exploit. You will get the remote system’s shell as shown below.
Good evening friends. Welcome back to Kanishkashowto. Today we will see how to hack remote PC with Jenkins CLI RMI Java Deserialization exploit. It exploits a vulnerability in Jenkins. If you don’t know what Jenkins is, it is “an award-winning, cross-platform, continuous integration and continuous delivery application that increases your productivity. You can use Jenkins to build and test your software projects continuously making it easier for developers to integrate changes to the project, and making it easier for users to obtain a fresh build. It also allows you to continuously deliver your software by providing powerful ways to define your build pipelines and integrating with a large number of testing and deployment technologies.” An unsafe deserialization bug exists on the Jenkins master, which allows remote arbitrary code execution. The good thing is authentication is not required to exploit this vulnerability. This exploit works on Jenkins 1.637 version. Ufff, lot of theory, now let’s get into some real stuff.
Start Metasploit and load the exploit as shown below. Type command “show options” to see what are the options required. Set the target address as shown below.
Type command “show payloads” to see the available payloads for this exploit.
Set any payload you want. I chose the above highlighted payload. Set the payload as shown below.
Ok. Run the exploit as shown below. You should get access to the remote system’s shell as shown below.