Good Evening friends. Today we will see how to exploit remote machines with Joomla installed on them. Joomla suffers from an unauthenticated remote code execution that affects all versions from 1.5.0 to 3.4.5. Because user-supplied headers are stored in the database's session table, it is possible to truncate the input by sending a UTF-8 character. The crafted payload is then executed once the session is read back from the database. We also need a PHP version before 5.4.45 (including 5.3.x), 5.5.29 or 5.6.13. In later versions the deserialisation of invalid session data stops on the first error and the exploit will not work. The PHP patch was included in Ubuntu versions 5.5.9+dfsg-1ubuntu4.13 and 5.3.10-1ubuntu3.20 and in Debian in version 5.4.45-0+deb7u1. Joomla has recently released a patch for this vulnerability. Now let us see how to use the Joomla HTTP Header Unauthenticated Remote Code Execution exploit. Start Metasploit and search for the exploit as shown below.
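Before running the module it is worth knowing how to tell, from the defender's side, whether a host is still exposed. The script below is an added example written for this page; it is not part of the original post and not code from Joomla, PHP or Metasploit. It turns the PHP patch levels quoted above into a version check, honours the two Ubuntu package strings the post names as backports (an upstream-only comparison would wrongly call those builds vulnerable), and scans request headers for the generic marker of a serialised PHP object, which is what ends up in the session table. The sample headers, the `SomeClass` name and the regular expression are my own constructions, not a real payload.

```python
"""Added defender-side checks for the Joomla session-header deserialisation issue."""
import re

# Upstream PHP patch levels (taken from the post) at which unserialize() stops
# on the first malformed element, so truncated session data no longer executes.
PATCHED_UPSTREAM = {
    (5, 4): (5, 4, 45),
    (5, 5): (5, 5, 29),
    (5, 6): (5, 6, 13),
}

# Distro packages that backported the fix at a lower upstream version (also from
# the post): package prefix -> minimum numeric tail of the package revision.
BACKPORTS = {
    "5.5.9+dfsg-1ubuntu": (4, 13),
    "5.3.10-1ubuntu": (3, 20),
}

# Marker of a serialised PHP object: O:<len>:"<class>":<nprops>:{ ...
# The class name is deliberately not checked; any object in a header is worth a look.
SERIALIZED_OBJECT = re.compile(r'O:\d+:"[A-Za-z0-9_\\]+":\d+:\{')


def parse_php_version(version: str) -> tuple:
    """Turn '5.5.9+dfsg-1ubuntu4.13' into (5, 5, 9); distro suffixes are ignored here."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised PHP version string: %r" % version)
    return tuple(int(x) for x in m.groups())


def upstream_hardened(version: str) -> bool:
    """True if the upstream PHP version stops deserialising on the first error."""
    major, minor, patch = parse_php_version(version)
    if (major, minor) > (5, 6):      # PHP 7 and later ship with the fix
        return True
    if (major, minor) < (5, 4):      # 5.3.x and older never got it upstream
        return False
    return (major, minor, patch) >= PATCHED_UPSTREAM[(major, minor)]


def build_hardened(package_version: str) -> bool:
    """Same question for a distro package string, honouring the known backports first."""
    for prefix, min_tail in BACKPORTS.items():
        if package_version.startswith(prefix):
            tail = tuple(int(x) for x in package_version[len(prefix):].split("."))
            return tail >= min_tail
    return upstream_hardened(package_version)


def suspicious_headers(headers: dict) -> list:
    """Names of request headers whose value carries a serialised PHP object."""
    return [name for name, value in headers.items() if SERIALIZED_OBJECT.search(value)]


# Constructed sample request; the User-Agent value is a placeholder, not a real payload.
SAMPLE_HEADERS = {
    "Host": "blog.example",
    "User-Agent": 'Mozilla/5.0 O:9:"SomeClass":1:{s:1:"a";i:1;}',
    "X-Forwarded-For": "203.0.113.7",
}

if __name__ == "__main__":
    for v in ("5.4.44", "5.4.45", "5.5.9+dfsg-1ubuntu4.13", "5.6.12", "7.0.0"):
        print(v, "hardened" if build_hardened(v) else "VULNERABLE deserialiser")
    print("headers to inspect:", suspicious_headers(SAMPLE_HEADERS))
```

Run `php -v` on the web host and feed the version string to `build_hardened`; on a Debian or Ubuntu box use the package version from `dpkg -s php5` instead, since that is where the backport is recorded. The header scan is meant for web server access logs or a WAF rule and only tells you a request deserves inspection, not that it succeeded; updating Joomla is still the fix.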
Type command “show options“ to see the required options.
Set the remote IP address and set the payload as shown below.
Type command “check” to see whether the target is vulnerable.
Next type command “exploit” to execute the exploit. You will get the remote system’s shell as shown below.
Good Evening Friends. In our previous howto, we have seen how to use the Joomla com_contenthistory Error-Based SQL Injection exploit. Today we will see how to exploit the WordPress Ajax Load More PHP upload vulnerability using Metasploit. This module exploits an arbitrary file upload in the WordPress Ajax Load More plugin version 188.8.131.52. I have tested this exploit on this plugin in WordPress version 4.1.3 on Windows. The only downside is that this exploit requires credentials. Start Metasploit and load the exploit as shown below.
Set payload as below.
Type command “show options” to see the required options for this exploit.
Set the required options as shown below. Set the remote IP address, targeturi, password and username as shown below.
After setting all the options, check them once again as shown below.
Type command “exploit” and we will get the meterpreter session as shown below.
Good Evening Friends. Today we will see how to exploit the “Joomla Error-Based SQL Injection” vulnerability found recently to enumerate usernames and password hashes found in remote servers where Joomla is installed. This vulnerability is found in Joomla versions 3.2 to 3.4.4. Now let’s see how to use this exploit to enumerate usernames and password hashes. This exploit is available in Metasploit. I am testing this exploit on Joomla version 3.4.4.
Start Metasploit and load the exploit as shown below.
Set the required options as shown below and type command “exploit”. After some time, a text file containing usernames and password hashes is downloaded and stored in your system as shown below.
Now open the text file with any text editor available in Kali Linux. I have used gedit.
This is the text file we have downloaded. As you can see below, it contains the usernames and password hashes of the Joomla installation.
Good Evening Friends. Recently Metasploit released an exploit for the Nibbleblog file upload vulnerability. For those who don't know what Nibbleblog is, it is a powerful engine for creating blogs. In fact we can say it is the simplest blog creation system. In this scenario, we will hack a remote system which is using Nibbleblog 4.0.3. We will upload a file into the remote system using the Nibbleblog file upload vulnerability. The only downside of this exploit is that it requires credentials. Update Metasploit and start it. Type command “search nibbleblog” to search for all exploits related to Nibbleblog as shown below.
Load the exploit as shown below.
Set all the options required as shown below. I am running nibbleblog on my wamp server on another system. So I am giving its IP address below.
Type command “show payloads” to see the payloads available for this system. You will see all the available options as shown below.
Choose the payload “php/meterpreter/reverse_tcp”.
Set the required options, i.e. LHOST, which is the IP address of your Kali machine. As I already told you, we need the credentials of the blog we want to hack. Type command “exploit“. Even though you get an error as shown below, don’t worry, your exploit has run successfully. The file has been uploaded.
Now we have to start a listener to listen for our reverse_tcp connection. Load the listener exploit as shown below. Set all the required options as shown.
Type command “exploit“. The exploit will run and stop at the stage shown below.
Now open a browser. The file you just uploaded is saved by default as image.php in the remote system. Now go to the exact path as highlighted below. The only thing that may change for you is the IP address. Hit Enter.
Now if you go back to the terminal, you should already have a meterpreter session as shown below. Happy Hacking.
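The part of this walkthrough worth remembering as an administrator is the last step: the module only succeeds because a file named image.php sitting in the blog's upload tree is served to the PHP interpreter. The script below is an added example written for this page, not code from the post or from Nibbleblog; it walks an upload directory and reports files that are PHP either by extension or because a PHP open tag hides behind an image-looking name. The directory layout and file contents it creates are constructed fixtures, and the file names are placeholders rather than Nibbleblog's real paths.

```python
"""Added defender-side check: find PHP code that has landed in a blog's upload tree."""
import os
import tempfile

# Extensions a typical web server hands to the PHP interpreter.
PHP_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar"}


def looks_like_php(head: bytes) -> bool:
    """True if the first bytes of a file contain a PHP open tag, whatever the filename says."""
    return b"<?php" in head or b"<?=" in head


def find_php_in_uploads(root: str) -> list:
    """Walk an upload directory; return sorted relative paths of files that are PHP by extension or content."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                head = fh.read(4096)          # the open tag is always near the start
            if ext in PHP_EXTENSIONS or looks_like_php(head):
                hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


def build_constructed_fixture() -> str:
    """Create a throwaway upload tree with constructed sample files (not from any real site)."""
    root = tempfile.mkdtemp(prefix="uploads-check-")
    samples = {
        "image.php": b"<?php echo 'constructed sample'; ?>",          # default name the post mentions
        "images/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,       # genuine-looking image header
        "images/banner.jpg": b"\xff\xd8\xff\xe0<?php /* code behind an image name */ ?>",
        "config.xml": b"<config/>",
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel in find_php_in_uploads(build_constructed_fixture()):
        print("PHP found in upload tree:", rel)
```

Point `find_php_in_uploads` at the real upload directory from a cron job or a file-integrity check and alert on any hit; the web server should in any case be configured so that nothing under the upload path is ever executed as PHP, which turns this kind of upload into a harmless file rather than a shell.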
Hope it was helpful.